X-Decaf : Android平台社交类应用的缓存文件泄露检测

doi:10.11999/JEIT160555

摘要
图/表
参考文献(16)
相关文章 (15)

全文: PDF (511 KB)
输出: BibTeX | EndNote (RIS)

摘要

由于社交类应用涉及的隐私数据类型非常多，导致这类应用在被广泛使用的同时，频繁出现用户隐私泄露事件，但是目前还鲜有针对社交应用的隐私泄露检测机制的研究。该文结合Android系统的特性，提出一个面向Android社交类应用检测框架X-Decaf(Xposed-based-detecting-cache-file)，创新性地利用污点追踪技术以及Xposed框架，获取应用内疑似泄露路径，监测隐私数据的缓存文件。此外，该文给出了对隐私泄露进行评级的建议，并利用该框架对50款社交类应用进行了检测，发现社交类应用普遍存在泄露用户隐私信息的漏洞。

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	李晖
	王斌
	张文
	汤祺
	张艳丽

关键词 ：隐私泄露, 污点追踪, 缓存文件, Xposed, Android系统

Abstract：

Since social applications involve various types of information related to the user privacy, events of privacy leakage occur frequently along with their popular applications and few studies are available on the privacy leakage detection for social applications. With the combination of the characteristics of the Android system as well as the exploitation of the taint tracking technology and Xposed framework, a privacy leakage detection tool named X-Decaf (Xposed-based-detecting-cache-file) is proposed, which is oriented to social applications on Android platform. It suspects the leakage paths within the applications and detects the privacy data’s cache files. This paper also presents a suggestion for the evaluation of the privacy leakage. Evaluation results of 50 kinds of Android social applications show that many vulnerabilities of user privacy leakage exist in the social applications on Android platform.

Key words： Privacy leakage Taint tracking Cache file Xposed Android system

收稿日期: 2016-05-28 出版日期: 2016-12-14

PACS:

TP309

基金资助:

国家自然科学基金资助(61370195)，中兴通讯产学研项目

通讯作者: 王斌 E-mail: wangbin_bupt@163.com

作者简介: 李晖：女，1970年生，副教授，硕士生导师，研究方向为密码学及其应用、移动通信安全、智能终端安全. 王斌：男，1992年生，硕士生，研究方向为智能终端安全、移动操作系统安全和软件安全. 张文：男，1982年生，博士生，研究方向为智能终端安全、移动操作系统安全和软件安全. 汤祺：女，1991年生，硕士生，研究方向为智能终端安全、移动操作系统安全和软件安全. 张艳丽：女，1990年生，硕士生，研究方向为智能终端安全、移动操作系统安全和软件安全.

引用本文:

李晖,王斌,张文,汤祺,张艳丽. X-Decaf : Android平台社交类应用的缓存文件泄露检测[J]. 电子与信息学报, 2017, 39(1): 66-74. LI Hui, WANG Bin, ZHANG Wen, TANG Qi,ZHANG Yanli. X-Decaf : Detection of Cache File Leaks in Android Social Apps. JEIT, 2017, 39(1): 66-74.

链接本文:

http://jeit.ie.ac.cn/CN/10.11999/JEIT160555 或 http://jeit.ie.ac.cn/CN/Y2017/V39/I1/66

[1]	ZHANG Y, YANG M, YANG Z, et al. Permission use analysis for vetting undesirable behaviors in android apps[J]. IEEE Transactions on Information Forensics and Security, 2014, 9(11): 1828-1842. doi: 10.1109/TIFS.2014.2347206.
[2]	SHEBARO B, OLUWATIMI O, and BERTINO E. Context- based access control systems for mobile devices[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 12(2): 150-163. doi: 10.1109/TDSC.2014.2320731.
[3]	NAUMAN M, KHAN S, OTHMAN A T, et al. Realization of a user-centric, privacy preserving permission framework for Android[J]. Security and Communication Networks, 2015, 8(3): 368-382. doi: 10.1002/sec.986.
[4]	WU L, DU X, and ZHANG H. An effective access control scheme for preventing permission leak in Android[C]. 2015 International Conference on Computing, Networking and Communications (ICNC), IEEE, Anaheim, CA, USA, 2015: 57-61. doi: 10.1109/ ICCNC.2015.7069315.
[5]	LU L, LI Z, WU Z, et al. Chex: Statically vetting android apps for component hijacking vulnerabilities[C]. Proceedings of the 2012 ACM Conference on Computer and Communications Security, North Carolina, USA, 2012: 229-240.
[6]	TAN J, DROLIA U, MARTINS R, et al. Short paper: Chips: Content-based heuristics for improving photo privacy for smartphones[C]. Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks. Oxford, UK, 2014: 213-218. doi: 10.1145/2627393.2627394.
[7]	NAVEED M, ZHOU X, DEMETRIOU S, et al. Inside job: Understanding and mitigating the threat of external device mis-binding on Android[C]. Network and Distributed System Security Symposium, San Diego, California, USA, 2014. doi: 10.14722/ndss.2014.23097.
[8]	RAHMAN M, BALLESTEROS J, CARBUNAR B, et al. Toward preserving privacy and functionality in geosocial networks[C]. Proceedings of the 19th ACM Annual International Conference on Mobile Computing & Networking, Miami, Florida, USA, 2013: 207-210.
[9]	FAWAZ K, FENG H, and SHIN K G. Anatomization and protection of mobile apps’ location privacy threats[C]. 24th USENIX Security Symposium (USENIX Security 15). Washington, D.C., USA, 2015: 753-768.
[10]	YAN L, GUO Y, and CHEN X. SplitDroid: isolated execution of sensitive components for mobile applications[C]. International Conference on Security and Privacy in Communication Systems. Springer International Publishing, Dallas, TX, USA, 2015: 78-96.
[11]	TRIPP O and RUBIN J. A Bayesian approach to privacy enforcement in smartphones[C]. 23rd USENIX Security Symposium (USENIX Security 14). California, USA, 2014: 175-190.
[12]	ENCK W, GILBERT P, HAN S, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones[J]. ACM Transactions on Computer Systems (TOCS), 2014, 32(2): 5. doi: 10.1145/ 2619091.
[13]	HSIAO S W, HUNG S H, CHIEN R, et al. PasDroid: real- time security enhancement for Android[C]. 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), Birmingham, UK, 2014: 229-235.
[14]	BAL G, KAI R, and HONG J I. Styx: Privacy risk communication for the Android smartphone platform based on apps' data-access behavior patterns[J]. Computers & Security, 2015, 53: 187-202.
[15]	CUI X, YU D, CHAN P, et al. Cochecker: Detecting capability and sensitive data leaks from component chains in android[C]. Information Security and Privacy. Springer International Publishing, Wollongong, NSW, Australia, 2014: 446-453.
[16]	ZHANG M and YIN H. Efficient, context-aware privacy leakage confinement for android applications without firmware modding[C]. Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security. Kyoto, Japan, 2014: 259-270.