Android apps can conspire to mine information from your smartphone

April 03, 2017

Mobile phones have increasingly become the repository for the details that drive our everyday lives. But Virginia Tech researchers have recently discovered that the same apps we regularly use on our phones to organize lunch dates, make convenient online purchases, and communicate the most intimate details of our existence have secretly been colluding to mine our information.

Associate Professor Daphne Yao and Assistant Professor Gang Wang, both in the Department of Computer Science in Virginia Tech's College of Engineering, are part of a research team that conducted the first-ever large-scale and systematic study of exactly how the trusty apps on Android phones are able to talk to one another and trade information.

Yao will present the team's findings in Dubai at the Association for Computing Machinery Asia Computer and Communications Security Conference on April 3.

"Researchers were aware that apps may talk to one another in some way, shape, or form," said Wang. "What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone."

The types of threats fall into two major categories, either a malware app that is specifically designed to launch a cyberattack or apps that simply allow for collusion and privilege escalation. In the latter category, it is not possible to quantify the intention of the developer, so collusion, while still a security breach, can in many cases be unintentional.

To test pairs of apps, the team developed a tool called DIALDroid to perform their massive inter-app security analysis. The study, funded by the Defense Advanced Research Projects Agency as part of its Automated Program Analysis for Cybersecurity initiative, took 6,340 hours using the newly developed DIALDroid software, a task that would have taken considerably longer without it.

The paper's first author, Amiangshu Bosu, an assistant professor at Southern Illinois University, spearheaded the software development effort and the push to release the code to the wider research community. Fang Liu, a fifth-year Ph.D. candidate studying under Yao, also contributed to the malware detection research.

"Our team was able to exploit the strengths of relational databases to complete the analysis, in combination with efficient static program analysis, workflow engineering and optimization, and the utilization of high performance computing. Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data," said Yao, who is both an Elizabeth and James E. Turner Jr. '56 and L-3 Faculty Fellow.

The team studied a whopping 110,150 apps over three years, including 100,206 of Google Play's most popular apps and 9,994 malware apps from Virus Share, a private collection of malware app samples. The setup for cybersecurity leaks works when a seemingly innocuous sender app, like that handy and ubiquitous flashlight app, works in tandem with a receiver app to divulge a user's information, such as contacts or geolocation, or to provide access to the web.

The team found that the biggest security risks were some of the least utilitarian: apps that pertained to the personalization of ringtones, widgets, and emojis.

"App security is a little like the Wild West right now with few regulations," said Wang. "We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end. While we can't quantify what the intention is for app developers in the non-malware cases we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought much about what they were downloading onto their phones."


Virginia Tech
