896 research outputs found

    Consistency Analysis of Privacy Policies and Mobile Applications

    Thesis (Master's) -- Seoul National University Graduate School: College of Engineering, Department of Computer Science and Engineering, 2021. 2. 권태경.
    With the increase of mobile users, there have been many privacy issues in which sensitive and personal data is leaked while using mobile applications. To deal with this problem, Google App Store has required developers to disclose how the app uses data in privacy protection policies. App developers describe all of the app practices in the privacy policy to meet these legal requirements. However, there is no technical solution to verify the consistency between privacy policies and app activities. Users must rely on privacy protection policies to see how the app uses data. In this paper, we select personal data categories that can be easily exposed through the app and analyze privacy policies and apps to find keywords and APIs related to personal data. We collected the APK files and metadata of 13,223 apps registered in Google Play Store as datasets and selected the apps for analysis by preprocessing them by four conditions. According to the results, many apps can access more personal data than they disclosed in the privacy policy.
    Contents: Abstract; Chapter 1 Introduction; Chapter 2 Related work (2.1 Privacy Policy Analysis, 2.2 Mobile App Analysis); Chapter 3 System Design (3.1 Overview, 3.2 Playstore Crawler, 3.3 Policy Analyzer, 3.4 App Analyzer); Chapter 4 Result (4.1 Dataset, 4.2 Personal Data Category, 4.3 Consistency Check, 4.4 App Genre); Chapter 5 Conclusion; Bibliography; Abstract (Korean). Maste

    A Security & Privacy Analysis of US-based Contact Tracing Apps

    With the onset of COVID-19, governments worldwide planned to develop and deploy contact tracing (CT) apps to help speed up the contact tracing process. However, experts raised concerns about the long-term privacy and security implications of using these apps. Consequently, several proposals were made to design privacy-preserving CT apps. To this end, Google and Apple developed the Google/Apple Exposure Notification (GAEN) framework to help public health authorities develop privacy-preserving CT apps. In the United States, 26 states used the GAEN framework to develop their CT apps. In this paper, we empirically evaluate the US-based GAEN apps to determine 1) the privileges they have, 2) if the apps comply with their defined privacy policies, and 3) if they contain known vulnerabilities that can be exploited to compromise privacy. The results show that all apps violate their stated privacy policy and contain several known vulnerabilities

    Advanced Security Analysis for Emergent Software Platforms

    Emergent software ecosystems, boomed by the advent of smartphones and the Internet of Things (IoT) platforms, are perpetually sophisticated, deployed into highly dynamic environments, and facilitating interactions across heterogeneous domains. Accordingly, assessing the security thereof is a pressing need, yet requires high levels of scalability and reliability to handle the dynamism involved in such volatile ecosystems. This dissertation seeks to enhance conventional security detection methods to cope with the emergent features of contemporary software ecosystems. In particular, it analyzes the security of Android and IoT ecosystems by developing rigorous vulnerability detection methods. A critical aspect of this work is the focus on detecting vulnerable and unsafe interactions between applications that share common components and devices. Contributions of this work include novel insights and methods for: (1) detecting vulnerable interactions between Android applications that leverage dynamic loading features for concealing the interactions; (2) identifying unsafe interactions between smart home applications by considering physical and cyber channels; (3) detecting malicious IoT applications that are developed to target numerous IoT devices; (4) detecting insecure patterns of emergent security APIs that are reused from open-source software. In all of the four research thrusts, we present thorough security analysis and extensive evaluations based on real-world applications. Our results demonstrate that the proposed detection mechanisms can efficiently and effectively detect vulnerabilities in contemporary software platforms. Advisers: Hamid Bagheri and Qiben Ya