XUETAO WEI LORENZO GOMEZ PROFESSOR IULIAN NEAMTIU PROFESSOR MICHALIS FALOUTSOS

UNIVERSITY OF CALIFORNIA, RIVERSIDE

PROFILEDROID: MULTI-LAYER PROFILING

OF ANDROID APPLICATIONS

WE DEPEND ON SMARTPHONES MORE AND MORE

US Army CSDA initiative (Connecting Soldiers to Digital Applications) to replace handheld radio + BLUE FORCE tracker + portable GPS + video feed ROVER

source:defenseindustrydaily.com

“FDA approves Mobisante’s smartphone ultrasound app” [Feb 2011] source:mobilehealthnews.com

ANDROID IS A POPULAR SMARTPHONE PLATFORM

Operating system share of smartphone sales (US)

850,000 Android phones activated every day [Google letter to investors, April 2012]

BUT WE DON’T UNDERSTAND APP BEHAVIOR

source:washingtonpost.com

Will this app leak my photos?

Will this app drain my battery?

Will this app tell my friends that I’m a

moron?

THE ANDROID APP MARKET IS A JUNGLE

Which radio is best for me?

FIRST STEP TO MAINTAINING THE JUNGLE

Provide a low-cost method to profile the behavior of an app Given a few short executions:

• What did the app do? • How does the app use resources? • What entities does it communicate with?

• What was the app supposed to do? • Where there conflicts? Why?

BENEFICIAL TO Application developers

• Assess performance and security implications • Make better use of resources

End users

• Enhance user control and improve experience • Push developers to make better use of resources

ANDROID APPS Written in Java, compiled into Dalvik VM bytecode Packaged as name.apk

• Signed with developer’s private key • Essentially a .zip file containing:

• .dex bytecode file (similar to .class) • “Manifest” file (XML): permissions

Permission model • Permissions last FOREVER! • Shown before install • All or nothing

Permissions alone aren’t enough to describe app behavior

DYNAMIC ANALYSIS WITH PROFILEDROID

Android Device

Mon

itorin

g

Android Debugging Bridge

Prof

iling

Desktop/laptop

• Goal Multi-level profiling based on static and

dynamic application analysis

MONITORING AND ANALYSIS WITH PROFILEDROID

PROFILING FRAMEWORK: MONITORING

Capture 3 user traces, 5 minutes per app

Trace File

Trace File

Trace File

Playback original trace and collect logs

Logs

Trace File Playback

PROFILING FRAMEWORK: MONITORING

A QUICK REPLAY DEMO

PROFILING FRAMEWORK: MONITORING

Repeat playback 10 times per user

Logs Trace File

Logs

Total of 30 runs of each app to build profile (5 in morning and 5 at night, per app)

PROFILING FRAMEWORK: MULTI-LAYER ANALYSIS

Android software stack

Linux Kernel

Libraries, Android Runtime

Application Framework

Application Static

User

OS

Network

Logs

What metrics can be used to capture app behavior?

SELECTED APPS Category App Social Facebook Games Angry Birds, Angry Birds$$ Music & Audio Pandora, Shazam, Shazam$$ Media & Video Youtube Shopping Amazon Travel Gasbuddy Health & Fitness Instant Heart Rate, Instant Heart

Rate$$ Communication Dolphin browser Sports ESPN Reference Dictionary.com, Dictionary.com$$

total 27 apps: 19 free , 8 paid

Wide range of apps, spanning many categories Popular apps with >1,000,000 installs

STATIC LAYER Source: manifest & bytecode decompilation

• Permissions (shown at install) • Internet • Location (GPS or network) • Phone • …

• Intents (not shown at install) • Resource use

without permission via deputy apps Linux Kernel

Libraries, Android Runtime

Application Framework

Application Static

User

OS

Network

STATIC LAYER ANALYSIS RESULTS

App Internet GPS Camera Mic Bluetooth Telephony Facebook p p i* p Dictionary.com p i i Instant Heart Rate p p i i Shazam p p p Total (out of 27) 27 9 6 4 3 5

p = use via permissions i = use via intents (deputy apps)

*for version originally tested March 2012

USER LAYER Source: logcat, /dev/input/event

• Input devices and events • Touchscreen • Physical Buttons • Accelerometer • Compass • Light proximity sensor

… Linux Kernel

Libraries, Android Runtime

Application Framework

Application Static

User

OS

Network

USER LAYER ANALYSIS RESULTS

OPERATING SYSTEM LAYER Source: strace

• System call categories • Network sockets • File system • VM & IPC

• Enforces isolation • Overhead: scheduling,

idling, IPC

Linux Kernel

Libraries, Android Runtime

Application Framework

Application Static

User

OS

Network

OPERATING SYSTEM LAYER RESULTS

App Intensity (syscalls/sec)

Filesystem (%)

Network (%)

VM & IPC (%)

Misc (%)

Tiny Flashlight 436 1 1 77 21 Facebook 1,031 4 3 72 21 Amazon 693 1 6 77 16 InstHeartRate 944 8 2 75 15

NETWORK LAYER Source: tcpdump (packets and content) App traffic

• Origin (app's website) • CDN and Cloud • Google • 3rd party: ads & tracking

Linux Kernel

Libraries, Android Runtime

Application Framework

Application Static

User

OS

Network

NETWORK LAYER RESULTS

App Intensity

(bytes/ sec)

In/out ratio

Origin

(%)

CDN+ Cloud

(%)

Google

(%)

3rd party (%)

HTTP/ HTTPS

split (%)

Tiny Flashlight 134 2.49 - - 99 - 100/- AdvTaskKiller 26 0.94 - - 100 - 92/8 AdvTaskKiller$$ - - - - - - - Facebook 4,606 1.45 68 32 - - 23/77 Amazon 7,758 8.17 95 5 - - 99/1 InstHeartRate 575 2.39 - 4 86 10 86/14 InstHeartRate$$ 6 0.31 - 9 90 1 20/80

APPLICATION THUMBNAILS

High usage Medium usage Low usage

READING BETWEEN THE LINES Free apps are not as free as we might think

• 50—100% higher system call intensity • Dramatically higher network traffic (usually ads&tracking)

Bad for your dataplan, your battery life, and your privacy

VM-based isolation comes at a cost • 64—87% of system calls are due to VM and IPC

READING BETWEEN THE LINES Apps talk to many servers spread across many top-level domains

• AngryBirds$$: 4 domains, AngryBirds free: 8 domains • Weatherbug: 13 domains, Shazam: 13 domains

Most network traffic is not encrypted Google traffic is predominant

• Except for Amazon and Facebook which have 0 (zero) Google traffic

FUTURE WORK • Expand study to include more apps • User profiles

• Study the variance across users • Fully automate process • Profiler as an app to run on the device

• Provide summary of usage on close

QUESTIONS?