Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications

Benjamin Livshits, Jaeyeon Jung
2013 USENIX Security Symposium  
Mobile app development best practices suggest that developers obtain opt-in consent from users prior to accessing potentially sensitive information on the phone. We study challenges that mobile application developers have with meeting such requirements, and highlight the promise of using new automated, static analysis-based solutions that identify and insert missing prompts in order to guard otherwise unprotected resource accesses. We find evidence that third-party libraries, incorporated by developers across the mobile industry, may access privacy-sensitive resources without seeking consent or even against the user's choice. Based on insights from real examples, we develop the theoretical underpinning of the problem of mediating resource accesses in mobile applications. We design and implement a graph-theoretic algorithm to place mediation prompts that protect every resource access, while avoiding repetitive prompting and prompting in background tasks or third-party libraries. We demonstrate the viability of our approach by analyzing 100 apps, averaging 7.3 MB in size and consisting of dozens of DLLs. Our approach scales well: once an app is represented in the form of a graph, the remaining static analysis takes under a second on average. Overall, our strategy succeeds in about 95% of all unique cases.
dblp:conf/uss/LivshitsJ13 fatcat:gi3gpzhhtjdknercymncv3cnsq