HideMyApp: Hiding the Presence of Sensitive Apps on Android Anh Pham, Italo Dacosta, Eleonora Losiouk, John Stephan, Kévin Huguenin, Jean-Pierre Hubaux To cite this version: Anh Pham, Italo Dacosta, Eleonora Losiouk, John Stephan, Kévin Huguenin, et al.. HideMyApp: Hiding the Presence of Sensitive Apps on Android. 28th USENIX Security Symposium (USENIX Security), Aug 2019, Santa Clara, CA, United States. pp.18. hal-01935675 HAL Id: hal-01935675 https://hal.archives-ouvertes.fr/hal-01935675 Submitted on 17 Oct 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. HideMyApp : Hiding the Presence of Sensitive Apps on Android Anh Pham Italo Dacosta Eleonora Losiouk ABB Corporate Research, Switzerland EPFL, Switzerland University of Padova, Italy John Stephan Kévin Huguenin Jean-Pierre Hubaux EPFL, Switzerland University of Lausanne, Switzerland EPFL, Switzerland Abstract patients [23], and there are around 325,000 mHealth apps available in major mobile app stores.2 Millions of users rely on mobile health (mHealth) apps to Given the sensitivity of medical data, the threats of pri- manage their wellness and medical conditions. Although the vacy leakage are one of the main hindrances to the success of popularity of such apps continues to grow, several privacy and mHealth technologies [37]. In this area, a serious and often security challenges can hinder their potential. In particular, overlooked threat is that an adversary can infer sensitive infor- the simple fact that an mHealth app is installed on a user’s mation simply from the presence of an app on a user’s phone. phone can reveal sensitive information about the user’s health. Previous studies have shown that private information, such as Due to Android’s open design, any app, even without per- age, gender, race, and religion, can be inferred from the list of missions, can easily check for the presence of a specific app installed apps [22,29,47]. With the increasing popularity of or collect the entire list of installed apps on the phone. Our mHealth apps, an adversary can now infer even more sensitive analysis shows that Android apps expose a significant amount information. For example, learning that a user has a diabetes of metadata, which facilitates fingerprinting them. Many third app reveals that the user probably suffers from this disease; parties are interested in such information: Our survey of 2917 such information could be misused to profile, discriminate, or popular apps in the Google Play Store shows that around 57% blackmail the user. When inquired about this threat, 87% of of these apps explicitly query for the list of installed apps. the participants in our user-study expressed concern about it Therefore, we designed and implemented HideMyApp (HMA), (Section 10.6). an effective and practical solution for hiding the presence Due to Android’s open design, a zero-permission app can of sensitive apps from other apps. HMA does not require any easily infer the presence of specific apps, or even collect the changes to the Android operating system or to apps yet still full list of installed apps on the phone [55]. Our analysis supports their key functionalities. By using a diverse dataset shows that Android exposes a considerable amount of static of both free and paid mHealth apps, our experimental eval- and runtime metadata about installed apps (Section 4); this uation shows that HMA supports the main functionalities in information can be misused by a nosy app to accurately finger- most apps and introduces acceptable overheads at runtime print these apps. In 2014, Twitter was criticized for collecting (i.e., several milliseconds); these findings were validated by the list of installed apps in order to offer targeted ads.3 But our user-study (N = 30). In short, we show that the practice of Twitter is not the only app interested in such information. Our collecting information about installed apps is widespread and static and dynamic analysis of 2917 popular apps in the US that our solution, HMA, provides a robust protection against Google Play Store shows that approximately 57% of these such a threat. apps include calls to API methods that explicitly collect the list of installed apps (Section 5). Our analysis, corroborating 1 Introduction the findings of previous studies [29, 32], also shows that free apps are more likely to query for such information and that Mobile health (mHealth), the use of technologies such as third-party libraries (libs) are the main requesters of the list of smartphones and wearable sensors for wellness and medical installed apps. As users have on average 80 apps installed on purposes, promises to improve the quality of and reduce the their phones,4 most of them being free, there is a high chance costs of medical care and research. An increasing number of of untrusted third-parties obtaining the list of installed apps. people rely on mHealth apps to manage their wellness and to Since 2015, Android has classified as potentially harmful prevent and manage diseases.1 For instance, more than a third apps (PHA)5 the apps that collect information about other of physicians in the US recommend mHealth apps to their apps without user consent [1]. To avoid this classification, USENIX Association 28th USENIX Security Symposium 711 developers simply need to provide a privacy policy that de- ing robust protection against fingerprinting attacks, as many of scribes how the app collects, uses, and shares user data.6 the information leaks uncovered by our analysis are still pos- We find it interesting that only 7.7% of the evaluated apps sible when just app virtualization is used. Therefore, our main clearly declared that they collect the list of installed apps in contribution is the design and evaluation of mechanisms built their privacy policies, and some even claim that such a list on top of app-virtualization in order to reduce the information is non-personal information (Section 5.4). Also, few users leaks that could be exploited to fingerprint sensitive apps. HMA read privacy policies [41], as our user study also confirmed provides multiple tiers of protection: For baseline protection (Section 10.6). against current threats, HMA obfuscates static meta-data of sen- Android does not provide mechanisms to hide the use of sitive apps (e.g., their package names and components). To sensitive apps on a phone; a few third-party tools, designed provide more advanced protection (e.g., against side-channel for other purposes, can provide only partial protection to some attacks), HMA can add an additional layer of obfuscation for users (Section 6). Android announced that their security ser- sensitive apps (e.g., randomizing memory access). In some vices will display warnings on apps that collect without con- cases, app developers might need to be involved to make sent users’ personal information, including the list of installed changes to the apps. Moreover, we are the first to identify the apps.7 This is a welcomed step, but the effectiveness of secu- security and functional limitations of using app virtualization rity warnings is known to be limited [30, 49] and it is unclear for the purpose of hiding apps. how queries by third-party libraries will be handled. It is also Our evaluation of HMA on a diverse set of both free and paid unclear if such an approach will be able to prevent more sub- mHealth apps on the Google Play Store shows that HMA is tle attacks, where a nosy app checks for the existence of a practical, and that it introduces reasonable operational delays specific app or a small set of sensitive apps by using more to the users. For example, in 90% of the cases, the delay advanced fingerprinting techniques (Section 4). introduced by HMA to the cold start of an mHealth app by We propose HideMyApp (HMA), the first system that enables a non-optimized proof-of-concept implementation of HMA is organizations and developers to distribute sensitive apps to less than one second. At runtime, the delay introduced is of their users while considerably reducing the risk of such apps only several milliseconds. Moreover, our user-study (N = 30) being detected by nosy apps on the same phone. Apps pro- suggests that HMA is user-friendly and of interest to users. tected by HMA expose significantly less identifying metadata, Our main contributions in this work are as follows. therefore, it is more difficult for nosy apps to detect their pres- Systemized knowledge: We are the first to investigate ence, even when the nosy apps have all Android permissions • the techniques that an app can use to fingerprint another and debugging privileges. With HMA, an organization such as a app.8 Also, through our static and dynamic analysis on consortium of hospitals sets up an HMA app store where autho- apps from the Google Play Store, we gain understanding rized developers collaborating with the hospitals can publish about the prevalence of the problem of apps fingerprint- their mHealth and other sensitive apps. Users employ a client ing other installed apps. app called HMA Manager to anonymously (un)install, use, and to update the apps selected from the HMA app store; an the Design and implementation of a solution for hiding sen- • HMA App Store does not learn about the set of apps that a sitive apps: We present HMA, a practical system that pro- user has installed from the store.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages19 Page
-
File Size-