305 research outputs found

    Towards Principled Dynamic Analysis on Android

    The vast amount of information and services accessible through mobile handsets running the Android operating system has led to the tight integration of such devices into our daily routines. However, their capability to capture and operate upon user data provides an unprecedented insight into our private lives that needs to be properly protected, which demands comprehensive analysis and thorough testing. While dynamic analysis has been applied to these problems in the past, the corresponding literature consists of scattered work that often specializes in sub-problems and keeps on re-inventing the wheel, thus lacking a structured approach. To overcome this unsatisfactory situation, this dissertation introduces two major systems that advance the state-of-the-art of dynamically analyzing the Android platform. First, we introduce a novel, fine-grained and non-intrusive compiler-based instrumentation framework that allows for precise and high-performance modification of Android apps and system components. Second, we present a unifying dynamic analysis platform with a special focus on Android’s middleware in order to overcome the common challenges we identified from related work. Together, these two systems allow for a more principled approach for dynamic analysis on Android that enables comparability and composability of both existing and future work.

    The enormous amount of information and services made accessible by mobile devices running the Android operating system has led to an increased integration of these devices into our daily lives. At the same time, the user data processed along the way allows an unprecedented insight into our private lives. This information must be adequately protected, which requires comprehensive analysis and thorough testing. Dynamic analysis techniques that have already been applied here in the past often focus on sub-problems and regularly reimplement already existing components instead of pursuing a structured approach. To overcome this unsatisfactory situation, this dissertation presents two systems that extend the state of the art of dynamic analysis of the Android platform. First, we present a compiler-based, fine-grained and only minimally intrusive instrumentation framework for precise and high-performance modification of Android apps and system components. We then introduce a platform specialized in the Android middleware for unifying dynamic analysis, in order to overcome the common challenges in this area extracted from existing work. Together, these two systems allow a principled approach to dynamic analysis that enables the comparison and combination of existing and future work.

    A holistic framework for enhancing privacy awareness

    Home users face increasingly higher risks of privacy loss and struggle with the difficult task of protecting large volumes of personal information. Most privacy research assumes that users have uniform privacy requirements. The main problem with this approach is that research has also shown that users have different privacy attitudes and expectations based upon a variety of factors, including (but not limited to) gender, age and education level. Privacy therefore can mean different things in different contexts, to different people at different times. For example, some users are less concerned regarding the sharing and use of their location information while others will be very concerned. Therefore, it is important to factor these requirements into a privacy-awareness model that can enhance users' awareness and help them make more informed decisions to reduce their specific degree of exposure. The quantity and range of sensitive information also requires approaches that give users back the control over their data. Therefore, prioritization of privacy-related information on an individual user basis should be utilised to ensure relevant and timely notification about privacy-related information that is important to the user. This paper presents a critical analysis of the current state of the art and proposes a novel mobile-based architecture to provide users with effective and usable privacy protection.

    Dynamic User Defined Permissions for Android Devices

    Mobile computing devices have become an essential part of everyday life and are becoming the primary means for collecting and storing sensitive personal and corporate data. Android is, by far, the dominant mobile platform, which makes its permissions model responsible for securing the vast majority of this sensitive data. The current model falls well short of actual user needs, as permission assignments are made statically at installation time. Therefore, it is impossible to implement dynamic security policies that could be applied selectively depending on context. Users are forced to unconditionally trust installed apps without means to isolate them from sensitive data. We describe a new approach, app sanitization, which automatically instruments apps at installation time, such that users can dynamically grant and revoke individual permissions. The main advantage of our technique is that it runs in userspace and utilizes standard aspect-oriented methods to incorporate custom security controls into the app