Leixiang Wu CSE 300 Literature Review Final Draft – Privacy Threats on Smartphone With emergence of various mobile operating systems, such as Google’s Android, Apple’s iOS, and Microsoft’s Windows, smartphones have been evolved rapidly over last ten years and became increasingly popular and powerful. The latest generation of smartphones can be considered as a mini computer. They allow us not just to make phone calls and send messages, but also send emails, play games, browse websites, and navigate map. Nowadays, most of us carry a smartphone around. So we can access information anytime and anywhere. Since users store more and more personal information on their smartphones, mobile OS companies, such as Google or Apple, have been improving their OS to protect users’ privacy and sensitive data. One feature that Apple added is requiring an app to ask user’s implicit permission in order to use GPS. However, smartphones are not very secure since there are still many privacy leaks on our smartphone that need be fixed. Although current smartphone operating systems require an application to gain permission before accessing sensitive information, they frequently fail to provide users with the visibility into how mobile applications actually use our private data. For example, a user allows an application to access GPS, but he doesn’t know if the application will send her location to a third-party organization. To solve this issue, William Enck and other scholars developed a system called TaintDroid that can be integrated into Android operating system. It was described in an academic article, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”. It is an efficient data tracking and data analysis system that uses Android execution environment. This system allows phone users to monitor how their private data being used. So the users don’t have to blindly trust an application that it will properly handle their data and can take actions against misbehaving applications. Here is how TaintDroid works: it labels sensitive data. Whenever labeled data is about to send over the network, TaintDroid logs the data, the application that wants to send the data, and the destination of the labeled information. Based on a 2010 survey, the scholars of this paper used TaintDroid on a Google Nexus One running Android Version 2.1 to analyze 30 randomly selected popular Android applications from the Android Market. They found 20 apps sending location data, ID, and phone number to advertisers. Because TaintDroid needs to log information whenever labeled data is transmitted over the network, it decreases phone performance by a very negligible amount of time and uses 4.4% memory to store log information. Although this system is very effective based on the experimental result, it can’t be deployed on iPhone. Having the same goal of studying privacy leaks in smartphones as William Enck had, a group of scholars at The International Secure Systems Lab analyzed free iOS applications that are available in Apple App Store and Cydia to find privacy threats that exist in these applications. Cydia is an app repository that is similar to App Store, but only jailbroken iPhones can access Cydia. They published a paper, “PiOS: Detecting Privacy Leaks in iOS Applications”, which discusses their study of privacy leaks in iOS applications.. However, their research only focused on iOS applications. They built an automated tool, PiOS, to identify possible privacy threats. This tool takes Mach-O binary code files of a mobile app as the input and produces a data flow graph. From a data flow graph, the scholars were able to identify privacy leaks where data flow from the application to third parties over the network without user’s consent. They used PiOS to evaluate more than 1,400 iPhone applications in Apple Store and Cydia. They found that most applications don’t send users’ information to third parties. However, a majority of applications leak the device ID and phone usage statistics to advertisers because developers use third-party library code to display advertisement. It’s hard to make a connection between a user and a device based on the ID, but a connection can be made once the advertisers gain more information. For instance, if a user is using Facebook app, and Facebook happens to buy these libraries, Facebook is able to link the user’s profile to a device. PiOS has the same limitation as TaintDroid has, which only analyze applications on one operating system, but both tools detected privacy breaches. Because a group of scholars at SBA Research wanted to analyze applications that are available on both iOS and Android operating systems, they evaluated following nine applications: WhatsApp, Viber, eBuddy, Tango, Voypi, Forfone, HeyTell, EasyTalk, and Wowtalk. These mobile messaging applications are replacing traditional communication methods. One common feature among them is that these applications ask the users for their phone number as their identification in the registration step. They published their findings in a research paper, “Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications”. The researchers discovered five possible attacks that can occur in nine apps: account hijacking, sender ID spoofing, unrequested SMS, Enumeration, and modifying status messages. One scenario where an attacker could hijack an account is using design flaws in the verification process. In WhatsApp, its verification process of PIN gives a hacker a chance to intercept the communication between the phone and server and then steal the PIN. Now the hacker is able to send and receive messages as the target user. Besides hijacking, an attacker can spam a user with verification messages. Although all apps have some kind of mechanism to prevent verification spamming, an attacker can still send verification SMS messages at a regular interval. Also, Voypi doesn’t encrypt messages sent by a user and require authentication to send a message. This allows a malicious user to send a message to anyone. The scholars also discovered that WhatsApp would return a subset of active phone numbers based on a user’s contacts. Although the experts pointed out various potential problems in these applications, they didn’t propose any authentication schema that will prevent these attacks. In addition to mobile applications posing privacy threats to users, harmless hardware component also poses threats to users’ personal information. To protect user’s privacy, Android platform always require applications to gain permissions in order to access the phone’s GPS. However, Android OS allows applications to access the phone’s aggregate power meter without the user’s permission since Android considers that getting power usage information doesn’t pose threats to user’s data. Researchers at Stanford University and Israel research group published an article, “PowerSpy: Location Tracking using Mobile Device Power Analysis”. They showed that a malicious application could use a user’s power consumption information to track his location. The main idea behind this paper is that the location of a phone massively affects the power consumed by the phone’s cellular radio. As a person moves toward a cellular base station, his phone consumes less power. Therefore, the strength of a mobile phone signal impacts the amount of power being consumed by cellular network. If an attacker makes a power consumption profile of a phone by moving in a set of routes in a city, the attacker is able to track the phone’s location. This is not simple to do since listening to music, making a phone call, and texting a message may change a phone’s power consumption profile. Nevertheless, the scholars were able to eliminate these activities by using machine learning algorithms. The researchers proved this by developing an Android app, PowerSpy, which collects power consumption information only and is able to identify the user’s location. Although this hacking sounds awesome, there are limitations. For instances, tracking technique doesn’t work when a person stands still. The phone has connected to network and needs to have cellular network. In addition to threats posed by a power meter, a touch screen also could leak personal information on the phone. Touch screen is a very common part of a smartphone in these days, whereas less and less phones are equipped with a physical keyboard. A majority of Android smartphone owners use graphical password as the identification to unlock the phone. The Android password pattern has 3x3 grid of circles where a user traverses the grid to draw a pattern. If the pattern is correct, the phone will be unlocked. Because our skin generates oil to keep the skin moisturized, oily residues remain on the screen after we unlock the smartphone. A paper, “Smudge Attacks on Smartphone Touch Screens”, is published by security experts at University of Pennsylvania. They examined the possibility of smudge attack and analyzed the Android password pattern in their paper. Smudge attack is an attack that attempts to extract a phone’s sensitive information by inspecting residual oils on the phone. The researchers did an experiment to take pictures of touch screens of two Android smartphones, the HTC G1 and the HTX Nexus1. Pictures were taken under a variety of angles and brightness. They were able to partially identify the Android password pattern in 92% of scenarios. In 68% of scenarios, the pattern can be fully identified. They also considered situations of incidental contact between a phone and clothing. The pattern can still be extracted from the oily smudge. The researchers analyzed the difficulty of inferring the password based on oily residues. They discovered that a smudge attacker can still guess the password even if he is able to partially identify smudge since human factors, such as people tend not to have a long pattern, reduce the number of guesses the attacker has to make. More and more people own smartphones, such as iPhone, Nexus, and Galaxy, and use phones to store their private data. This increases security concerns. Security scholars and experts are working to address these concerns. Scholars have developed tools, PiOS and TaintDroid, to automatically detect privacy threats in mobile applications. They also analyzed some popular apps on a single platform. A group of scholars at SBA Research extended the security analysis to two mobile operating systems. The result of their researches is very close. They all showed that mobile applications do pose privacy threats to users. Moreover, Stanford scholars discovered that even phone’s power meter could leak location data. Another group of scholars also found that oily residues remain on the touch screen could leak unlocking password. All these researches demonstrated that there are so many components on a smartphone pose privacy threats to users. However, none of them discusses possible defenses that users could take to protect their privacy. Also, they often choose popular applications to analyze. This is a problem since some users may use unpopular apps. Researchers can still evaluate applications on Windows phones. Works Cited

1. S. Schrittwieser, P. Frhwirt, P. Kieseberg, M. Leithner, M. Mulazzani, M. Huber, and E. Weippl, “Guess who's texting you? Evaluating the security of smartphone messaging applications,” in Proc. the 19th Annual Symposium on Network and Distributed System Security, 2012. 2. M. Egele, C. Kruegel, E. Kirda, and G. Vigna. Pios: De- tecting privacy leaks in ios applications. In Network and Distributed System Security Symposium (NDSS), 2011. 3. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smart- phones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, USENIX OSDI ’10, 2010. 4. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith. Smudge attacks on smartphone touch screens. In Proc. of the 4th USENIX Conf. on Offensive Technologies, pages 1–7, 2010. 5. Y. Michalevsky, G. Nakibly, A. Schulman, and D. Boneh, “Powerspy: Location tracking using mobile device power analysis,” CoRR, vol. abs/1502.03182, 2015.