SuPOR: Precise and scalable sensitive user input detection for android apps

Jianjun Huang; Zhichun Li; Xusheng Xiao; Zhenyu Wu; Kangjie Lu; Xiangyu Zhang; Guofei Jiang

SuPOR: Precise and scalable sensitive user input detection for android apps

Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, Guofei Jiang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.

Original language	English (US)
Title of host publication	Proceedings of the 24th USENIX Security Symposium
Publisher	USENIX Association
Pages	977-992
Number of pages	16
ISBN (Electronic)	9781931971232
State	Published - 2015
Externally published	Yes
Event	24th USENIX Security Symposium - Washington, United States Duration: Aug 12 2015 → Aug 14 2015

Publication series

Name	Proceedings of the 24th USENIX Security Symposium

Conference

Conference	24th USENIX Security Symposium
Country/Territory	United States
City	Washington
Period	8/12/15 → 8/14/15

Bibliographical note

Funding Information:
The authors would like to thank the anonymous reviewers for their insightful comments that helped improve the presentation of this paper. Jianjun Huang and Xiangyu Zhang are supported, in part, by National Science Foundation (NSF) under grants 0845870, 1320444, 1320326 and 1409668. Any opinions, findings, and conclusions or recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.

Publisher Copyright:
© 2015 Proceedings of the 24th USENIX Security Symposium. All rights reserved.

OpenUrl availability

Full text

Cite this

@inproceedings{27e101470f3d46f0906033f86b8bf605,

title = "SuPOR: Precise and scalable sensitive user input detection for android apps",

abstract = "While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.",

author = "Jianjun Huang and Zhichun Li and Xusheng Xiao and Zhenyu Wu and Kangjie Lu and Xiangyu Zhang and Guofei Jiang",

note = "Funding Information: The authors would like to thank the anonymous reviewers for their insightful comments that helped improve the presentation of this paper. Jianjun Huang and Xiangyu Zhang are supported, in part, by National Science Foundation (NSF) under grants 0845870, 1320444, 1320326 and 1409668. Any opinions, findings, and conclusions or recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF. Publisher Copyright: {\textcopyright} 2015 Proceedings of the 24th USENIX Security Symposium. All rights reserved.; 24th USENIX Security Symposium ; Conference date: 12-08-2015 Through 14-08-2015",

year = "2015",

language = "English (US)",

series = "Proceedings of the 24th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "977--992",

booktitle = "Proceedings of the 24th USENIX Security Symposium",

}

TY - GEN

T1 - SuPOR

T2 - 24th USENIX Security Symposium

AU - Huang, Jianjun

AU - Li, Zhichun

AU - Xiao, Xusheng

AU - Wu, Zhenyu

AU - Lu, Kangjie

AU - Zhang, Xiangyu

AU - Jiang, Guofei

N1 - Funding Information: The authors would like to thank the anonymous reviewers for their insightful comments that helped improve the presentation of this paper. Jianjun Huang and Xiangyu Zhang are supported, in part, by National Science Foundation (NSF) under grants 0845870, 1320444, 1320326 and 1409668. Any opinions, findings, and conclusions or recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF. Publisher Copyright: © 2015 Proceedings of the 24th USENIX Security Symposium. All rights reserved.

PY - 2015

Y1 - 2015

N2 - While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.

AB - While smartphones and mobile apps have been an essential part of our lives, privacy is a serious concern. Previous mobile privacy related research efforts have largely focused on predefined known sources managed by smartphones. Sensitive user inputs through UI (User Interface), another information source that may contain a lot of sensitive information, have been mostly neglected. In this paper, we examine the possibility of scalably detecting sensitive user inputs from mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data. SUPOR enables existing privacy analysis approaches to be applied on sensitive user inputs as well. To demonstrate the usefulness of SUPOR, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis We apply the system to 16,000 popular Android apps, and conduct a measurement study on the privacy disclosures. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures and the false positive rate is 8.7%. We discover interesting cases related to national ID, username/password, credit card and health information.

UR - http://www.scopus.com/inward/record.url?scp=84979682861&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84979682861&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84979682861

T3 - Proceedings of the 24th USENIX Security Symposium

SP - 977

EP - 992

BT - Proceedings of the 24th USENIX Security Symposium

PB - USENIX Association

Y2 - 12 August 2015 through 14 August 2015

ER -

SuPOR: Precise and scalable sensitive user input detection for android apps

Abstract

Publication series

Conference

Bibliographical note

OpenUrl availability

Other files and links

Fingerprint

Cite this