UIPicker: User-Input Privacy Identification in Mobile Applications
Yuhong Nan, Min Yang, Zhemin Yang, and Shunfan Zhou, Fudan University; Guofei Gu, Texas A&M University; Xiaofeng Wang, Indiana University Bloomington
Identifying sensitive user inputs is a prerequisite for privacy protection. When it comes to today’s program analysis systems, however, only those data that go through well-defined system APIs can be automatically labelled. In our research, we show that this conventional approach is far from adequate, as most sensitive inputs are actually entered by the user at an app’s runtime: we inspect 17,425 top apps from Google Play and find that 35.46% of them involve sensitive user inputs. Manually marking them involves a lot of effort, impeding a large-scale, automated analysis of apps for potential information leaks. To address this important issue, we present UIPicker, an adaptable framework for automatic identification of sensitive user inputs. UIPicker is designed to detect the semantic information within the application layout resources and program code, and further analyze it for the locations where security-critical information may show up. This approach can support a variety of existing security analyses on mobile apps. We further develop a runtime protection mechanism on top of the technique, which helps the user make informed decisions when her sensitive data is about to leave the device in an unexpected way. We evaluate our approach over 200 randomly selected popular apps on Google Play. UIPicker is able to accurately label sensitive user inputs most of the time, with 93.6% precision and 90.1% recall.
author = {Yuhong Nan and Min Yang and Zhemin Yang and Shunfan Zhou and Guofei Gu and XiaoFeng Wang},
title = {{UIPicker}: {User-Input} Privacy Identification in Mobile Applications},
booktitle = {24th USENIX Security Symposium (USENIX Security 15)},
year = {2015},
isbn = {978-1-939133-11-3},
address = {Washington, D.C.},
pages = {993--1008},
url = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/nan},
publisher = {USENIX Association},
month = aug
}