An Empirical Study on Android for Saving Non-shared Data on Public Storage

Abstract : With millions of apps provided from official and third-party markets, Android has become one of the most active mobile platforms in recent years. These apps facilitate people’s lives in a broad spectrum of ways but at the same time touch numerous users’ information, raising huge privacy concerns. To prevent leaks of sensitive information, especially from legitimate apps to malicious ones, developers are encouraged to store users’ sensitive data into private folders which are isolated and securely protected. But for non-sensitive data, there is no specific guideline on how to manage them, and in many cases, they are simply stored on public storage which lacks fine-grained access control and is almost open to all apps.Such storage model appears to be capable of preventing privacy leaks, as long as the sensitive data are correctly identified and kept in private folders by app developers. Unfortunately, this is not true in reality. In this paper, we carry out a thorough study over a number of Android apps to examine how the sensitive data are handled, and the results turn out to be pretty alarming: most of the apps we surveyed fail to handle the data correctly, including extremely popular apps. Among these problematic apps, some directly store the sensitive data into public storage, while others leave non-sensitive data on public storage which could give out users’ private information when being combined with data from other sources. An adversary can exploit these leaks to infer users’ location, friends and other information without requiring any critical permission. We refer to both types of data as “non-shared” data, and argue that Android’s storage model should be refined to protect the non-shared data if they are saved to public storage. In the end, we propose several approaches to mitigate such privacy leaks.
Type de document :
Communication dans un congrès
Hannes Federrath; Dieter Gollmann. 30th IFIP International Information Security Conference (SEC), May 2015, Hamburg, Germany. IFIP Advances in Information and Communication Technology, AICT-455, pp.542-556, 2015, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-18467-8_36〉
Liste complète des métadonnées

Littérature citée [20 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01345145
Contributeur : Hal Ifip <>
Soumis le : mercredi 13 juillet 2016 - 11:14:51
Dernière modification le : mercredi 13 juillet 2016 - 11:18:40

Fichier

337885_1_En_36_Chapter.pdf
Fichiers produits par l'(les) auteur(s)

Licence


Distributed under a Creative Commons Paternité 4.0 International License

Identifiants

Citation

Xiangyu Liu, Zhe Zhou, Wenrui Diao, Zhou Li, Kehuan Zhang. An Empirical Study on Android for Saving Non-shared Data on Public Storage. Hannes Federrath; Dieter Gollmann. 30th IFIP International Information Security Conference (SEC), May 2015, Hamburg, Germany. IFIP Advances in Information and Communication Technology, AICT-455, pp.542-556, 2015, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-18467-8_36〉. 〈hal-01345145〉

Partager

Métriques

Consultations de la notice

98

Téléchargements de fichiers

16