Visible to the public Scalable Privacy Analysis - January 2021Conflict Detection Enabled

Submitted by Serge Egelman on Wed, 02/10/2021 - 6:32pm

PI(s), Co-PI(s), Researchers:

  • Serge Egelman (ICSI)
  • Narseo Vallina-Rodriguez (ICSI)
  • Primal Wijesekera (ICSI)
  • Abbas Razaghpannah (ICSI)

HARD PROBLEM(S) ADDRESSED
Scalability and Composability, Policy-Governed Secure Collaboration, Metrics

PUBLICATIONS

  • Nothing to report this quarter.

KEY HIGHLIGHTS

  • Mobile Operating Systems (OSes) are mostly locked down to ensure the interactions between the user, the apps, and the OS remain tightly controlled by the OS for security. Some mobile devices, however, can be altered, physically or through software means, to run altered OSes that allow users and some apps to have higher privileges than they normally would, breaking the locked-down isolated model. So-called "rooted" or "jailbroken" mobile devices are not only popular among users who like to tinker with and customize their devices outside the realm of what is sanctioned or even allowed by manufacturers, but also a staple in the arsenal of researchers and app store owners who use them to to analyze mobile apps for a variety of purposes. These include privacy and security research, app store policy enforcement, and anti-piracy and law enforcement. This is why it is a well-known and well-studied fact that various strains of mobile malware look for root access (perhaps to try and exploit it when found) or detect analysis tools to ensure they are not running on a monitored device or a honey-pot.

    Regardless of their intent, the use of root-detection and anti-analysis techniques hinders the ability of researchers to accurately study these apps and the ability of app stores to effectively enforce their policies, as both groups rely on analysis tools that are detected and flagged by apps that use root detection and anti-analysis techniques.
    Despite their importance and huge potential impact on mobile app research, our knowledge of these techniques used in legitimate mobile apps (and not just mobile malware) is limited at best. To the best of our knowledge there is no comprehensive study of the usage of root detection and anti-analysis techniques in non-malware mobile apps. As a result, we set out to study these techniques and their popularity among mobile apps.

    We have implemented tools that allow us to statically analyze Android apps to detect and flag code that could potentially detect root access, and have effective means of defeating these checks to better study the apps that use them. Additionally, we are designing and implementing a dynamic analysis pipeline that would help us measure the difference in app behavior in cases where these checks fail (i.e. root is detected), compared to when they succeed.
    Moreover, we have been studying and developing analysis tools for other forms of anti-analysis techniques and methods as well. These include studying the various methods mobile apps implement certificate pinning and other forms of non-standard and custom certificate chain trust verification methods.

    We are currently working on a paper about this, which we expect to publish within the next several months.

COMMUNITY ENGAGEMENTS

  • Nothing to report this quarter.

EDUCATIONAL ADVANCES:

  • Nothing to report this quarter.
Groups: