Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/29/2010
12:56 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Duke Researchers: Smartphone Apps Send Private Data Without Notification

Notification came from TaintDroid, a prototype extension to the Android mobile-phone platform

DURHAM, N.C. -- Flicking through a wallpaper app with backgrounds of Mickey Mouse and a tropical waterfall, Peter Gilbert gets a plain, black and white text notification on his smartphone.

A third of the way down the screen it says, “Taint: Phone Number, IMEI, ICCID (sim card identifier).” The message alerts Gilbert that the wallpaper app has sent his phone’s number and other identifying information to imnet.us. Checking online, it appears the address is a website in Shenzhen, China.

The notification came from TaintDroid, a prototype extension to the Android mobile-phone platform designed to identify apps that transmit private data. The phone-based tool monitors how applications access and use privacy sensitive data, such as location, microphone, camera and phone numbers, and provides feedback within seconds of using a newly installed app.

TaintDroid recently identified that 15 of 30 randomly selected, popular, free Android Marketplace applications sent users’ private information to remote advertising servers and two-thirds of the apps handled data in ambiguous ways.

Gilbert, a graduate student in computer science at Duke University, and his adviser, Landon Cox, an assistant computer science professor, helped develop TaintDroid. They collaborated with Jaeyeon Jung, Byung-Gon Chun and Anmol Sheth of Intel Labs, and William Enck and Patrick McDaniel of Penn State University.

“We found it surprising that location information was shared with ad networks without further explanation or notification,” said Jung, lead co-author, along with Enck, of a new study that describes TaintDroid and the team’s results.

The paper will be posted online Sept. 30 as part of the USENIX Symposium on OSDI, or Operating Systems Design and Implementation. Enck will also present the research findings Oct. 6 at the affiliated OSDI conference in Vancouver, BC.

The team found that some applications shared GPS sensor location information with advertisement servers only when displaying ads to the user. Other applications shared location even when the user was not running the application. In some cases, location information was being shared as frequently as every 30 seconds.

The results support and expand upon a controversial SMobile Systems study published in June 2010 which found that 20 percent of the then-available 48,000 third-party applications for the Android operating system provided sensitive or private information to outside sources. In the new study, the team only monitored the Android platform, but the findings suggest that investigating other operating systems is warranted.

“We don’t have the data to say that a majority of third-party apps are untrustworthy. This study, however, is a proof-of-concept to show the value of enhancing smartphone platforms to include real-time monitoring tools like TaintDroid to give users an awareness of how their information is being shared,” Cox said.

Currently, mobile-phone operating systems do offer users some controls to regulate whether an application can access private information. When installing an app, like the wallpaper app, for example, Android asks the user which services and data an app may access, Gilbert says.

If the user chooses not to allow this access, the application cannot be installed. But if the user does install the app, the permission checks don't always explain how these services and data will be used. This forces users to blindly trust that applications will handle private data properly once they are installed, he says.

”The permissions don’t tell the user how their data will be used, and in some cases misused,” Cox adds, noting that in some cases, a privacy violation can occur where services and data are used in ways that are unexpected. Mobile anti-virus packages such as software sold by SMobile Systems can alert users to the presence of previously identified malicious applications, but they do not provide real-time information about where applications send users' data.

TaintDroid uses a scientific technique called "dynamic taint analysis” to mark information of interest with an identifier called a "taint." The taint stays with the information when it is used, and the tracking system then monitors the movement of tainted information, such as the Internet destination of the user’s information. It then sends the user a notification of the movement of information as soon as the app is closed.

“This automatic feedback gives users greater insight into what their mobile applications are doing and could help users decide whether they should consider uninstalling an app,” Gilbert says.

The team plans to make TaintDroid publicly available to continue to improve smartphone application monitoring.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.