On the effectiveness of dynamic taint analysis for protecting against private information leaks on Android-based devices

Golam Sarwar, Olivier Mehani, Roksana Boreli, Mohamed Ali Kaafar

Research output: Chapter in Book/Report/Conference proceeding; Conference proceeding contribution; peer-review

79 Citations (Scopus)

Abstract

We investigate the limitations of using dynamic taint analysis for tracking privacy-sensitive information on Android-based mobile devices. Taint tracking keeps track of data as it propagates through variables, interprocess messages and files, by tagging them with taint marks. A popular taint-tracking system, TaintDroid, uses this approach in Android mobile applications to mark private information, such as device identifiers or the user's contact details, and subsequently issue warnings when this information is misused (e.g., sent to an undesired third party). We present a collection of attacks on Android-based taint tracking. Specifically, we apply generic classes of anti-taint methods in a mobile device environment to circumvent this security technique. We have implemented the presented techniques in an Android application, ScrubDroid. We successfully tested our app with the TaintDroid implementations for Android OS versions 2.3 to 4.1.1, both using the emulator and with real devices. Finally, we evaluate the success rate and time to completion of the presented attacks. We conclude that, although taint tracking may be a valuable tool for software developers, it will not effectively protect sensitive data from the black-box code of a motivated attacker applying any of the presented anti-taint tracking methods.

Original language: English
Title of host publication: SECRYPT 2013
Subtitle of host publication: Proceedings of the 10th International Conference on Security and Cryptography
Editors: Pierangela Samarati
Place of Publication: Piscataway, NJ
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Pages: 461-468
Number of pages: 8
ISBN (Electronic): 9789897581311
Publication status: Published - 2013
Externally published: Yes
Event: 10th International Conference on Security and Cryptography, SECRYPT 2013 - Part of 10th International Joint Conference on E-Business and Telecommunications, ICETE 2013 - Reykjavik, Iceland
Duration: 29 Jul 2013 - 31 Jul 2013

Conference

Conference: 10th International Conference on Security and Cryptography, SECRYPT 2013 - Part of 10th International Joint Conference on E-Business and Telecommunications, ICETE 2013
Country/Territory: Iceland
City: Reykjavik
Period: 29/07/13 - 31/07/13

Keywords

  • Android
  • Anti-taint-analysis
  • Anti-taintdroid
  • Dynamic taint analysis
  • Malware
  • Privacy
