Open Zhixu-Dissertation.Pdf

The Pennsylvania State University
The Graduate School
College of Engineering

SECURITY AND PRIVACY OF NEW FEATURES ON SMARTPHONES

A Dissertation in Computer Science and Engineering
by Zhi Xu

© 2012 Zhi Xu

Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

December 2012

The dissertation of Zhi Xu was reviewed and approved* by the following:

Sencun Zhu, Associate Professor of Computer Science and Engineering and Associate Professor of Information Sciences and Technology, Dissertation Advisor, Chair of Committee
Guohong Cao, Professor of Computer Science and Engineering
Tom La Porta, Professor of Computer Science and Engineering
Dennis K.J. Lin, Professor of Statistics
Lee Coraor, Associate Professor of Computer Science and Engineering, Director of Academic Affairs

*Signatures are on file in the Graduate School.

Abstract

Smartphones have become an indispensable part of our daily lives. Thanks to advances in both hardware and software, modern smartphones expose innovative features to the third party applications (a.k.a. apps) running on their platforms. These features, including various onboard sensors and notification services, are widely used by third party applications: they let developers build innovative apps and greatly improve the interactive experience for phone users. As these features and the services they provide become more popular, concerns arise about whether they might introduce security vulnerabilities to the smartphone or leak the private information of phone users. Because these features are newly introduced and never appeared on earlier dumbphones, they have barely been studied from a security and privacy perspective in the existing literature.
In this dissertation, we present our studies of two types of popular smartphone features: onboard sensors (and the sensor services they provide) and notification services. For each feature, we elaborate our studies from both the attack side (i.e., exploring attacks on phone users that utilize the feature) and the defense side (i.e., proposing designs and solutions to prevent potential feature-based attacks).

For the onboard sensors, we present a study of inferring a user's tap inputs on a smartphone from its integrated motion sensors. Specifically, an installed trojan application stealthily monitors the device movements and gesture changes of the smartphone using its onboard motion sensors. While the user is interacting with the trojan application, it learns the motion change patterns of tap events. Later, when the user is performing sensitive inputs, such as entering passwords on the touchscreen, the trojan application applies the learned pattern to infer both the occurrence of tap events on the touchscreen and the tapped positions on the touchscreen.

To manage the onboard sensors and prevent sensor-based attacks, we propose a privacy-aware sensor management framework, called SemaDroid, which extends the existing sensor management framework on Android to provide comprehensive and fine-grained access control over onboard sensors. SemaDroid allows the smartphone user to know the sensor usage of every installed application, specify context-aware and quality-of-sensing based access control policies, and enforce the policies in real time. Further, considering the trade-off between the functionality of installed third party applications and the privacy of users, SemaDroid provides a privacy bargain feature that allows users to control the disclosure of sensing information while keeping the application running.
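The two-phase attack sketched above, as an added illustration that is not the dissertation's code and does not reproduce its statistics or classifier: in training mode the trojan app draws its own buttons, so it has ground truth and can learn a tap-detection threshold from the accelerometer and a per-region signature of the orientation change; in logging mode another app owns the screen, so it detects taps by threshold and labels each one with the nearest learned signature. The per-window features, the four screen regions and every sensor value are constructed for the example.

```python
"""Toy two-phase motion-sensor tap logger (added illustration, not the
dissertation's code).

  training mode -> the trojan has ground truth for its own buttons, so it
                   learns (a) a tap-detection threshold from accelerometer
                   magnitude and (b) per-region orientation-change centroids;
  logging mode  -> no ground truth, so taps are detected by threshold and
                   labelled with the nearest centroid.

Features per sensor window (all values constructed): peak deviation of the
accelerometer magnitude from gravity (m/s^2) and the pitch/roll change
(radians) across the window.
"""
import math
import statistics

# --- training mode: the trojan knows when and where the user tapped ----

# Peak magnitude deviation in windows with no tap (constructed).
NOISE_PEAKS = [0.05, 0.08, 0.04, 0.06, 0.07]
# Peak magnitude deviation in windows that contained a tap (constructed).
TAP_PEAKS = [0.42, 0.38, 0.45, 0.40, 0.36]

# (region, pitch_delta, roll_delta) for taps on known buttons (constructed).
TRAINING_TAPS = [
    ("top-left", 0.8, -0.6), ("top-left", 0.7, -0.5), ("top-left", 0.9, -0.7),
    ("top-right", 0.8, 0.6), ("top-right", 0.7, 0.7), ("top-right", 0.9, 0.5),
    ("bottom-left", -0.8, -0.6), ("bottom-left", -0.7, -0.7), ("bottom-left", -0.9, -0.5),
    ("bottom-right", -0.8, 0.6), ("bottom-right", -0.9, 0.7), ("bottom-right", -0.7, 0.5),
]


def learn_tap_threshold(noise_peaks, tap_peaks, k=3.0):
    """Detection threshold: k standard deviations above the idle-noise mean.

    Refuses a threshold the observed taps would not clear, since such a
    model would never fire in logging mode.
    """
    threshold = statistics.mean(noise_peaks) + k * statistics.stdev(noise_peaks)
    if threshold >= min(tap_peaks):
        raise ValueError("tap signature not separable from idle noise")
    return threshold


def learn_region_centroids(training_taps):
    """Mean (pitch_delta, roll_delta) per region: a nearest-centroid classifier."""
    by_region = {}
    for region, pitch, roll in training_taps:
        by_region.setdefault(region, []).append((pitch, roll))
    return {
        region: (statistics.mean(p for p, _ in pts), statistics.mean(r for _, r in pts))
        for region, pts in by_region.items()
    }


# --- logging mode: another app owns the screen, no ground truth ---------

def classify_region(centroids, pitch, roll):
    """Label a tap with the region whose centroid is closest in (pitch, roll)."""
    return min(centroids, key=lambda reg: math.dist(centroids[reg], (pitch, roll)))


def log_taps(windows, threshold, centroids):
    """[(window_index, inferred_region)] for every window above the threshold."""
    inferred = []
    for i, (peak, pitch, roll) in enumerate(windows):
        if peak > threshold:
            inferred.append((i, classify_region(centroids, pitch, roll)))
    return inferred


# Constructed logging-mode stream: the user is typing in some other app.
LOGGING_WINDOWS = [
    (0.05, 0.02, -0.01),   # idle
    (0.41, 0.75, -0.55),   # tap, top-left
    (0.07, -0.03, 0.02),   # idle
    (0.39, -0.85, 0.62),   # tap, bottom-right
    (0.44, 0.82, 0.58),    # tap, top-right
    (0.06, 0.01, 0.00),    # idle
    (0.37, -0.72, -0.64),  # tap, bottom-left
]


def run_attack():
    threshold = learn_tap_threshold(NOISE_PEAKS, TAP_PEAKS)
    centroids = learn_region_centroids(TRAINING_TAPS)
    return log_taps(LOGGING_WINDOWS, threshold, centroids)


if __name__ == "__main__":
    for idx, region in run_attack():
        print(f"window {idx}: tap inferred at {region}")
```

The point a practitioner should take from the toy is structural: nothing in logging mode touches the touchscreen or the foreground app; every input to the classifier comes from a sensor stream the trojan can read while in the background, which is why the defense has to sit at the sensor-management layer rather than in the victim app.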
For the notification service, we show that notification customization may allow an installed trojan application to launch phishing attacks or anonymously post spam notifications. Through our studies on four major smartphone platforms, we show that both Android and BlackBerry OS are vulnerable to the phishing and spam notification attacks. iOS and Windows Phone allow little notification customization, so launching the phishing and spam attacks there would expose the identity of the trojan application. Our notification service studies point out an important vulnerability of the existing view-based smartphone platforms: the lack of view authentication. To prevent the user from being tricked by phishing notifications and to locate the malware application spreading phishing and spam notifications, while still allowing notification customization, we propose a Semi-OS-Controlled notification view design principle and a Notification Logging service. Moreover, to protect applications from fraudulent views, we propose a view authentication framework, named SecureView, which enables third party applications to add an authentication image and text to their sensitive views (e.g., the account login view). The design, implementation, demonstrations, and evaluation of the proposed attack and defense approaches are elaborated in the dissertation.

Contents

List of Figures  xi
List of Tables  xiii
Acknowledgments  xiv

Chapter 1  Introduction  1
  1.1 New Features on Smartphones  1
  1.2 Motivation  2
  1.3 Contributions  3
    1.3.1 Motion Sensor based Logging Attacks  4
    1.3.2 Proposed Sensor Management Framework  4
    1.3.3 Notification based Phishing and Spam Attacks  5
    1.3.4 Preventing Notification based Phishing and Spam Attacks  6
  1.4 Dissertation Outline  7

Chapter 2  Onboard Sensors and Notification Services on Smartphones  8
  2.1 Mobile Phone Sensing  9
    2.1.1 Types of Onboard Sensors  9
    2.1.2 Phone Sensing Applications  10
    2.1.3 Existing Sensor Management on Android  11
  2.2 Notification Services  12
    2.2.1 Notification Categorization  12
    2.2.2 Notification Customization  12

Chapter 3  Inferring User Inputs on Touchscreens Using Motion Sensors  15
  3.1 Technical Background  16
    3.1.1 User Inputs on Touchscreen  16
    3.1.2 Motion Sensors  16
      3.1.2.1 Accelerometer Sensor  17
      3.1.2.2 Orientation Sensor  18
      3.1.2.3 Hardware Specifications  18
    3.1.3 Tap-To-Open/Active Interactive Pattern  18
  3.2 Related Work  19
    3.2.1 Logging Attacks on Smartphones  19
    3.2.2 Attacks Relying on Mobile Sensors  20
  3.3 Attack Overview  21
    3.3.1 Assumptions  21
    3.3.2 Attack Goals  21
    3.3.3 Attack Workflow  22
    3.3.4 Challenges  23
  3.4 Tap Event Detection  23
    3.4.1 Observed Pattern of Tap Events  24
    3.4.2 Proposed Statistic Approach  25
      3.4.2.1 Pattern Learning in Training Mode  25
      3.4.2.2 Tap Event Detection in Logging Mode  27
    3.4.3 Evaluations  28
  3.5 Tap Position Inference  30
    3.5.1 Gesture Change Analysis  30
    3.5.2 Screen Division  32
    3.5.3 Proposed Inference Approach  32
      3.5.3.1 Classifier Generation in Training Mode  33
      3.5.3.2 Inference in Logging Mode  34
    3.5.4 Evaluation  35
  3.6 Applications on Android  37
    3.6.1 Implementation on Android  37
      3.6.1.1 Training Mode  37
      3.6.1.2 Logging Mode  37
    3.6.2 Number Pad Logging Attack  38
      3.6.2.1 Attack Overview  38
      3.6.2.2 Tap Position Inference  39
      3.6.2.3 Evaluations  39
    3.6.3 Password Stealing Attack  41
      3.6.3.1 Attack Overview  41
      3.6.3.2 Tap Position Inference  41
      3.6.3.3 Evaluations  43
  3.7 Discussion  43
    3.7.1 Security Permission Requirements  43
    3.7.2 Overhead Analysis  44
    3.7.3 Attack on Other Platforms  45
    3.7.4 Countermeasures  45

Chapter 4  A Privacy-Aware Sensor Management Framework for Smartphones  47
  4.1 Overview of SemaDroid  47
  4.2 Related Works  49
    4.2.1 Access Control on Smartphones  49
    4.2.2 Sensor Management on Smartphones  50
  4.3 Security Model  51
    4.3.1 Attack Model  51
    4.3.2 Trust Model  52
  4.4 SemaDroid Design  52
    4.4.1 SemaDroid Framework Design  53
    4.4.2 SemaDroid Workflow  54
      4.4.2.1 Allowing Sensor Usage Management  55
      4.4.2.2 Enforcing Sensor Usage Policies  55
  4.5 Usage Policy Design and Enforcement  56
    4.5.1 Policy Design  57
      4.5.1.1 app-info Section  57
      4.5.1.2 policy-info Section  58
    4.5.2 Policy Enforcement Context  58
    4.5.3 Quality-of-Sensing based Enforcement Rules  60
    4.5.4 Policy Enforcement  60
  4.6 Privacy Bargain  61
    4.6.1 Definition of Privacy Bargain  61
    4.6.2 Bargain Procedure using SemaDroid  62
    4.6.3 QoSn Adjustment using SemaDroid  63
      4.6.3.1 Data Adjustment Rules  63
      4.6.3.2 Data Manipulation Rules  63
      4.6.3.3 Mock Data Rules  64
      4.6.3.4 Rules Refinement  64
  4.7 Implementation of SemaDroid  64
    4.7.1 Unrestricted Sensors  64
      4.7.1.1 Normal Sensor Data Collection  65
      4.7.1.2 Policy Enforcement with SemaDroid  67
    4.7.2 GPS and Network Location Providers  67
      4.7.2.1 Normal Sensor Data Collection  68
      4.7.2.2 Policy Enforcement with SemaDroid  68
    4.7.3 Camera  69
      4.7.3.1 Normal Sensor Data Collection  69
      4.7.3.2 Policy Enforcement  69
    4.7.4 Microphone  70
      4.7.4.1 Normal Sensor Data Collection  70
      4.7.4.2 Policy Enforcement  71
    4.7.5 Media Recorder  71
      4.7.5.1 Normal Sensor Data Collection  71
      4.7.5.2 Policy Enforcement  72
    4.7.6 Mock Data Generator Service  73
  4.8 Application and Demonstration  74
    4.8.1 Preventing Private Sensor Data Leakage  74
      4.8.1.1 Sensor Usage Review  74
      4.8.1.2 Policy Design  74
    4.8.2 Managing Sensor Usages  75
  4.9 Discussions  77
    4.9.1 Extending SemaDroid to iOS and BlackBerry OS  77
    4.9.2 Mock Sensor Data  78
    4.9.3 Coverage of SemaDroid ...
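A toy version of the usage-policy enforcement the abstract describes and the outline lists under 4.5 (app-info and policy-info sections, enforcement context, quality-of-sensing rules) and 4.6.3 (data adjustment, data manipulation and mock data rules), added here as an illustration; it is not SemaDroid's implementation or its policy format. The dict layout, the package name, the per-sensor rule parameters and every sensor reading are constructed for the example. The accelerometer rule is chosen to show the privacy bargain against the tap logger in the abstract: an app keeps receiving readings, but at a quality where tap-sized deviations of a few tenths of a m/s^2 no longer appear.

```python
"""Toy SemaDroid-style sensor usage policy with quality-of-sensing (QoSn)
rules. Added illustration, not the dissertation's code or policy syntax;
only the section names and rule families come from the outline. Package
name, rule parameters and readings are constructed.
"""

# Hypothetical policy a user could attach to one installed app.
POLICY = {
    "app-info": {"package": "com.example.weather"},  # hypothetical package name
    "policy-info": [
        # full-quality GPS only while the app is on screen ...
        {"sensor": "gps", "when": {"foreground": True}, "rule": "pass"},
        # ... and city-level (2 decimal places, roughly 1 km) in the background
        {"sensor": "gps", "when": {"foreground": False}, "rule": "adjust", "param": 2},
        # accelerometer quantised to 0.5 m/s^2: tap-sized wobbles vanish
        {"sensor": "accelerometer", "when": {}, "rule": "adjust", "param": 0.5},
        # the app keeps working but sees a blank frame instead of the real one
        {"sensor": "camera", "when": {}, "rule": "mock"},
        {"sensor": "microphone", "when": {}, "rule": "deny"},
    ],
}


def match_rule(policy, sensor, context):
    """First rule for this sensor whose 'when' conditions all hold in context.

    No match means deny: a sensor the user never allowed stays closed.
    """
    for rule in policy["policy-info"]:
        if rule["sensor"] != sensor:
            continue
        if all(context.get(k) == v for k, v in rule["when"].items()):
            return rule
    return {"sensor": sensor, "when": {}, "rule": "deny"}


def quantise(value, step):
    """Snap a reading to the nearest multiple of step (data adjustment)."""
    return round(value / step) * step


def apply_qosn(rule, sensor, reading):
    """Return the reading the app is allowed to see under the rule."""
    kind = rule["rule"]
    if kind == "pass":
        return reading
    if kind == "deny":
        return None
    if kind == "mock":
        # same shape as a real reading so the app does not crash
        if isinstance(reading, bytes):
            return b"\x00" * len(reading)
        return tuple(0.0 for _ in reading)
    if kind == "adjust":
        if sensor == "gps":
            lat, lon = reading
            return (round(lat, rule["param"]), round(lon, rule["param"]))
        return tuple(quantise(v, rule["param"]) for v in reading)
    raise ValueError(f"unknown rule kind {kind!r}")


def enforce(policy, sensor, context, reading, usage_log):
    """Hook a sensor service would call before delivering data to the app.

    Every decision is appended to usage_log so the user can review it.
    """
    rule = match_rule(policy, sensor, context)
    usage_log.append((policy["app-info"]["package"], sensor, rule["rule"]))
    return apply_qosn(rule, sensor, reading)


def demo():
    """Run the policy over constructed readings; returns (results, usage_log)."""
    log = []
    fg = {"foreground": True}
    bg = {"foreground": False}
    results = {
        "gps_fg": enforce(POLICY, "gps", fg, (40.7931, -77.8600), log),
        "gps_bg": enforce(POLICY, "gps", bg, (40.7931, -77.8600), log),
        "accel_idle": enforce(POLICY, "accelerometer", bg, (0.12, 0.31, 9.78), log),
        "accel_tap": enforce(POLICY, "accelerometer", bg, (0.12, 0.31, 10.18), log),
        "camera": enforce(POLICY, "camera", fg, b"\x10\x20\x30", log),
        "microphone": enforce(POLICY, "microphone", fg, (0.2, -0.1), log),
        "gyroscope": enforce(POLICY, "gyroscope", fg, (0.0, 0.1, 0.0), log),  # no rule
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for name, value in results.items():
        print(f"{name:12} -> {value}")
    print("usage log:", log)
```

Two design choices are worth noting. Unlisted sensors fall through to deny rather than pass, so a policy that forgets a sensor fails closed; and the mock and adjust rules keep the reading's shape, which is what lets the app keep running during a privacy bargain instead of crashing on a permission error.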

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    140 pages