A recent test of prototype security code for Android phones found that 15 of 30 free Android Market applications sent users' private information to remote advertising servers, without the users being aware of what was being sent or to whom. In some cases, the user's location data was sent as often as every 30 seconds.
The software, called TaintDroid, was designed to uncover how user-permitted applications actually access and use private or sensitive data, including location, phone numbers and even SIM card identifiers, and to notify users within seconds. The findings suggest that Android, and other phone operating systems, need to do more to monitor what third-party applications are doing under the covers of smartphones.
TaintDroid is a joint effort by Peter Gilbert and Landon Cox, of Duke University; Jaeyeon Jung, Byung-Gon Chun and Anmol Sheth, of Intel Labs; and William Enck and Patrick McDaniel, of Penn State University. The team's paper, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," is online and is being presented next week at the USENIX Symposium on Operating Systems Design and Implementation (OSDI).
Smartphone apps can combine data from remote cloud services with data pulled from the phone and its sensors, such as the GPS receiver, camera, accelerometer, and microphone. And there are legitimate reasons for applications to access a range of private user data.
Today, however, Android and other mobile operating systems offer only basic controls: users can allow or deny an application access to such information, but they can't control how the application subsequently uses that data. The online Android Market passed the 50,000-app milestone last April.
"For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity," the authors note. "As a result, users must blindly trust that applications will properly handle their private data. This lack of transparency forces users to blindly trust that applications will properly handle private data."
A controversial study released in June 2010 by smartphone security vendor SMobile (just acquired by Juniper) said that 20% of Android applications were seeking access to sensitive data. The report was trumpeted in a barrage of scare headlines implying that the applications were therefore unsafe. (Network World's own headline was more circumspect: "20 percent of Android apps can threaten privacy, says vendor".) Many Android developers noted that users explicitly grant permission to these applications, and that access to such data is often necessary.
But the TaintDroid project digs deeper: the question is, once access is granted, what actually does the application do with the data?
TaintDroid begins with the assumption that none of those 50,000 applications can be trusted. Technically, says Duke's Peter Gilbert, TaintDroid is an extension to Android's virtual machine, called Dalvik, on which Android apps actually run. "In order to use TaintDroid, one must install our custom-built firmware," he says.
The code uses a technique called "dynamic tainting analysis," essentially labeling ("tainting") specific sensitive data, and then tracking the propagation of that data through files, programs and interprocess messages.
When tainted data are sent over the network, or leave the system in any way, TaintDroid logs the labels, the application responsible for the transmission and the transmission's destination. It creates a simple text alert for the user, showing what information was sent, and to whom.
"The current notification UI is just a preliminary prototype that we built to demo the TaintDroid system," says Jaeyeon Jung, research scientist with Intel Labs Seattle. "The research is well underway to build a privacy interface through which users can configure privacy settings and control data exposure on smartphones."
The prototype code was tested against 30 randomly selected, popular Android apps that use location, camera, or microphone data. The software flagged 105 instances in which these applications transmitted tainted data. The researchers concluded that 37 of those instances, just over one-third, were legitimate. Fifteen of the apps reported users' locations to remote advertising servers. Seven collected the device ID and, sometimes, the phone number and the phone's SIM card serial number.
"In all, two thirds of the applications in our study used sensitive data suspiciously," the paper concludes.
TaintDroid's information flow tracking is not foolproof: it can be circumvented by using what are called "implicit flows" to "leak" the data, according to the paper. The very use of implicit flows is an indicator of malicious intent, say the authors, who outline some countermeasures that can be applied.
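As an added illustration (not TaintDroid's code), the following toy Python model shows the tracking described above and the implicit-flow blind spot: labels attach to values at sensitive sources, propagate through explicit operations, and are reported at the network sink. The label names, package name, hosts and data values are constructed.

```python
from dataclasses import dataclass

# Labels for the kinds of sensitive data the article names (constructed names).
LOCATION, DEVICE_ID, SIM_ID = "LOCATION", "DEVICE_ID", "SIM_ID"


@dataclass(frozen=True)
class Tainted:
    """A string value plus the set of labels of the sensitive sources it derives from."""
    value: str
    labels: frozenset = frozenset()

    def __add__(self, other):
        # Explicit flow: concatenation propagates the union of both operands' labels.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.labels | other.labels)
        return Tainted(self.value + str(other), self.labels)


def source(label, value):
    """Taint source: data returned by a sensitive API starts life with one label."""
    return Tainted(value, frozenset({label}))


def network_send(app, dest, payload, log):
    """Taint sink: if outgoing data carries labels, record the app, destination and labels."""
    if payload.labels:
        log.append({"app": app, "dest": dest, "labels": sorted(payload.labels)})
    return len(payload.value)


def ad_library_request(log):
    """Constructed scenario: an ad library embeds location and device ID in a tracking URL."""
    lat = source(LOCATION, "47.61")
    device_id = source(DEVICE_ID, "000000000000000")  # placeholder digits, not a real ID
    url = Tainted("https://ads.example/track?loc=") + lat + "&id=" + device_id
    network_send("com.example.freegame", "ads.example", url, log)
    # A request that touches no sensitive source produces no alert.
    network_send("com.example.freegame", "cdn.example", Tainted("GET /banner.png"), log)
    return log


def implicit_flow_copy(secret):
    """Blind spot: rebuilding a value through branches copies its content but not its labels."""
    out = Tainted("")
    for ch in secret.value:
        out = out + ("1" if ch == "1" else "0")  # each branch appends an untainted literal
    return out
```

The sink fires for the ad request but stays silent for the branch-by-branch copy, which is why the paper treats the presence of implicit flows as itself suspicious.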
One challenge in taint tracking is making it efficient, and the TaintDroid team focused a lot of work on using as few CPU cycles as possible. The researchers tested TaintDroid's performance, and found it created a runtime overhead of less than 14% in a CPU-bound benchmark.