Prevention of Cross-update Privacy Leaks on Android
Computer Science and Information Systems, Tome 15 (2018) no. 1
Updating applications is an important mechanism to enhance their availability, functionality, and security. However, without careful consideration, application updates can bring other security problems. In this paper, we consider a novel attack that exploits application updates on Android: a cross-update privacy-leak attack called COUPLE. The COUPLE attack allows an application to secretly leak sensitive data through the cross-update interaction between its old and new versions; each version only has permissions and logic for either data collection or transmission to evade detection. We implement a runtime security system, BREAKUP, that prevents cross-update sensitive data transactions by tracking permission-use histories of individual applications. Evaluation results show that BREAKUP’s time overhead is below 5%. We further show the feasibility of the COUPLE attack by analyzing the versions of 2,009 applications (28,682 APKs).
Keywords:
Android, Privacy, Information flow, Permission
@article{CSIS_2018_15_1_a5,
author = {Beumjin Cho and Sangho Lee and Meng Xu and Sangwoo Ji and Taesoo Kim and Jong Kim},
title = {Prevention of {Cross-update} {Privacy} {Leaks} on {Android}},
journal = {Computer Science and Information Systems},
year = {2018},
volume = {15},
number = {1},
url = {http://geodesic.mathdoc.fr/item/CSIS_2018_15_1_a5/}
}
TY - JOUR
AU - Beumjin Cho
AU - Sangho Lee
AU - Meng Xu
AU - Sangwoo Ji
AU - Taesoo Kim
AU - Jong Kim
TI - Prevention of Cross-update Privacy Leaks on Android
JO - Computer Science and Information Systems
PY - 2018
VL - 15
IS - 1
UR - http://geodesic.mathdoc.fr/item/CSIS_2018_15_1_a5/
ID - CSIS_2018_15_1_a5
ER -
Beumjin Cho; Sangho Lee; Meng Xu; Sangwoo Ji; Taesoo Kim; Jong Kim. Prevention of Cross-update Privacy Leaks on Android. Computer Science and Information Systems, Tome 15 (2018) no. 1. http://geodesic.mathdoc.fr/item/CSIS_2018_15_1_a5/