
THE PENNSYLVANIA STATE UNIVERSITY
SCHREYER HONORS COLLEGE
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

ANDROID LOCATION PERMISSIONS AND HOW THEY AFFECT THE PRIVACY OF USERS

DOVILE DROZDOVAITE
Fall 2020

A thesis submitted in partial fulfillment of the requirements for a baccalaureate degree in Computer Engineering with honors in Computer Engineering

Reviewed and approved* by the following:
Trent Jaeger, Professor of Computer Science & Engineering, Thesis Supervisor
John Sampson, Assistant Professor of Computer Science & Engineering, Honors Adviser
* Signatures are on file in the Schreyer Honors College.

Abstract

Users are routinely asked to grant permissions while using an application. However, many users still do not understand what happens when they accept the permissions an application requests. In this paper, we highlight Android vulnerabilities that can be used to abuse permission assignment for continuous sensors involved with location-based services (LBSs) and GPS location data. These include gaps in user privacy awareness, abuse by ride-hailing services (RHS), side-channel attacks, and white-box and black-box attacks. We then evaluate these vulnerabilities on the application AbuserGPS, and review and propose defense strategies within the operating system, such as Location-Privacy Preserving Mechanisms (LPPMs), the ASM framework, and MATRIX.
Table of Contents

List of Figures
Acknowledgements
Chapter 1: Introduction
Chapter 2: Android Background
Chapter 3: Android Vulnerabilities
  3.1 Description of Vulnerabilities
  3.2 Vulnerability Study: AbuserGPS
Chapter 4: Evaluation
  4.1 Research on Android Security Mechanisms
  4.2 Proposed Security Mechanisms
  4.3 Candidate Security Experiments
  4.4 Android 11 Location Privacy
Chapter 5: Conclusion
References

List of Figures

Figure 1: AOSP's directory structure
Figure 2: getLastKnownLocation function in LocationManager
Figure 3: Establishing location permissions for AbuserGPS
Figure 4: User's point of view when accepting a permission request from the AbuserGPS application
Figure 5: onCreate function which continuously requests location
Figure 6: Location data being received by AbuserGPS
Figure 7: Modified onLocationChanged function in AbuserGPS
Figure 8: Location data received by modified AbuserGPS
Figure 9: getLastKnownLocation in LocationManagerService
Figure 10: Modified _getLastKnownLocationLocked in LocationManagerService

Acknowledgments

I want to thank Professor Trent Jaeger for his guidance throughout the entire research process as well as the invaluable advice he provided. I would also like to thank Yu Tsung Lee, a graduate student at Penn State University, for sharing his knowledge on the involved concepts and providing valuable feedback.
I would also like to thank both of my parents, Valerijus Drozdovas and Vilma Drozdovas, for supporting me mentally and financially throughout my education. Your inspiring words always motivated me to push myself harder. Finally, I would like to thank my friends who supported me throughout the process, ensuring that I always took care of myself and sharing their knowledge on subjects they were knowledgeable in. Thank you for keeping me sane throughout this whole process!

Chapter 1: Introduction

Android is currently the most popular operating system deployed on mobile devices. With over 2.5 billion monthly active Android devices [1], Android has become one of the most common interfaces through which users interact with digital services, specifically mobile applications. Most modern Android devices are equipped with a variety of sophisticated sensors. Although these sensors improve the user's interaction with mobile applications, they can also pose significant threats to the user's privacy.

Because both users and application developers have security and privacy interests, Android as an OS needs to guarantee privacy to users and developers alike. To do so, Android is built on a multi-party consent model. In other words, "an action should only happen if all involved parties consent to it" [2]. The parties involved are the platform, the user, and the developer. If any one of the platform, the user, or the developer does not consent to a specific action, the action cannot be completed. This ensures that no application can perform an operation that would affect other applications, the operating system, or the user without their consent. The developer must explicitly declare each permission the application needs in the Android manifest file, AndroidManifest.xml [3]. The user is then prompted to either allow the permission request or deny it.
In this paper, we focus mainly on location permissions. There are two types of location access: foreground location and background location. Foreground location is used when an application needs to share or receive location information only once or for some defined amount of time [4]. This is typical of navigation or messaging applications, where a user may need to share their current location. Background location is used when an application continuously shares location with other users, or when the application uses the Geofencing API, which compares the user's current location against their proximity to specific places [4]. This is typical of a family location-sharing application or of certain IoT applications.

When requesting location access in the application's manifest file, the developer must be specific about which location permissions are requested. Depending on the type of location access the application requires, there are three location permissions that may need to be declared in the manifest: ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, and ACCESS_BACKGROUND_LOCATION. ACCESS_COARSE_LOCATION provides the user's location to within roughly a city block. ACCESS_FINE_LOCATION provides a more precise location than ACCESS_COARSE_LOCATION. One of these two permissions must be declared for foreground location, depending on how the location data is used. If the application is intended to use background location access, the developer must also declare the ACCESS_BACKGROUND_LOCATION permission in the application's manifest file.
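The manifest declaration is the developer's half of the multi-party consent model described in the introduction, and the rule above (ACCESS_BACKGROUND_LOCATION has no effect unless ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION is also declared) is something a reviewer can check statically before any runtime prompt is ever shown. The following Python script is an added example, not code from this thesis or from AOSP: it parses an AndroidManifest.xml, classifies which class of location access the app can obtain once the user consents, and flags a manifest that declares only the background permission. It also goes one step beyond the text by reading android:targetSdkVersion and noting when an app that declares the background permission targets an API level below 29, the level at which ACCESS_BACKGROUND_LOCATION was introduced (a fact from the Android SDK documentation, not from the thesis). The four manifests at the bottom are constructed samples for constructed package names (com.example.*), not taken from any real application.

```python
"""Static audit of the location permissions an Android app declares.

Added example (not the thesis's own code and not AOSP code). Reads an
AndroidManifest.xml and applies the rule that ACCESS_BACKGROUND_LOCATION only
has effect when ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION is also
declared. The sample manifests below are constructed, not from real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_TARGET_SDK = "{%s}targetSdkVersion" % ANDROID_NS

FINE = "android.permission.ACCESS_FINE_LOCATION"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"
BACKGROUND = "android.permission.ACCESS_BACKGROUND_LOCATION"
# ACCESS_BACKGROUND_LOCATION was added in API level 29 (Android 10).
BACKGROUND_MIN_API = 29


def declared_permissions(manifest_xml):
    """Set of android:name values on every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ATTR_NAME) for e in root.iter("uses-permission") if e.get(ATTR_NAME)}


def target_sdk(manifest_xml):
    """android:targetSdkVersion from <uses-sdk>, or None when not declared."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    value = sdk.get(ATTR_TARGET_SDK) if sdk is not None else None
    return int(value) if value else None


def audit_location_permissions(manifest_xml):
    """Classify the location access the app can obtain once the user consents.

    Returns {"access": "none" | "foreground" | "background",
             "precision": None | "coarse" | "fine",
             "findings": [review notes as strings]}.
    """
    perms = declared_permissions(manifest_xml)
    sdk = target_sdk(manifest_xml)
    has_fine, has_coarse, has_bg = FINE in perms, COARSE in perms, BACKGROUND in perms
    findings = []

    # Background alone grants nothing: a foreground permission is required.
    if has_bg and not (has_fine or has_coarse):
        findings.append(
            "ACCESS_BACKGROUND_LOCATION declared without ACCESS_FINE_LOCATION "
            "or ACCESS_COARSE_LOCATION: the app obtains no location access")
    # The background permission did not exist before API 29; flag the mismatch.
    if has_bg and sdk is not None and sdk < BACKGROUND_MIN_API:
        findings.append(
            "targetSdkVersion %d predates API %d, which introduced "
            "ACCESS_BACKGROUND_LOCATION; check the target level"
            % (sdk, BACKGROUND_MIN_API))

    precision = "fine" if has_fine else ("coarse" if has_coarse else None)
    if precision is None:
        access = "none"
    elif has_bg:
        access = "background"
    else:
        access = "foreground"
    return {"access": access, "precision": precision, "findings": findings}


# Constructed sample manifests (hypothetical package names, not real apps).
MANIFEST_NAV = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.nav">
  <uses-sdk android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

MANIFEST_FAMILY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.family">
  <uses-sdk android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""

MANIFEST_BROKEN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.broken">
  <uses-sdk android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""

MANIFEST_LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in [("nav", MANIFEST_NAV), ("family", MANIFEST_FAMILY),
                      ("broken", MANIFEST_BROKEN), ("legacy", MANIFEST_LEGACY)]:
        print(name, audit_location_permissions(xml))
```

Running the script classifies the navigation sample as foreground-only fine location, the family-sharing sample as coarse location with background access, and the broken sample as obtaining no location at all despite declaring a permission. The audit only looks at the developer's declaration; what the user actually grants at runtime is the other half of the consent model and is not visible in the manifest.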
Declaring ACCESS_BACKGROUND_LOCATION by itself does not grant any location access; the application must still request either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION [4].

In this paper, we highlight Android vulnerabilities used to abuse permission assignment for continuous sensors, specifically sensors involved with location-based services (LBSs) and GPS location data. We also present a defense strategy that most Google Play Store applications would comply with, and review other existing defense strategies intended to prevent such vulnerabilities. Google provides a complementary security feature, Google Play Protect (GPP), which is Google's built-in malware protection for Android. It is backed by Google's machine learning algorithms and is therefore continuously improving [5]. This feature is out of scope for this paper. It is worth pointing out, however, that Google Play requires new apps and app updates to target a recent Android API level, which allows Android to retire APIs that can be abused or that have had security issues [6].

In the following, we first describe the AOSP (Android Open Source Project) structure, the Android security and privacy principles, and the basis of the Android security model. Then, we review the Android vulnerabilities that are used to abuse permission assignment for continuous sensors. Finally, we discuss a possible defense strategy by modifying an application titled AbuserGPS.

Chapter 2: Android Background

Before we can introduce the Android vulnerabilities, it is important to understand the AOSP structure, Android's privacy and security principles, and the Android security model.

AOSP Structure

The Android Open Source Project, or AOSP, is an "open source operating system for mobile devices and a corresponding open source project led by Google" [7].
This open source project allows developers to create a custom variant of the Android OS while ensuring that devices still meet compatibility requirements, which in turn gives users a healthy and stable environment. However, when you first download the AOSP, you will find that there are multiple directories,