X-Decaf: Detection of Cache File Leaks in Android Social Apps
doi: 10.11999/JEIT160555 cstr: 32379.14.JEIT160555
Funds:
The National Natural Science Foundation of China (61370195), ZTE Corporation and University Joint Research Project
Abstract: Social applications handle many types of privacy-sensitive data, so as their use has spread, incidents of user privacy leakage have become frequent; yet few studies address privacy leakage detection for social applications. Combining the characteristics of the Android system with taint tracking and the Xposed framework, this paper proposes X-Decaf (Xposed-based-detecting-cache-file), a privacy leakage detection framework for social applications on the Android platform. X-Decaf obtains the suspected leakage paths within an application and monitors the cache files that hold privacy data. The paper also gives a suggestion for rating privacy leaks, and applies the framework to 50 Android social applications; the results show that vulnerabilities leaking user privacy information are common among social applications on the Android platform.
Key words:
- Privacy leakage /
- Taint tracking /
- Cache file /
- Xposed /
- Android system
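The abstract describes hooking the app under test with Xposed to catch writes of privacy data into cache files and to recover the in-app path that led to the write. The module below is an added illustration of that monitoring idea; it is not the paper's X-Decaf code. It assumes a hypothetical target package name (`com.example.socialapp`), uses only the public Xposed API (`IXposedHookLoadPackage`, `XposedHelpers.findAndHookConstructor`, `XC_MethodHook`, `XposedBridge.log`), and the severity labels it prints are this example's own, not the rating scheme the paper suggests. It relies on the fact that the other `FileOutputStream` constructors in Android's libcore delegate to `(File, boolean)`, so a single constructor hook sees direct writes, `Context.openFileOutput()` and most image-cache libraries.

```java
package example.xdecaf; // hypothetical package; this is example code, not the paper's

import java.io.File;
import java.io.IOException;

import android.os.Environment;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Minimal Xposed module that records every file the monitored app opens for
 * writing, classifies where the file lives, and captures the in-app call chain
 * that led to the write (the "suspected leakage path").
 */
public class CacheFileMonitor implements IXposedHookLoadPackage {

    // Package under test; assumed value, a real harness would read it from configuration.
    private static final String TARGET_PACKAGE = "com.example.socialapp";

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return; // only instrument the app being analysed
        }
        // FileOutputStream(File), (String) and (String,boolean) all delegate to
        // (File,boolean) in Android's libcore, so one hook covers them without double reports.
        XposedHelpers.findAndHookConstructor(java.io.FileOutputStream.class,
                File.class, boolean.class, new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        File target = (File) param.args[0];
                        if (target != null) {
                            report(lpparam.packageName, target);
                        }
                    }
                });
    }

    /** Classify the write location; the labels are an assumption for illustration only. */
    static String classify(String path, String pkg) {
        String external = Environment.getExternalStorageDirectory().getAbsolutePath();
        if (path.startsWith(external)) {
            // Includes /sdcard/Android/data/<pkg>/cache: readable by any app holding the
            // storage permission on Android versions before scoped storage.
            return "HIGH: shared external storage";
        }
        if (path.contains("/" + pkg + "/cache/")) {
            return "MEDIUM: app-private cache, persists until the app or system clears it";
        }
        if (path.contains("/" + pkg + "/")) {
            return "LOW: app-private storage";
        }
        return "REVIEW: outside both the app sandbox and external storage";
    }

    /** Keep only the stack frames that belong to the app: the suspected leak path. */
    static String appCallChain(String pkg) {
        StringBuilder sb = new StringBuilder();
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            if (frame.getClassName().startsWith(pkg)) {
                sb.append("    at ").append(frame).append('\n');
            }
        }
        return sb.toString();
    }

    private static void report(String pkg, File target) {
        String path;
        try {
            path = target.getCanonicalPath(); // resolves symlinks such as /sdcard
        } catch (IOException e) {
            path = target.getAbsolutePath();
        }
        // XposedBridge.log writes through a stream opened at startup, so it does not
        // re-enter the FileOutputStream hook above.
        XposedBridge.log("[cache-file monitor] " + pkg + " writes " + path
                + "\n  " + classify(path, pkg) + "\n" + appCallChain(pkg));
    }
}
```

Each log entry pairs the destination of a cache write with the app-level frames that reached it; cross-referencing those frames with taint-tracking results (which data source was read shortly before) is how the suspected path would be confirmed as carrying privacy data.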