Automatic Privacy Leakage Detection for Massive Android Apps via a Novel Hybrid Approach
ABSTRACT
Android apps frequently leak private data off
the device with or without intentions. Researchers have proposed a large number
of methods, for example, static and dynamic analysis methods, to pick out the
apps which tend to leak private data. However, they are only able to identify
part of private data leakage vulnerabilities, due to the dynamic features in
codes or code coverage problem. This paper presents a novel hybrid approach
that can find out more private data leakages than the existing static or
dynamic methods. The approach, realized
in a tool, called HybriDroid, which employs
both static and dynamic analysis methods to extract the models of each apps, and
then refines the behavior model to a more adequate one according to the dynamic
analysis result. As a consequence, HybriDroid inherits the advantages of both
static and dynamic analysis methods, which not only achieves a high code
coverage, but also can deal with the dynamic features in codes. The evaluation
results show that HybriDroid is effective in detecting privacy leakages for
both inter- and intra-app communication. Comparing with the existing methods,
it can achieve considerable improvements in data leakage detection performance
with a 97.8% precision and 90% recall on the selected apps fromDroidBench 3.0
test suite.
Proposed
System
The contributions of this paper are
summarized as follows.
1) We have surveyed and identified
various solution weaknesses of existing user privacy protection systems or
mechanisms for the Android platform. To manage user privacy, we proposed the
border patrol concept. By monitoring user input operations and message
transmission operations from running Apps, effective and efficient warning or
detection mechanisms for user privacy risk can be constructed and developed
quickly.
2) A user privacy analysis framework
called LRPdroid is introduced to manage user privacy and customize the
tolerance level of personal information leakage for each individual mobile
user.
3) A privacy analysis model is
presented to support the proposed LRPdroid framework. Using the information
from App execution data flow, user perception setting and leakage awareness
detection, three levels of privacy measure are designed, respectively: privacy
risk assessment, privacy disclosure evaluation, and information leakage
detection.
4) Five novel modules are implemented
as an LRPdroid App service under the Android platform. To evaluate the proposed
framework, two general App usage scenarios are applied.
We study data privacy in the context
of information leakage. As more of our sensitive data gets exposed to
merchants, health care providers, employers, social sites and so on, there is a
higher chance that an adversary can “connect the dots” and piece together a lot
of our information. The more complete the integrated information, the more our
privacy is compromised. We present a model that captures this privacy loss
(information leakage) relative to a target person, on a continuous scale from 0
(no information about the target is known by the adversary) to 1 (adversary
knows everything about the target). The model takes into account the confidence
the adversary has for the gathered information (leakage is less if the
adversary is not confident), as well as incorrect information (leakage is less
if the gathered information does not match the target’s). We compare our
information leakage model with existing privacy models, and we propose several
interesting problems that can be formulated with our model. We also propose
efficient algorithms for computing information leakage and evaluate their
performance and scalability.
In recent work we have developed a
software reliability analysis technique [9] that uses a bounded symbolic
execution to collect a set of symbolic paths over the analyzed programs. The
path constraints associated with the paths are combined with given
probabilistic usage profiles and analyzed using model counting techniques [1]
to quantify the probability of reaching designated program states (e.g.
successful termination or the opposite, failure states such as assert
violations). In this work we adapt the reliability analysis to QIF by
considering information leakage as the failure states and using model counting
over the input constraints to quantify the likelihood of leakage assuming a
uniform usage profile. Example. Figure 1 shows an example function that we use
to illustrate QIF. It is a convention in the security literature to use the
label L (“low”) to denote non-sensitive input, to use the label H (“high”) to
denote sensitive private input, and to use the label O (“output”) to denote the
output. A malicious user has access to the public data, L and O, and tries to
infer the hidden secret, H, from that. Automating QIF analysis is a challenge.
For example, to analyze the program above, in [16] and more recently [17], the
authors manually transformed it into bit vector predicates. Other papers
require users to have verification expertise to use an interactive theorem
prover [12], or require user to write a driver following a template [10] or to
instrument the program under test
1.1 Objectives
Here, when we use online purchase mean time
how to secure our transaction details and card details.
1.2 System Specifications
Hardware
Requirements:-
Ø Windows OS
Software
Requirements: -
Operating System : Windows
OS
Front-End : HTML,
CSS, and JS
Back-End : Angular
JS, PHP, MYSQL
Tool : Cordova
codeshoppy.com
http://codeshoppy.com/android-ieee-projects-titles-2017-2018.html
Android Youtube Channel
arudhrainnovations.com
contact@codeshoppy.com
9790675343
Comments
Post a Comment