Presentation is loading. Please wait.

Presentation is loading. Please wait.

SUPOR : Precise and Scalable Sensitive User Input Detection for Android Apps Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang,

Published byEverett Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "SUPOR : Precise and Scalable Sensitive User Input Detection for Android Apps Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang,"— Presentation transcript:

1 SUPOR : Precise and Scalable Sensitive User Input Detection for Android Apps Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, Guofei Jiang

2 Sensitive Data Disclosures Local Storage USENIX Security 20151 Disclosed to public Hijacked/maliciously retrieved 8/14/15

3 Sensitive Data Existing work focused on sensitive data defined by certain API methods. Most of them are permission protected E.g., in Android, TelephonyManager.getDeviceId() USENIX Security 20152 TaintDroid [OSDI’10], AndroidLeaks [TRUST’12], FlowDroid [PLDI’14] PiOS [NDSS’11] 8/14/15

4 Sensitive User Inputs USENIX Security 20153 We are among the first to detect user inputs as sensitive sources in mobile apps. None of them are permission protected E.g., user id/password, credit card number… Insensitive Sensitive 8/14/15

5 Example User Inputs Disclosures 1EditText txtCN = findViewById(R.id.cardnum); 2String cnum = txtCN.getText().toString(); 3… 1EditText txtCM = findViewById(R.id.comment); 2String comment = txtCM.getText().toString(); 3… Web Server HTTP USENIX Security 201548/14/15

6 Research Problems How to systematically discover the input fields from an app’s UI? How to identify which input fields are sensitive? How to associate the sensitive input fields to the corresponding variables in the apps that store their values? USENIX Security 201558/14/15

7 Intuition From the user’s perspective, if we can mimic how a user looks at the UIs, we can determine which input fields can contain sensitive data within the UI context. USENIX Security 201568/14/15

8 Feasibility Render the statically defined UI layouts USENIX Security 20157 AndroidiOSWindows Phone Layout formatXMLNIB/XIB/StoryboardXAML/HTML Static UI RenderADTXcodeVisual Studio APIs map widgets to codeYes Associate labels to input fields based on physical locations 8/14/15

9 USENIX Security 20158 SUPOR: Sensitive User inPut detectOR 8/14/15

10 Background - UI USENIX Security 20159 Text Label Input Field Input Hint Widget 8/14/15

11 Background – Layout File A piece in an Android layout example. USENIX Security 201510 <EditText android:id="@+id/pwd“ android:inputType=“textPassword”/> Identifier Interesting Attribute 8/14/15

12 Overview of SUPOR USENIX Security 201511 Layout Analysis Layout Parsing UI Rendering UI Sensitiveness Analysis Privacy Analysis Disclosure Keywords … Variable Binding SUPOR Vulnerability App 8/14/15

13 Parsing Layout USENIX Security 201512 We need to know which layout files contain input fields. ? Is Sensitive User Input Detection Needed ? Layout file layout contains input fields layout doesn’t contain input fields 8/14/15

14 Rendering UI USENIX Security 201513 Layout file A Layout file B Statically render layout files to UIs as users look at on smartphones via tools like ADT in Android. 8/14/15

15 Extracting Information USENIX Security 201514 Collect information Text Label Text: Card Number Coordinates: [16, 231, 109, 249] Input Field Hint: 15 or 16 digit Coordinates: [16, 249, 464, 297] 8/14/15

16 UI Sensitiveness Analysis USENIX Security 201515 Sensitive Attributes in Layout Files <EditText android:id="@+id/pwd“ android:inputType=“textPassword”/> The Input Field is Sensitive Yes Sensitive Input Hint Yes Sensitive Text Label The Input Field is Insensitive No 15 or 16 digit MM - YYYY No Yes Card number Expiration date Challenge: How to precisely associate the correlated text label to a given input field? Enter Password Comment 8/14/15

17 Associating Labels (1) Intuition: labels at different positions relative to the input field have different probabilities to be correlated. USENIX Security 201516 Input Field Label Input Field Label Input Field Label Input Field Label 8/14/15

18 Associating Labels (2) Assign position-based weights based on empirical observations The smaller the weight, the closer the correlation USENIX Security 201517 Input Field 0.8 2 48 89 9 10 8/14/15

19 Associating Labels (3) Geometry-based correlation score computation USENIX Security 201518 Label Input Field ( I ) (x1, y1) (x2, y2)  For each pixel ( x, y ) in a text label distance(I, x, y) * posWeight(I, x, y)  Average the correlation score for the text label 8/14/15

20 Associating Labels (4) Find out the label with the smallest correlation score among all potential labels for a given input field USENIX Security 201519 LabelNumber FieldDate Field Credit card type265.57456.42 Card number76.47271.23 Expiration date205.2975.40 Correlation scores 8/14/15

21 Determining Sensitiveness (1) USENIX Security 201520 Sensitive Keywords Dataset Card number Expiration date Comment Matches? Sensitive Insensitive Keyword matching approach 8/14/15 Yes No

22 Determining Sensitiveness (2) Why is keyword matching approach effective? USENIX Security 201521 We only analyze the most relevant text label Small screen and short phrases or sentences 8/14/15

23 Binding Variables (1) USENIX Security 201522 1Widget txtCN = findViewById(X); 2Data cnum = txtCN.getText(); 3// use of “cnum” Identifier: X 8/14/15

24 Binding Variables (2) Challenge: different widgets within one apps have the same identifier USENIX Security 201523 … … txtInput1 = this.findViewById(input1); txtInput2 = this.findViewById(input1); 8/14/15

25 Binding Variables (3) USENIX Security 201524 txtInput1 = this.findViewById(input1); … [layout: billing_information.xml] … [layout: search.xml] txtInput2 = this.findViewById(input1); id/input1 Sensitive Insensitive this.setContentView(billing_information); this.setContentView(search); Sensitive Insensitive 8/14/15

26 Implementation & Evaluation Implemented for Android apps and built on Dalysis [CHEX CCS’12], IBM WALA and ADT. Only input fields of type EditText are analyzed, i.e. other user inputs like checkbox are ignored. Implemented a sensitive user inputs disclosure detection system by combining SUPOR and static taint analysis 16,000 apps were evaluated USENIX Security 2015258/14/15

27 Evaluating UI Sensitiveness Analysis (1) 9,653 apps (60.33%) contains input fields Performance: Average analysis time is 5.7 seconds for one app USENIX Security 2015268/14/15

28 Evaluating UI Sensitiveness Analysis (2) 9,653 apps (60.33%) contains input fields Accuracy Manually examined 40 apps. 115 layouts are rendered and 485 input fields are analyzed. TP: sensitive user inputs are identified as sensitive FP: insensitive user inputs are identified as sensitive FN: sensitive user inputs are identified as insensitive USENIX Security 2015278/14/15

29 Causes for FN and FP USENIX Security 201528 Insufficient context to identify sensitive keywords. False negative: “Answer” vs “Security Answer” False Positive: “Height” of an image file and for a human being Inaccurate text label association False positive: e.g. the long sentence (with keyword “email”) is associated with the “Delivery Instructions” field Input Field Text Label 8/14/15

30 Evaluating Disclosure Analysis For all 16,000 apps USENIX Security 201529 Manually examined 104 apps False positive rate is 8.7% Limitations of underlying taint analysis framework E.g. lack of accurate modeling of arrays Throughput: 11.1 apps/minute A cluster of 8 servers 3 apps are analyzed on each server in parallel 8/14/15

31 Case Studies (1) USENIX Security 201530 com.canofsleep.wwdiary 3 input fields associated with labels “Weight”, “Height” and “Age” are identified sensitive. com.nitrogen.android The 3 marked inputs fields are identified sensitive and their data are disclosed. 8/14/15

32 Case Studies (2) USENIX Security 201531 txtWeight = this.findViewById(R.id.edt_weight); valWeight = txtWeight.getText().toString(); Log.i(“weight”, valWeight); Source Sink Disclosure analysis based on SUPOR Disclosure analysis based on existing approach which directly define certain APIs as sensitive sources. Detected Undetected 8/14/15

33 Conclusion We study the possibility of detecting sensitive user inputs, an important yet mostly neglected sensitive source in mobile apps. USENIX Security 201532 We propose SUPOR, among the first known approaches to detect sensitive user inputs with high recall and precision. Mimics from the user’s perspective by statically and scalably rendering the layout files. Leverages a geometry-based approach to precisely associated text labels to input fields. Utilizes textual analysis to determine the sensitiveness of the texts in labels. We perform a sensitive user inputs disclosure analysis, with FP rate of 8.7%, to demonstrate the usefulness of SUPOR. 8/14/15

34 USENIX Security 201533 Thank You! Q & A 8/14/15

35 Related work A lot of work focus on privacy disclosure problems on predefined sensitive data sources in the phone. [FlowDroid PLDI’14, PiOS NDSS’11, AAPL NDSS’15] USENIX Security 201534 FlowDroid employs a limited form of sensitive input fields— password fields. [PLDI’14] AsDroid checks checks UI text to detect the contradiction between the expected behaviors and program behaviors. [ICSE’14] UIPicker uses supervised learning to collect sensitive keywords and corresponding layouts. It also uses the sibling elements in layout files as the description text for a widget. [USENIX Security’15] 8/14/15

36 Keyword dataset construction Crawl texts from apps’ resource files Adapt NLP techniques to extract nouns and noun phrases from the top 5,000 frequent text lines. Manually inspect top frequent nouns and noun phrases to identify sensitive keywords. 8/14/15USENIX Security 201535

37 Why not use XML structure to compute correlation scores? Many developers defines relative positions of the widgets, which are not what users perceive XML structure in this case does not guarantee that sibling widgets are physically close. USENIX Security 2015368/14/15

38 Why not use XML structure to compute correlation scores? Some cases in real Android apps. USENIX Security 201537 Input 1 Label 1 Input 2 Label 2 8/14/15

Download ppt "SUPOR : Precise and Scalable Sensitive User Input Detection for Android Apps Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang,"

Similar presentations

Android UserInterfaces Nasrullah Niazi. overView All user interface elements in an Android app are built using View and ViewGroup objects. A View is an.

Android UserInterfaces Nasrullah Niazi. overView All user interface elements in an Android app are built using View and ViewGroup objects. A View is an.
Chapter 3: Engage! Android User Input, Variables, and Operations

Chapter 3: Engage! Android User Input, Variables, and Operations
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee and Guofei Jiang CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerability.

Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee and Guofei Jiang CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerability.
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.

Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao University of.
Search Engines and Information Retrieval

Search Engines and Information Retrieval
AutoCog: Measuring the Description-to-permission Fidelity in Android Applications Zhengyang Qu1, Vaibhav Rastogi1, Xinyi Zhang1,2, Yan Chen1, Tiantian.

AutoCog: Measuring the Description-to-permission Fidelity in Android Applications Zhengyang Qu1, Vaibhav Rastogi1, Xinyi Zhang1,2, Yan Chen1, Tiantian.
Internet Resources Discovery (IRD) IBM DB2 Digital Library Thanks to Zvika Michnik and Avital Greenberg.

Internet Resources Discovery (IRD) IBM DB2 Digital Library Thanks to Zvika Michnik and Avital Greenberg.
© 2013 IBM Corporation Efficient Multi-stage Image Classification for Mobile Sensing in Urban Environments Presented by Shashank Mujumdar IBM Research,

© 2013 IBM Corporation Efficient Multi-stage Image Classification for Mobile Sensing in Urban Environments Presented by Shashank Mujumdar IBM Research,
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Tomer Sagi and Avigdor Gal Technion - Israel Institute of Technology Non-binary Evaluation for Schema Matching ER 2012 October 2012, Florence.

Tomer Sagi and Avigdor Gal Technion - Israel Institute of Technology Non-binary Evaluation for Schema Matching ER 2012 October 2012, Florence.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
CS378 - Mobile Computing What's Next?. Fragments Added in Android 3.0, a release aimed at tablets A fragment is a portion of the UI in an Activity multiple.

CS378 - Mobile Computing What's Next?. Fragments Added in Android 3.0, a release aimed at tablets A fragment is a portion of the UI in an Activity multiple.
Mining and Summarizing Customer Reviews

Mining and Summarizing Customer Reviews
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
Supporting the Automatic Construction of Entity Aware Search Engines Lorenzo Blanco, Valter Crescenzi, Paolo Merialdo, Paolo Papotti Dipartimento di Informatica.

Supporting the Automatic Construction of Entity Aware Search Engines Lorenzo Blanco, Valter Crescenzi, Paolo Merialdo, Paolo Papotti Dipartimento di Informatica.
D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,

D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources Boxuan Gu, Xinfeng Li, Gang Li, Adam C. Champion,
Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.

Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.
Title Extraction from Bodies of HTML Documents and its Application to Web Page Retrieval Microsoft Research Asia Yunhua Hu, Guomao Xin, Ruihua Song, Guoping.

Title Extraction from Bodies of HTML Documents and its Application to Web Page Retrieval Microsoft Research Asia Yunhua Hu, Guomao Xin, Ruihua Song, Guoping.
Characteristic Studies of User- Perceived Information in Security Analysis Wei Yang Univ. of Illinois.

Characteristic Studies of User- Perceived Information in Security Analysis Wei Yang Univ. of Illinois.

Similar presentations

Ads by Google