a presentation of taintdroid & related topics

A Presentation Of TaintDroid & Related Topics
Based on the OSDI’10 paper “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”
Presented by Toby Tobkin for CAP6135 Spring 2013

Upload: elin

Post on 23-Feb-2016



TRANSCRIPT

Page 1: A Presentation Of TaintDroid  & Related Topics


A Presentation Of TaintDroid & Related Topics
Based on the OSDI’10 paper “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”
Presented by Toby Tobkin for CAP6135 Spring 2013

Page 2: A Presentation Of TaintDroid  & Related Topics


Paper Information
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
9th USENIX Symposium on Operating Systems Design and Implementation

Authors:
William Enck, The Pennsylvania State University
Peter Gilbert, Duke University
Byung-Gon Chun, Intel Labs
Landon P. Cox, Duke University
Jaeyeon Jung, Intel Labs
Patrick McDaniel, The Pennsylvania State University
Anmol N. Sheth, Intel Labs

Page 3: A Presentation Of TaintDroid  & Related Topics

Presentation Overview
• Introduction (15 slides)
• TaintDroid (5 slides)
• Experiment (5 slides)
• Concluding Remarks (4 slides)


Page 4: A Presentation Of TaintDroid  & Related Topics

Introduction
Motivation, Taint Analysis


Page 5: A Presentation Of TaintDroid  & Related Topics

Motivation
• Historical problem with computer software: privacy violations
    - Unwitting users
• Problem exacerbated by smartphones
    - Almost ubiquitously store private information
    - Large array of sensors
    - Monetization pressures to detriment of user privacy
        - Cited by paper: [12, 19, 35]

[Figure: Android’s coarse-grained privacy control]


Toby Tobkin
Read these abstracts and summarize in comments.
Page 6: A Presentation Of TaintDroid  & Related Topics

Motivation
• Current privacy control methods arguably inadequate
• Idea:
    - Can’t change the current system without repercussions
    - Instead, create a method to audit untrusted applications
• Execution:
    - Must be able to detect potential misuses of private information, and
    - be fast enough to be usable

[Figure: Android’s coarse-grained privacy control]


Page 7: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis
• The mechanism by which TaintDroid operates
• Basic idea: keep track of what some input does
• Considered a type of data flow analysis
• Done on concrete executions


Page 8: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

• Example sourced from CMU ECE Source
• Will show the basic approach of dynamic taint analysis
• Two concrete executions will be presented
• Goal: evaluate whether control can be hijacked by [malicious] user input


Page 9: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status


Page 10: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         6      true


Page 11: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         6      true
two       2      false


Page 12: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         6      true
two       2      false
j         8      true


Page 13: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         6      true
two       2      false
j         8      true
l         8      true


Page 14: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status


Page 15: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         7      true


Page 16: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         7      true
two       2      false


Page 17: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         7      true
two       2      false
k         4      false


Page 18: A Presentation Of TaintDroid  & Related Topics

Dynamic Taint Analysis

    i = get_input();
    two = 2;
    if (i % 2 == 0) {
        j = i + two;
        l = j;
    } else {
        k = two * two;
        l = k;
    }
    jmp l;

Variable  Value  Taint Status
i         7      true
two       2      false
k         4      false
l         4      false
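The two executions walked through on the preceding slides can be reproduced with a small shadow-state interpreter. This is an added example, not code from the presentation or from TaintDroid; the instruction names, the `run` function and the "branch on tainted" event are assumptions made for illustration.

```python
# Added example: explicit-flow taint tracking over the slides' toy program.
# Each variable maps to (value, tainted); instruction names are made up here.
SLIDE_PROGRAM = [
    ("input", "i"),                      # i = get_input()  (taint source)
    ("const", "two", 2),                 # two = 2
    ("if_even", "i",
        [("add", "j", "i", "two"),       # j = i + two
         ("mov", "l", "j")],             # l = j
        [("mul", "k", "two", "two"),     # k = two * two
         ("mov", "l", "k")]),            # l = k
    ("jmp", "l"),                        # jmp l            (taint sink)
]


def run(program, user_input, env=None, events=None):
    """Run one concrete execution; return (shadow table, policy events)."""
    env = {} if env is None else env
    events = [] if events is None else events
    for op, *args in program:
        if op == "input":
            env[args[0]] = (user_input, True)
        elif op == "const":
            env[args[0]] = (args[1], False)
        elif op in ("add", "mul"):
            dst, a, b = args
            (va, ta), (vb, tb) = env[a], env[b]
            result = va + vb if op == "add" else va * vb
            env[dst] = (result, ta or tb)    # taint is the OR of the operands
        elif op == "mov":
            env[args[0]] = env[args[1]]      # a copy carries its taint along
        elif op == "if_even":
            var, then_block, else_block = args
            value, tainted = env[var]
            if tainted:                      # control dependence is only logged
                events.append(f"branch on tainted {var}")
            chosen = then_block if value % 2 == 0 else else_block
            run(chosen, user_input, env, events)
        elif op == "jmp":
            value, tainted = env[args[0]]
            status = "VIOLATION: tainted target" if tainted else "ok"
            events.append(f"jmp {value}: {status}")
    return env, events


if __name__ == "__main__":
    for sample in (6, 7):                    # the slides' two executions
        table, events = run(SLIDE_PROGRAM, sample)
        print(sample, table, events)
```

With input 7 the jump target is reported untainted even though the tainted input chose the path, because only explicit data flows propagate taint in this sketch.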


Page 19: A Presentation Of TaintDroid  & Related Topics

TaintDroid
TaintDroid Architecture


Page 20: A Presentation Of TaintDroid  & Related Topics


TaintDroid Architecture

Source: TaintDroid Paper


Page 21: A Presentation Of TaintDroid  & Related Topics

TaintDroid Architecture
Binder IPC

Source: TaintDroid Paper


Page 22: A Presentation Of TaintDroid  & Related Topics

TaintDroid Architecture
Dalvik VM Interpreter

Source: TaintDroid Paper


Page 23: A Presentation Of TaintDroid  & Related Topics

TaintDroid Architecture
Android Middleware

Source: TaintDroid Paper


Page 24: A Presentation Of TaintDroid  & Related Topics

Experiment
Experimental Setup, Experimental Results


Page 25: A Presentation Of TaintDroid  & Related Topics

Experimental Setup
• Sample set of popular Android applications: 1100 applications
• 358 of 1100 required Internet permissions plus one or more of the following data access permissions:
    - location
    - camera
    - camera
• Of these 358, 30 applications randomly selected for examination


Page 26: A Presentation Of TaintDroid  & Related Topics

Experimental Setup
• Each application manually exercised and monitored using TaintDroid
• Results verified by comparing TaintDroid logs to network packet capture
• Also noted whether applications asked user consent for information used


Page 27: A Presentation Of TaintDroid  & Related Topics

Experimental Results

Observed Behavior (# of apps) | Details
Phone Information to Content Servers (2) | 2 apps sent out the phone number, IMSI, and ICC-ID along with geo-coordinates to the app’s content server
Device ID to Content Servers (7)* | 2 social, 1 shopping, 1 reference and 3 other apps transmitted the IMEI number to the app’s content server
Location to Advertisement Servers (15) | 5 apps sent geo-coordinates to ad.qwapi.com, 5 apps to admob.com, 2 apps to ads.mobclix.com (1 sent location both to admob.com and ads.mobclix.com) and 4 apps sent location to data.flurry.com


Page 28: A Presentation Of TaintDroid  & Related Topics

Experimental Results
• TaintDroid produced no false positives on the application set tested
• 1/2 of applications shared location data with advertising servers
• ~1/3 expose device ID
• Authors claim no perceived latency in using interactive applications
• TaintDroid shown to be qualitatively useful


Page 29: A Presentation Of TaintDroid  & Related Topics


Concluding Remarks


Page 30: A Presentation Of TaintDroid  & Related Topics

Contributions
• TaintDroid produced useful results for every application tested
• A useful privacy analysis tool was implemented
    - produced no false positives in experiments completed
    - high performance in design
    - also, released to public


Page 31: A Presentation Of TaintDroid  & Related Topics

Weaknesses
• Mentioned by Enck et al.:
    - TaintDroid can be circumvented by implicit information flow
    - TaintDroid cannot tell if tainted information re-enters the phone after leaving
• Interactive application latency was reported anecdotally, but could have been measured more formally, perhaps like this: “Project Butter”


Page 32: A Presentation Of TaintDroid  & Related Topics

Improvements
• Mentioned on last slide: certain performance metrics could have been reported more formally
