TY - GEN
T1 - SuPOR
T2 - 24th USENIX Security Symposium
AU - Huang, Jianjun
AU - Li, Zhichun
AU - Xiao, Xusheng
AU - Wu, Zhenyu
AU - Lu, Kangjie
AU - Zhang, Xiangyu
AU - Jiang, Guofei
N1 - Publisher Copyright:
© 2015 Proceedings of the 24th USENIX Security Symposium. All rights reserved.
PY - 2015
Y1 - 2015
N2 - While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.
AB - While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.
UR - http://www.scopus.com/inward/record.url?scp=84979682861&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84979682861&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84979682861
T3 - Proceedings of the 24th USENIX Security Symposium
SP - 977
EP - 992
BT - Proceedings of the 24th USENIX Security Symposium
PB - USENIX Association
Y2 - 12 August 2015 through 14 August 2015
ER -