Prevention of Cross-update Privacy Leaks on Android

Beumjin Cho1, Sangho Lee2, Meng Xu2, Sangwoo Ji1, Taesoo Kim2 and Jong Kim1

  1. Department of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH)
    Pohang, Republic of Korea
    beumjincho, sangwooji, jkim@postech.ac.kr
  2. School of Computer Science, Georgia Institute of Technology
    Atlanta, GA, USA
    sangho, meng.xu, taesoo@gatech.edu

Abstract

Updating applications is an important mechanism to enhance their availability, functionality, and security. However, without careful considerations, application updates can bring other security problems. In this paper, we consider a novel attack that exploits application updates on Android: a cross-update privacy-leak attack called COUPLE. The COUPLE attack allows an application to secretly leak sensitive data through the cross-update interaction between its old and new versions; each version only has permissions and logic for either data collection or transmission to evade detection. We implement a runtime security system, BREAKUP, that prevents cross-update sensitive data transactions by tracking permission-use histories of individual applications. Evaluation results show that BREAKUP’s time overhead is below 5%. We further show the feasibility of the COUPLE attack by analyzing the versions of 2;009 applications (28;682 APKs).

Key words

Android, Privacy, Information flow, Permission

Digital Object Identifier (DOI)

https://doi.org/10.2298/CSIS170728047C

Publication information

Volume 15, Issue 1 (January 2018)
Year of Publication: 2018
ISSN: 1820-0214 (Print) 2406-1018 (Online)
Publisher: ComSIS Consortium

Full text

DownloadAvailable in PDF
Portable Document Format

How to cite

Cho, B., Lee, S., Xu, M., Ji, S., Kim, T., Kim, J.: Prevention of Cross-update Privacy Leaks on Android. Computer Science and Information Systems, Vol. 15, No. 1, 111–137. (2018), https://doi.org/10.2298/CSIS170728047C