HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps •...

17
HideMyApp: Hiding the Presence of Sensitive Apps on Android Anh Pham 1,2 , Italo Dacosta 1 , Eleonora Losiouk 3 , John Stephan 1 , Kévin Huguenin 4 , Jean-Pierre Hubaux 1 1 EPFL 2 ABB Switzerland 3 Uni. of Padova 4 Uni. of Lausanne

Transcript of HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps •...

Page 1: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

HideMyApp: Hiding the Presence of Sensitive Apps on Android

Anh Pham1,2, Italo Dacosta1, Eleonora Losiouk3, John Stephan1, Kévin Huguenin4, Jean-Pierre Hubaux1

1EPFL2ABB Switzerland

3Uni. of Padova4Uni. of Lausanne

Page 2: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Mobile Health (mHealth)

!2

Page 3: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Privacy Threat: Apps Fingerprinting Other Apps

!3

Third-Party Servers

Installed Apps: ‣ Diabetes‣ Depression‣ Cancer‣ …

The presence of an app already reveals sensitive information

Page 4: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Research Questions

!4

Apps’ interest in fingerprinting other apps

Our solution (HideMyApp)

Fingerprintability of apps

Page 5: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Fingerprintability of Apps

!5

Java API Framework Linux-Layer Interface

w/o Permissions

w/ Permissions

w/ Default Privilege

w/ Debugging Privilege

Page 6: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Fingerprintability of Apps

Package name

Components’ names

Label

Resources

Permissions

Theme

Icon

!6

Default privilege + No permissions

Page 7: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Fingerprintability of Apps

Default privilege + No permissions

!7

• To retrieve the list of installed apps:- getInstalledApplications()- getInstalledPackages()

• To check if a specific app is installed:- getResourcesForApplication()- getPackageInfo()- ….

Package name

Removing methods or adding permissions is complicated.

Page 8: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Apps Inquiring about Other Apps

• Analysis on 2917 popular APKs from Google Play

• Static and dynamic analysis

!8

• 19.2% to 57% of apps query for the list of installed apps

• Most requests come from third-party libs

• Free apps query for the list of installed apps more than paid apps

Apps want to fingerprint other apps and millions of users are affected.

Page 9: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Apps’ Compliance w/ Privacy GuidelinesFrom Google privacy guidelines: - A list of installed apps (LIA) is sensitive- Apps collecting LIA w/o users’ consent are classified as Mobile Unwanted Software

!9

• Only 162 apps inform users about LIA collection

• 76 apps state that LIA is non-sensitive

• From 2917 APKs, collected 2499 privacy policies

Lack of effective protection mechanisms

Page 10: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Our Solution: HideMyApp (HMA)

!10

App Store (controlled by hospitals)

• To host apps developed by the hospitals

• To (un)install and update apps

• To launch apps installed from the App Store

Page 11: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Adversarial Model

!11

• Wants to learn if a specific app is installed • Is nosy

- Has default app privilege- Has all dangerous permissions

• Trusted and secure• Trusted and secure

App Store (controlled by hospitals)

Page 12: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

HMA Overview

!12

Request to retrieve an mHealth app

A container app

• Has a generic package name

• Obfuscated- Static information- Runtime information

App Store (controlled by hospitals)

Page 13: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Obfuscation: Static Information

Generic package name

Randomized names for components

Generic label

Resources loaded from the APK at runtime

Permissions Generic icon

!13

Homogenized theme

Page 14: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Evaluation: Dataset

• 50 mHealth apps from Google Play

• Chosen based on their popularity, sensitivity and functionality

• Examples:

!14

Beurer HealthManager Cancer.Net Mobile What's Up? - Mental Health

Page 15: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Evaluation Criteria and Implementation

• Implementation: [1]- HMA App Store- Manager App- Rely on DroidPlugin library for user-level virtualization [2]

!15

Compatibility w/ apps UsabilityPerformance overhead

[1] https://hma.epfl.ch[2] https://github.com/DroidPluginTeam/DroidPlugin

Page 16: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Cold-Start Delays: w/ and w/o HMA

!16

Cold-start delays are less than 3 s

Page 17: HideMyApp: Hiding the Presence of Sensitive Apps on Android · Apps Inquiring about Other Apps • Analysis on 2917 popular APKs from Google Play • Static and dynamic analysis!8

Conclusions• Apps can and do fingerprint other apps

- 57% of apps query for the list of apps

• Existing solutions are ineffective

• HMA: the first solution for hiding apps- Compatible with existing apps- Effective and usable- Runs on stock Android devices

!17

Installed Apps:

‣ Diabetes‣ Depression‣ Cancer‣ …

Installed Apps:

‣ App-1‣ App-2‣ App-3‣ …

w/o HMA

w/ HMA

https://hma.epfl.ch