Enabling Fine-Grained Permissions in Smartphones


by Nisarg Raval
Department of Computer Science, Duke University

Approved: Ashwin Machanavajjhala (Supervisor), Landon Cox, Alvin Lebeck, Maria Gorlatova

Dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Department of Computer Science in the Graduate School of Duke University, 2019

Copyright © 2019 by Nisarg Raval. All rights reserved except the rights granted by the Creative Commons Attribution-Noncommercial Licence.

Abstract

The increasing popularity of smart devices that continuously monitor various aspects of users' lives, and the prevalence of third-party services that consume these data feeds, pose a serious threat to users' privacy. A one-sided focus on the utility of these applications (apps) and the lack of a proper access control mechanism often lead to inadvertent (or deliberate) leaks of sensitive information about users. At the core of protecting user data on smart devices lies the permissions framework, which arbitrates apps' access to resources on the device. The existing permissions frameworks in smartphones are largely coarse-grained, allowing apps to collect more information than is required for their functionality and thereby putting users' privacy at risk.

In this dissertation, we address these privacy concerns by proposing an extensible permissions framework that gives users fine-grained control over the resources accessed by apps. It uses permissions plugins, special modules that govern an app's access to resources on the device. We develop a number of permissions plugins to arbitrate access to key resources including location, contacts, camera and external storage. Moreover, we show that existing privacy solutions can be easily integrated into our framework via plugins. We also develop two novel privacy frameworks that help users balance privacy-utility tradeoffs and allow them to make an informed decision about sharing their data with apps in order to obtain services in return. We envision a repository of permissions plugins where privacy experts publish plugins that are customized to the needs of users as well as apps, and users simply install the plugins they are interested in to protect their privacy.

To Mom, Dad, and Mansi

Contents

Abstract
List of Tables
List of Figures
Acknowledgements
1 Introduction
  1.1 Primary Contributions
  1.2 Thesis Organization
2 Background
  2.1 Android Permissions
  2.2 SE Android
  2.3 Android Internals
    2.3.1 Binder IPC
    2.3.2 Launching apps
3 Plugin-driven Permissions Framework for Smartphones
  3.1 Introduction
  3.2 Related Work
  3.3 Overview
    3.3.1 Trust model
    3.3.2 Design principles
    3.3.3 Dalf
    3.3.4 Malicious plugins
  3.4 Implementation
    3.4.1 Plugins
    3.4.2 Interposers
  3.5 Permissions Plugins
    3.5.1 Location plugin
    3.5.2 Contacts plugin
    3.5.3 Camera plugin
    3.5.4 Storage plugin
  3.6 Evaluation
    3.6.1 Experimental methodology
    3.6.2 Performance slowdown
    3.6.3 Memory overhead
    3.6.4 Battery usage
    3.6.5 Scalability
    3.6.6 Real world apps
  3.7 Limitations
    3.7.1 Design
    3.7.2 Prototype
  3.8 Conclusion
4 Privacy Markers for Protecting Visual Secrets
  4.1 Introduction
  4.2 Motivation
  4.3 Approach Overview
    4.3.1 Design principles
    4.3.2 Trust and attacker model
    4.3.3 Limitations
  4.4 Implementation
    4.4.1 Android's camera subsystem
    4.4.2 WAVEOFF in Android
  4.5 Evaluation
    4.5.1 User study
    4.5.2 Evaluating real-world scenarios
    4.5.3 Performance impact on mobile device
  4.6 Related Work
  4.7 Conclusion
5 Sensor Privacy through Utility Aware Obfuscation
  5.1 Introduction
  5.2 OLYMPUS Overview
    5.2.1 Problem setting
    5.2.2 Design principles
    5.2.3 Privacy framework
  5.3 Utility Aware Obfuscation
    5.3.1 Problem formulation
    5.3.2 Learning to obfuscate
  5.4 Implementation
    5.4.1 Constructing OLYMPUS
    5.4.2 Training OLYMPUS
    5.4.3 Deploying OLYMPUS
  5.5 Experiments
    5.5.1 Experimental setup
    5.5.2 Evaluation on Android app
    5.5.3 Evaluation on benchmark datasets
    5.5.4 Utility evaluation
    5.5.5 Privacy evaluation
    5.5.6 Privacy-utility tradeoff
    5.5.7 Effect of correlation
    5.5.8 Obfuscation time
    5.5.9 Scaling to multiple applications
    5.5.10 App classifiers
  5.6 Related Work
  5.7 Conclusion
6 Conclusion
  6.1 Future Work
A Supporting Materials for OLYMPUS
  A.1 Neural Network Architectures
    A.1.1 OLYMPUS for images
    A.1.2 OLYMPUS for motion sensors
Bibliography
Biography

List of Tables

3.1 A summary of how prior work compares to DALF.
3.2 The resource interposers currently supported by the DALF prototype.
3.3 Configurations used in evaluating DALF.
4.1 WAVEOFF API for interacting with the camera service.
4.2 Salient features of user study participants.
4.3 Scenarios to evaluate WAVEOFF.
5.1 Summary of benchmark datasets used for evaluating OLYMPUS.
5.2 Evaluation results on DL4Mobile.
5.3 Example images obfuscated by OLYMPUS.
5.4 Accuracy of attackers on obfuscated data.
5.5 Evaluating OLYMPUS using LR as an app classifier.

List of Figures

2.1 Android permissions.
3.1 A high-level overview of DALF's design.
3.2 The performance slowdown in DALF when accessing various resources.
3.3 The memory overhead and battery usage in DALF under different workloads.
3.4 Performance of DALF as we apply plugins to multiple instances of LOCFINDER (top row) and FILEREADER (bottom row).
3.5 Results of finding nearby restaurants in the Grubhub app.
4.1 Hypothetical scenarios.
4.2 An illustration of marking a coffee mug safe via WAVEOFF.
4.3 Android's camera subsystem.
4.4 Usability results of WAVEOFF.
4.5 WAVEOFF results on (a) plain background, (b) plain background with private object, and (c) cluttered background with private objects use cases.
4.6 (a) Frames per second achieved by WAVEOFF across all the use cases. (b) Accuracy (left) and runtime (right) on multi-object video.
4.7 Performance impact on (a) power consumption, (b) memory consumption, and (c) CPU load, over 60 seconds of usage.
5.1 OLYMPUS framework.
5.2 OLYMPUS architecture for image data.
5.3 OLYMPUS architecture for motion sensor data.
5.4 An illustration of how OLYMPUS intercepts and obfuscates images requested by the target app Classify.
5.5 Accuracy of App (in blue) and Attacker (in red) networks on obfuscated data while training the Obfuscator.
5.6 Classification accuracy of the target apps on unperturbed and perturbed data.
5.7 Comparison with existing approaches.
5.8 Learning obfuscation when sensitive and useful properties are correlated.

Acknowledgements

The last six years of my life have been a rollercoaster ride with many ups and downs. Nevertheless, it was a joyful and intellectually satisfying ride, thanks to the folks who were instrumental in making my PhD a successful journey! I am extremely grateful to my advisor, Ashwin Machanavajjhala, for recognizing my potential and yearning for research. His invaluable guidance and an unvarying impetus to push my boundaries have helped me become a better researcher. I am also thankful to Landon Cox for his guidance and feedback that played a major role in shaping this dissertation. I would like to thank all my committee members for their critical feedback. I enjoyed working with many amazing collaborators who helped me nurture my research skills and made the paper deadlines bearable! Special thanks to Ali, Animesh, and Xi; I learned a lot.
