More Like this

1. An Exploratory Analysis of Mobile Security Tools

   Shahriar, Hossain; Talukder, Md Arabin; Islam, Md Saiful (October 2019, Conference on Cybersecurity Education, Research and Practice)

   The growing market of the mobile application is overtaking the web application. Mobile application development environment is open source, which attracts new inexperienced developers to gain hands on experience with application development. However, the security of data and vulnerable coding practice is an issue. Among all mobile Operating systems such as, iOS (by Apple), Android (by Google) and Blackberry (RIM), Android dominates the market. The majority of malicious mobile attacks take advantage of vulnerabilities in mobile applications, such as sensitive data leakage via the inadvertent or side channel, unsecured sensitive data storage, data transition and many others. Most of these vulnerabilities can be detected during mobile application analysis phase. In this paper, we explore vulnerability detection for static and dynamic analysis tools. We also suggest limitations of the tools and future directions such as the development of new plugins. 

   more » « less
2. Understanding iOS-based crowdturfing through hidden UI analysis

   https://doi.org/10.5555/3361338.3361391  

   Lee, Y; Wang, X; Lee, K; Liao, X; Wang, X; Li, T; Mi, X. (January 2019, SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium)

   A new type of malicious crowdsourcing (a.k.a., crowdturfing) clients, mobile apps with hidden crowdturfing user interface (UI), is increasingly being utilized by miscreants to coordinate crowdturfing workers and publish mobile-based crowdturfing tasks (e.g., app ranking manipulation) even on the strictly controlled Apple App Store. These apps hide their crowdturfing content behind innocent-looking UIs to bypass app vetting and infiltrate the app store. To the best of our knowledge, little has been done so far to understand this new abusive service, in terms of its scope, impact and techniques, not to mention any effort to identify such stealthy crowdturfing apps on a large scale, particularly on the Apple platform. In this paper, we report the first measurement study on iOS apps with hidden crowdturfing UIs. Our findings bring to light the mobile-based crowdturfing ecosystem (e.g., app promotion for worker recruitment, campaign identification) and the underground developer's tricks (e.g., scheme, logic bomb) for evading app vetting. 

   more » « less
3. Data Safety vs. App Privacy: Comparing the Usability of Android and iOS Privacy Labels

   https://doi.org/10.56553/popets-2024-0047  

   Lin, Yanzi; Juneja, Jaideep; Birrell, Eleanor; Cranor, Lorrie Faith (April 2024, Proceedings on Privacy Enhancing Technologies)

   Privacy labels---standardized, compact representations of data collection and data use practices---are often presented as a solution to the shortcomings of privacy policies. Apple introduced mandatory privacy labels for apps in its App Store in December 2020; Google introduced mandatory labels for Android apps in July 2022. iOS app privacy labels have been evaluated and critiqued in prior work. In this work, we evaluated Android Data Safety Labels and explored how differences between the two label designs impact user comprehension and label utility. We conducted a between-subjects, semi-structured interview study with 12 Android users and 12 iOS users. While some users found Android Data Safety Labels informative and helpful, other users found them too vague. Compared to iOS App Privacy Labels, Android users found the distinction between data collection groups more intuitive and found explicit inclusion of omitted data collection groups more salient. However, some users expressed skepticism regarding elided information about collected data type categories. Most users missed critical information due to not expanding the accordion interface, and they were surprised by collection practices excluded from Android's definitions. Our findings also revealed that Android users generally appreciated information about security practices included in the labels, and iOS users wanted that information added. 

   more » « less
4. The Danger of Minimum Exposures: Understanding Cross-App Information Leaks on iOS through Multi-Side-Channel Learning

   https://doi.org/10.1145/3576915.3616655  

   Wang, Zihao; Guan, Jiale; Wang, XiaoFeng; Wang, Wenhao; Xing, Luyi; Alharbi, Fares (November 2023, ACM)

   Research on side-channel leaks has long been focusing on the information exposure from a single channel (memory, network traffic, power, etc.). Less studied is the risk of learning from multiple side channels related to a target activity (e.g., website visits) even when individual channels are not informative enough for an effective attack. Although the prior research made the first step on this direction, inferring the operations of foreground apps on iOS from a set of global statistics, still less clear are how to determine the maximum information leaks from all target-related side channels on a system, what can be learnt about the target from such leaks and most importantly, how to control information leaks from the whole system, not just from an individual channel. To answer these fundamental questions, we performed the first systematic study on multi-channel inference, focusing on iOS as the first step. Our research is based upon a novel attack technique, called Mischief, which given a set of potential side channels related to a target activity (e.g., foreground apps), utilizes probabilistic search to approximate an optimal subset of the channels exposing most information, as measured by Merit Score, a metric for correlation-based feature selection. On such an optimal subset, an inference attack is modeled as a multivariate time series classification problem, so the state-of-the-art deep-learning based solution, InceptionTime in particular, can be applied to achieve the best possible outcome. Mischief is found to work effectively on today's iOS (16.2), identifying foreground apps, website visits, sensitive IoT operations (e.g., opening the door) with a high confidence, even in an open-world scenario, which demonstrates that the protection Apple puts in place against the known attack is inadequate. Also importantly, this new understanding enables us to develop more comprehensive protection, which could elevate today's side-channel research from suppressing leaks from individual channels to controlling information exposure across the whole system. 

   more » « less
5. GUILeak: Tracing Privacy Policy Claims on User Input Data for Android Applications

   https://doi.org/10.1145/3180155.3180196  

   Wang, Xiaoyin; Qin, Xue; Hosseini, Mitra Bokaei; Slavin, Rocky; Breaux, Travis D.; Niu, Jianwei (May 2018, Proceedings - International Conference on Software Engineering)

   The Android mobile platform supports billions of devices across more than 190 countries around the world. This popularity coupled with user data collection by Android apps has made privacy protection a well-known challenge in the Android ecosystem. In practice, app producers provide privacy policies disclosing what information is collected and processed by the app. However, it is difficult to trace such claims to the corresponding app code to verify whether the implementation is consistent with the policy. Existing approaches for privacy policy alignment focus on information directly accessed through the Android platform (e.g., location and device ID), but are unable to handle user input, a major source of private information. In this paper, we propose a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims. For evaluation, we applied our approach to 120 popular apps from three privacy-relevant app categories: finance, health, and dating. The results show that our approach was able to detect 21 strong violations and 18 weak violations from the studied apps. 

   more » « less