A Comprehensive Study of Privacy Leakage Vulnerability in Android App Logs

Abstract

Android is the most popular mobile operating system, which attracts countless users. However, Android app logs, which record Android runtime information, are often overlooked in privacy leakage vulnerability research. Existing studies on privacy leakage vulnerabilities in Android apps primarily focus on static and dynamic analysis, with a lack of comprehensive studies specifically addressing privacy leakage vulnerabilities in Android app logs. In this paper, we propose to conduct a comprehensive study to fill this research gap. Our study includes two aspects: (1) gathering real-world developers' views on privacy leakage vulnerabilities in Android app logs and (2) exploring the status of privacy leakage vulnerabilities in the latest Android app logs. Our preliminary results indicate the potential of this study.

Similar Papers
  • Conference Article
  • Citations: 2
  • DOI: 10.1109/icws55610.2022.00043
Privacy Leakage Vulnerability Detection for Privacy-Preserving Computation Services
  • Jul 1, 2022
  • Su Zhang + 1 more

Privacy leakage is a forever critical issue for data sharing and cooperation. Therefore, many Privacy-Preserving-Computation-aimed services (PPCS) are published to provide a secure environment in which data can be processed in its encrypted or opaque state by specific programs (i.e. PPCS programs). However, PPCS programs still face the risk of privacy leakage due to intentionally or carelessly designed privacy leakage vulnerabilities (PLVs) that may leak sensitive data in the returned result. Unfortunately, traditional PLV-detection approaches like quantitative estimation and taint analysis become inefficient for these PLVs due to the extremely large input domain and the complex data-processing logic of PPCS programs. In this paper, we propose a fuzzing-based approach named FuzzLeaks to detect PLVs. It uses coverage-oriented fuzz testing to generate test cases for checking PPCS programs and thus to carry out leakage estimation to detect PLVs. It effectively quantifies privacy leakage under the extremely large input domain via path-sensitive byte-level entropy analysis, and handles the complex data-processing logic via input mutation based on dynamic information flow analysis. We implement FuzzLeaks and validate it on the PLDA data set and the LAVA-M data set. The experimental results show that FuzzLeaks outperforms traditional approaches in accuracy by 35.72% on the PLDA dataset, and the dynamic-analysis-based mutation guidance adopted by FuzzLeaks can even result in 50 more non-PLV bugs found on the LAVA-M data set.

  • Conference Article
  • Citations: 1
  • DOI: 10.1145/3026724.3026731
SymFinder
  • Dec 28, 2016
  • Yu Su + 3 more

The Android system has a large number of users and application markets, but its security situation is worrying. Unlike most PC apps, Android apps manipulate private information such as contacts and SMS messages, and leakage of such information may cause great loss to Android users. Thus, detecting privacy leakage on Android is urgently needed. In this paper, we propose a new approach called SymFinder, which detects privacy leakage vulnerabilities on Android with reverse symbolic execution technology. Unlike dynamic approaches, SymFinder analyzes applications without the need for code execution. Thus, it has higher coverage and a lower false negative rate for vulnerabilities, and can avoid the path explosion problem of dynamic analysis. Besides, SymFinder can increase the accuracy of vulnerability analysis and reduce the false positive rate by recognizing invalid and inaccessible sensitive paths. Experimental results show that SymFinder can detect the existence of 14 real privacy leakages in a provided set of 100 applications.

  • Conference Article
  • Citations: 14
  • DOI: 10.1109/icc.2017.7996335
Automatic privacy leakage detection for massive android apps via a novel hybrid approach
  • May 1, 2017
  • Hongyi Chen + 3 more

Android apps frequently leak private data off the device, with or without intention. Researchers have proposed a large number of methods, for example static and dynamic analysis methods, to pick out the apps which tend to leak private data. However, they are only able to identify part of the private data leakage vulnerabilities, due to dynamic features in the code or the code coverage problem. This paper presents a novel hybrid approach that can find more private data leakages than the existing static or dynamic methods. The approach, realized in a tool called HybriDroid, employs both static and dynamic analysis methods to extract a model of each app, and then refines the behavior model to a more adequate one according to the dynamic analysis result. As a consequence, HybriDroid inherits the advantages of both static and dynamic analysis methods: it not only achieves high code coverage, but can also deal with dynamic features in the code. The evaluation results show that HybriDroid is effective in detecting privacy leakages for both inter- and intra-app communication. Compared with the existing methods, it achieves considerable improvements in data leakage detection performance, with 97.8% precision and 90% recall on the selected apps from the DroidBench 3.0 test suite.

  • Conference Article
  • Citations: 12
  • DOI: 10.1109/icces48766.2020.9137886
A Survey of Privacy Leakage and Security Vulnerabilities in the Internet of Things
  • Jun 1, 2020
  • Amit Kumar Tyagi + 1 more

In this world, where everything around us is linked with technology, be it smart homes, smart cities, smart cars, etc., Internet of Things (IoT) or Internet Connected Things (ICT) devices are connected everywhere today and are used to build a smart environment (together with the physical world). In fact, these internet-linked gadgets have made our lives extremely easy, secure, and quick. But, using such devices in daily life, people are very much concerned about "their personal information". So a question is raised here: "Is it (personal information) safe with these (such) devices?" When these devices are connected together, they build an ecosystem for human beings/for various applications. A lot of data is being captured and transformed into valuable forms, which is used in the future to increase productivity by firms/organisations (in many application areas), ranging from automated home appliances, smart grids and high-resolution assets, to product management. This captured and collected data creates several issues, so it requires new/useful strategies for enhancing the present status of IoT by incorporating (or overcoming) security and privacy in its current design, structure and implementation. Hence, this article explains such issues (in IoT), like privacy breaches, security vulnerabilities, etc., in a clear manner.

  • Conference Article
  • Citations: 1
  • DOI: 10.1145/3691620.3695340
From Logging to Leakage: A Study of Privacy Leakage in Android App Logs
  • Oct 27, 2024
  • Zhiyuan Chen + 5 more

Android phones are among the most popular mobile devices today, providing users with a wide array of convenient services through various apps. These apps generate software logs during their runtime, which record their behavior, status, and error information. However, these logs can also inadvertently capture sensitive information and user privacy data, often without the developer's awareness. In this study, we constructed a dataset comprising 67,702 log records from 83 Android apps. Our analysis of this dataset identified 610 instances of privacy leakage, which indicates the prevalence of such issues in Android app logs. Additionally, our analysis identified characteristics of Android app logs with exposed sensitive information and revealed a gap between developers' awareness of privacy protection and privacy leakage in real-world scenarios.

  • Conference Article
  • DOI: 10.1145/3663529.3664461
Studying Privacy Leaks in Android App Logs
  • Jul 10, 2024
  • Zhiyuan Chen

Privacy leakage in software logs, especially in Android apps, has become a major concern. While the significance of software logs in debugging and monitoring software state is well recognized, the exponential growth in log size has led to challenges in identifying unexpected information, including sensitive user information. This paper provides a comprehensive study of privacy leakage in Android app logs to address the lack of extensive research in this area. From a dataset constructed from PlayDrone-selected Android apps, we analyze privacy leaks, detect instances of privacy leakage, and identify third-party libraries that are implicated. The findings highlight the prevalence of privacy leaks in Android app logs, with implications for user security and potential economic losses. This study emphasizes the need for developers to be more aware and take proactive measures to protect user privacy in software logging practices.

  • Research Article
  • Citations: 2
  • DOI: 10.1109/tdsc.2021.3091654
Secure Repackage-Proofing Framework for Android Apps Using Collatz Conjecture
  • Sep 1, 2022
  • IEEE Transactions on Dependable and Secure Computing
  • Haoyu Ma + 3 more

App repackaging has been raising serious concerns about the health of the Android ecosystem, and repackage-proofing is an important mitigation against the threat of such attacks. However, existing app repackage-proofing schemes were only evaluated against trivial adversaries simulated using analyzers built for other purposes (e.g., disclosing privacy leakage vulnerabilities), hence were shown "effective" mainly because their key programming features were not even supported by those toolkits. Furthermore, existing works have also neglected dynamic adversaries capable of manipulating victim apps at runtime, making them vulnerable against such stronger opponents. In this article, we propose a novel repackage-proofing framework, which deploys distributed detection and response sites into the subject app's native partition to cross-verify all its code files. The detection sites transmit the obtained integrity metrics to response sites via secure communication channels built on the subject app's own control flows using a specialized obfuscation technique based on the Collatz conjecture, turning the repackage-proofing process into complicated implicit flows that are intrinsically difficult to resolve due to the conjecture's nonlinear dynamical behaviors. We evaluated our framework using sophisticated Android data-flow analyzers. Results showed that our prototype effectively impeded analyses aiming to trace the information flows of its cross-verification.
