Detecting personally identifiable information transmission in android applications using light-weight static analysis

Abstract

This convenience of mobile devices has driven significant growth in the volume of personal information users store on their devices as well as everyday mobile application usage. However, users are becoming increasingly aware of the access these applications have to their personal information and the risk that applications may transmit Personally Identifiable Information (PII) to external servers, sometimes unknowingly to users. There is no easy way to know whether or not an application transmits PII. If this information could be made available to users as early as when they are browsing application markets looking for new applications to install on their devices, they can weigh the pros and cons to make an informed decision on the associated risk of their private information potentially being exposed. Previously, detection of PII transmission has been tackled using heavy-weight techniques such as static code analysis and dynamic behavior analysis requiring from several minutes to hours of testing and analysis per application. In constrast, we propose using light-weight methods to extract features that we then use to develop a classification model to detect PII transmission in under a minute with performance that rivals the heavy-weight techniques. We evaluate our model using an extensive set of more than 8700 top-ranked Android applications. Our approach is precise and fast, making it suitable for real-time detection and analysis of PII transmission in mobile applications.