AUTOMATED SYSTEMS FOR TESTING ANDROID APPLICATIONS TO DETECT SENSITIVE INFORMATION LEAKAGE

Abstract

Smart phones have become an important daily companion and often used by users to store various private data such as contacts, photos, messages, various social network accounts etc. Users can furthermore extend the functionality of their phone by downloading applications (or apps) from various developers and online application stores. However, apps may misuse the data stored on the phone or obtained from the sensors and users do not have any direct means to track that. Hence, the need for improved mechanisms to better manage the privacy of user data is very important.

There has been a lot of effort to detect and thwart unauthorized access to these private data. However, there is no consensus method which can ensure protection of user sensitive information from mobile devices and at the same time easily deployable at user side. This dissertation aims at developing methods to test Android applications for privacy leakage detection. For this, it presents a new technique: if an application is run twice and all program inputs and environment conditions are kept equal, then it should produce identical outputs. So, if a sensitive input is changed in two separate executions of the target application, and a variance is observed at output, then the output contains information from that sensitive input. Based on this idea we developed two systems namely DroidTest and MirrorDroid to detect leakage of privacy sensitive data.

DroidTest instruments the Android framework APIs to insert security monitoring code. The instrumented APIs help to record user interactions and sensitive API values in record phase (first run of application) and restore the recorded information during replay execution (second run of the target application). Program inputs (except sensitive data) and environment conditions are kept equal in both runs and change in corresponding outputs corresponds to leakage of sensitive data. DroidTest does not require costly platform update and can be easily distributed as a modified Android SDK. On the other hand, MirrorDroid places the monitoring code within the Android Runtime (Dalvik Virtual Machine). It does not explicitly run an application twice like DroidTest. Rather, the instrumented Dalvik VM intercepts execution of each instruction and duplicates it before fetching next instructions, essentially running a separate execution (mirror execution) of the target program in parallel. Then the outgoing data in original and mirror execution is compared to find evidences of information leakage.

We have evaluated the proposed systems on two data sets. The first data set is taken from the Android Malware Genome Project containing 225 samples from 20 malware families. Using DroidTest and MirrorDroid to monitor information leakage, we could successfully detect leakage already reported in literature. The second data set consists of 50 top free applications from the official Android Market Place (Google Play Store). We found 36 out of this 50 applications leak some kind of information, which is very alarming considering these are very popular and highly downloaded applications. Although, the proposed systems either instruments the application framework APIs or the Dalvik Virtual Machine, they produce low run time overhead (DroidTest 22% and MirrorDroid 8.2%). The accuracy of the proposed detection mechanisms also proves the effectiveness of our methods. DroidTest produces 22% false positives. If we ignore false warnings generated by different ordering of thread executions in record and replay phase, the false positives rate stands at 10%. MirrorDroid does better than DroidTest and generates only 6% false positives for the applications in test data sets.