Characteristic Studies of User-Perceived Information in Security Analysis, Wei Yang, Univ. of Illinois


  • Slide 1: Characteristic Studies of User-Perceived Information in Security Analysis, Wei Yang, Univ. of Illinois
  • Slide 2: An Aesop's Fable
  • Slide 3: Security Warnings
  • Slide 4: Users stop paying attention. When a security dialog does contain information that could alert users to a real risk, they are less likely to notice it.
  • Slide 5: Why So Many Warnings?
    • Existing techniques report all security/privacy-sensitive operations.
    • Security is conservative.
    • The computer is unable to tell what is malicious and what is expected.
  • Slide 6: Automating part of manual efforts
    • Mimicking the human analysis process by leveraging user-perceived information.
    • Existing work: AsDroid (UI text), WHYPER (app description), CHABADA (app description), others (user reviews, category, ratings, etc.).
    • Diagram: Contextual Information (User Perceived) → Functionality; Technical Information (User/Inspectors Knowledge) → Expected Behavior; Infer Program Behavior; Compare.
  • Slide 7: Is User-Perceived Information Effective?
    • Literature survey: what type of user-perceived information is used, how it is used, and how effective the technique is in each piece of literature.
    • Empirical study: Which commonly used permissions have permission uses that are often reflected by user-perceived information? Which types of user-perceived information are often used to reflect these permission uses? How does this user-perceived information reflect the purpose of the permission uses?
  • Slide 8: Taxonomy of User-Perceived Information
    • Meta information: app name, permissions, category, number of installs, ratings, package name, app developers.
    • UI information
      • UI text/icon:
        • Texts/icons on the button triggering permission uses
        • Texts/icons on the surrounding labels
        • Texts/icons on the subsequent screen after the UI actions: transitional screen (middle of the screen); other screen (top of the screen, e.g., titles)
        • Texts/icons at other places that can indicate the permission uses or the app functionality using the permissions
      • UI layout: previous/current/subsequent screen layout
    • Descriptive information: description, reviews
  • Slide 9: Study Methodology
    • Manually explore all the functionality of the app.
    • Log the functionality and the user-perceived information if a permission is used.
    • Verify the information by second authors.
    • Diagram: Exploring → Logging → Verifying
  • Slide 10: Exploring
    • Priorities of UI actions on the same screen: text entering; check options (e.g., CheckBox, RadioButton); clicks; gestures (e.g., swipe, drag).
    • Strategy for navigation among multiple screens: depth-first search.
  • Slide 11: Logging
    • Instrument and rebuild the Android system to log the permission uses.
    • Manually log all the user-perceived information when permission uses occur.
    • Timestamps are used to build the link between UI actions and permission uses.
    • Manually check which user-perceived information reflects the permission uses.
  • Slide 12: Verifying
    • Second authors repeat the logging process to verify the results.
  • Slide 13: Preliminary Finding
    • Existing techniques mainly use textual and numerical data in user-perceived information.
    • They apply textual analysis and statistical analysis techniques to these data.
  • Slide 14: Preliminary Finding
    • Sensitive operations are more frequently reflected from interfaces (e.g., READ_SMS).
    • Common permissions are less likely to be reflected from interfaces (e.g., INTERNET).
    • Permission: reflected from interfaces?
      • READ_EXTERNAL_STORAGE: Y (>80%)
      • READ_PHONE_STATE: N (80%)
      • RECEIVE_SMS: Y (>80%)
      • VIBRATE: N (
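The timestamp-based linking between UI actions and permission uses from the Logging slide, as an added example that is not the talk's own code: both logs are constructed here, and the log line format and the 2-second attribution window are assumptions.

```python
"""Link instrumented permission-use events to the manually logged UI actions
that preceded them, using timestamps (added example, not from the talk)."""
from datetime import datetime, timedelta

# Constructed sample logs. Assumed format: ISO timestamp, kind, detail.
UI_LOG = """\
2015-03-01T10:00:01.200 UI click button 'Send message'
2015-03-01T10:00:05.900 UI click button 'Share location'
2015-03-01T10:00:09.000 UI swipe screen 'Gallery'
"""
PERM_LOG = """\
2015-03-01T10:00:01.450 PERM android.permission.SEND_SMS
2015-03-01T10:00:06.100 PERM android.permission.ACCESS_FINE_LOCATION
2015-03-01T10:00:09.300 PERM android.permission.READ_EXTERNAL_STORAGE
2015-03-01T10:00:20.000 PERM android.permission.INTERNET
"""


def parse(log):
    """Turn 'timestamp kind detail' lines into (datetime, kind, detail) rows."""
    rows = []
    for line in log.splitlines():
        ts, kind, detail = line.split(" ", 2)
        rows.append((datetime.fromisoformat(ts), kind, detail))
    return rows


def link_uses_to_actions(ui_log, perm_log, window=timedelta(seconds=2)):
    """Attribute each permission use to the most recent UI action that
    happened at most `window` before it. A use with no such action is
    returned with cause None: it was not triggered by a visible UI step,
    so no on-screen text can reflect it (a candidate for the 'N' column)."""
    actions = sorted(parse(ui_log))
    links = []
    for ts, _, perm in sorted(parse(perm_log)):
        cause = None
        for a_ts, _, action in reversed(actions):
            if a_ts <= ts:                 # latest action before the use
                if ts - a_ts <= window:    # close enough to be its trigger
                    cause = action
                break
        links.append((perm, cause))
    return links


def unlinked_permissions(links):
    """Permissions with at least one use that no UI action explains."""
    return {perm for perm, cause in links if cause is None}
```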