A Privacy Enhanced Security Framework for Android Users

Shirish Kumar Singh, Bharavi Mishra, Poonam Gera
Computer Science and Engineering Dept., The LNM Institute of Information Technology, Jaipur, India

Abstract—In the past few years the primary focus of computing has shifted from PCs to smart-phones and tablets. As a result, a smart-phone is now more than a communication device: it stores a vast amount of the user's sensitive data. Its popularity has also opened a new era of application development, and Google's Play Store now contains millions of free Android applications. To use these applications, users are bound to grant permission to access their data as the price of the application. The requested permissions are sometimes genuine (such as the location permission required by Google Maps), but in many cases applications request unnecessary permissions, which harms the security and privacy of the user. Considering these facts, in this paper we propose a computationally efficient framework to enhance both the privacy and the security of Android users.

I. INTRODUCTION

Android is a popular open source smart-phone and tablet operating system developed by Android, Inc., which was later bought by Google [26]. According to IDC's 2014 report, 1.3 billion Android based mobile phones were shipped during the third quarter of 2014, and as a result Android captured over 84% of the smart-phone market [22]. Android was originally based on Linux kernel 2.6 [1], but to bring innovation and value to customers the platform has been modified and extended extensively so that applications can use sophisticated hardware and software through it. In addition, Android smart-phones and tablets carry popular web services such as YouTube and Gmail and social networks such as Facebook and Twitter [5], which are accessed through native applications instead of their web interfaces. Smart-phones, tablets and smart TVs therefore hold a huge amount of the user's personal data, which becomes a serious threat to the user's privacy if revealed. Unfortunately, the popularity of Android smart-phones also attracts malicious application developers. An extensive study by Kaspersky [23] reports that the number of known malicious Android apps has passed 10 million; such apps may send sensitive information (call logs, contact lists, personal data) over the network to an unknown destination without the user's awareness. Since practically every application is granted Internet access by default, protecting the user's privacy becomes all the more cumbersome. Over the past decade there have been multiple instances of data theft from the phones of prominent people; one such case was that of Australian Foreign Minister Julie Bishop, whose phone was hacked during a foreign visit after the MH17 incident [33]. Such instances threaten national security as well as personal privacy. Therefore, to ensure the security and privacy of the user, the Android system should have a robust security mechanism [2]. A popular existing method for securing data is encryption, in which the data is encoded so that only authorized parties can read it. Encryption, however, adds the overhead of encrypting and decrypting the data on every write and read of a file. To avoid this overhead in a computationally inexpensive manner, we propose a framework in which outgoing data is converted into an unreadable form without any encryption. Because the replacement data is random, traditional recovery methods such as brute force, dictionary or rainbow-table attacks cannot descramble it.

The rest of this paper is organized as follows. Section II discusses the fundamentals of the Android operating system. Related work and the existing security model adopted by Google are discussed in Section III. The proposed framework is presented in Section IV, followed by a case study in Section V. Conclusion and future work are discussed in Section VI.

II. ANDROID PROCESS MANAGEMENT

The Android platform is divided into four layers: the application layer (top), the application framework layer, the libraries, and the Linux kernel (bottom), as shown in Figure 1. Every Android application executes on a virtual machine; if a program uses library code, it calls the native program interface and executes the required functions in the library [11]. Android provides ART (Android Runtime) and the Dalvik Virtual Machine as runtime environments for executing applications [12][24]. The platform is based on the Linux kernel and uses the Zygote process model, built on the fork operation of the Linux kernel, to start application execution [13]. Memory and process management of the runtime environments depend on the Linux kernel [27]; to run several Android processes simultaneously, the runtime uses the kernel's process management features [14]. Each Android application runs in a separate virtual machine instance, and each virtual machine instance runs in an independent process space. Applications from different sources execute as different Linux users [11]. Although Android is a single-user OS, each application is assigned a unique UID at installation time, which means that, without extra effort, the application's files and memory are protected by the underlying Linux kernel [19]. Furthermore, each virtual machine process and thread is also a Linux process and thread respectively [15]. When the Android system starts an application, the Zygote process uses the fork operation of the Linux kernel to produce a child process in which the application runs. Besides creating application processes quickly, this also saves memory, because all Android application processes share the same set of core Java libraries [16].

978-1-4673-6537-6/15/$31.00 ©2015 IEEE

In kernel space, each process is described by a task_struct data structure, shown in Figure 2, which stores the process data such as process name, UID, PID, GID and permissions [21]. The task_struct of the currently running thread is reachable in kernel space through the macro current, which returns a pointer to the currently running task_struct. This structure is crucial for identifying the application thread that is transferring data on the network.

Fig. 2. struct task_struct

Fig. 1. Android Layered Architecture [2]

As discussed earlier, Android is based on the Linux kernel, which sits at the bottom layer of the Android architecture. As in Linux, every process descends from the init process, the first process started at boot time; all processes, including Zygote, are forked directly or indirectly by init. As soon as Zygote starts, it initializes the virtual machine, loads the core and pre-set libraries, and performs its initialization [11]. Whenever Zygote hatches a new application process, the virtual machine instance is copied into the new process, so each application gets its own virtual machine instance [17]. When a process is created, Android by default uses the package name from the application's AndroidManifest.xml as the process name. (An activity is a single, focused thing the user can do; it presents the application's UI.) When a component should run under a name other than the package name, the name is set by the android:process attribute in the manifest [18]. Regardless of the process name, each application is assigned a unique UID at installation; inside the Linux kernel each application process has a UID, PID and GID [25]. Permissions are assigned to UIDs rather than to application package names [20]. When two or more activities of the same application run in multiple processes, their PIDs differ but the UID (and with it the application's primary GID) remains the same, because they run in the same user space and belong to the same application.

III. RELATED WORK

Since the onset of mobile computing, new technologies have developed rapidly, and security researchers have turned their attention to enhancing the security and privacy of mobile phone users. This section critically discusses existing tools and techniques for mobile data security, in three parts: data encryption methods, the Android security model, and third-party techniques.

A. Data Encryption Method

Encryption is an encoding technique that protects data from unauthorized access. It secures the data, but the encrypt/decrypt overhead during device operation can noticeably reduce performance and user experience. For this reason Google dropped the requirement that Lollipop devices enable encryption by default [34], which in turn leaves data exposed.

B. Android Security Model

To secure such an open platform, certain rigorous security mechanisms are implemented in Android. This section elaborates some of them:

1) Application Manifest: The application manifest file is a major element of the Android security model. It provides Android with the information needed to execute an application [27], and the developer declares the application's permissions in it [4]. Every developer digitally signs his or her application; Android's security model maps the developer's signature to the application package and enforces signature-level permission authorization on that basis [3]. This model only provides origin and integrity protection for the application code. Under the Play Store's update policy, new versions of applications can obtain dangerous permissions without the user's consent [8]: unless an update adds a permission from a new group, users are not notified about the changed permissions. To make permissions more user friendly, Google divided all application permissions into 13 groups, and an application can update its permission policy itself to obtain other permissions within an already granted group without the user's knowledge [9]. In addition, since most applications use the Internet, Google moved the Internet permission into the "Other" category [8], so users are no longer explicitly made aware that an application uses the Internet.

2) Sandboxing: In Android, each application is installed under a separate user ID (UID), which gives it a separate home directory where its code and data reside. This directory is accessible only to the application's UID, which isolates each application's data from all other applications; sharing of data between applications must therefore be explicit [7]. Like other security mechanisms, the application sandbox is not invincible [7].

3) Google Bouncer: Bouncer scans Android Market applications for potentially malicious software without disrupting the user experience by imposing an approval process on developers. The service analyses applications already in the Android Market, new applications, and developer accounts. As soon as an application is uploaded, the service starts analysing it for known malware such as Trojans and spyware, compares its behaviour with previously analysed apps, and flags anomalies. However, research on Google Bouncer [10] found that Bouncer can be fingerprinted; it is easy to see that a malicious application could take advantage of this and behave like a legitimate application while running in Bouncer. It was also found that Bouncer runs an application for only about 5 minutes, so a malicious application can act benign while under Bouncer and do severe damage once it reaches the user's device. Moreover, a malicious application can mount an update attack: the initial installer contains no malicious code, and the malicious code is introduced when the application is updated [10].

4) Malware Removal: Android is designed to prevent malware from hiding in or modifying the platform, so that if a device is affected the malware can be removed easily. The Play Store can remotely remove malware from an Android device if required [7]. Even though Google can remotely remove installed applications from a user's device, it would be better if the malware never reached the device [10].

C. Third-party Applications

Apart from the built-in mechanisms, various third-party techniques have been proposed. A few of them are discussed below:

1) TaintDroid: TaintDroid monitors how third-party applications use the private data of the smartphone user. It is an efficient dynamic taint tracking and analysis system, capable of tracking many sources of sensitive data such as GPS location, phone number and IMEI, and it provides real-time analysis of applications [6][28][30].

When an application is installed, the user is shown the permissions the application requires, but not how the application will use the data it acquires from the device. TaintDroid is a pragmatic approach to making users aware of how applications use their data. It uses dynamic taint analysis [29], that is, the ability to monitor program data as the code runs on the system [31]. TaintDroid marks (taints) the user's sensitive information at a taint source and tracks it as it flows through Android until it reaches a taint sink, the point where the information leaves the device [29].

2) LP-Guardian: LP-Guardian focuses on maintaining the user's location privacy. It counters tracking, profiling and identification threats while maintaining full application functionality. The framework first intercepts the location API call made by the application and then anonymizes the returned data so that malicious applications cannot learn the user's true location [32].

Although Android has many security mechanisms, there remain gaps in protecting the privacy and security of Android smart-phones. TaintDroid only reveals the type and source of the data leaked; LP-Guardian secures only the GPS location of the device. Existing tools certainly provide a level of privacy, but not comprehensive privacy for all kinds of data: each is specific to a set of applications and a set of data, whereas a complete solution cannot be restricted to particular applications or data sets. Further, existing tools rely on encryption to attain privacy, and encryption keys can be recovered through cold-boot attacks, brute force and similar attacks [10][7].

IV. SP-ENHANCER: PRIVACY ENHANCEMENT FRAMEWORK

Keeping the above gaps in mind, we designed a framework (SP-Enhancer) that addresses the privacy issue in a computationally inexpensive manner. The framework is composed of four major components: an Android application (Enhancer), the App List, an Internal Routine, and the Scrambler. An overview is shown in Figure 3. The application creates and updates the App List file with the list of installed applications; the Internal Routine periodically checks for new applications and updates the list; and while data is being sent, the Scrambler identifies the sending process and scrambles the data according to that application's permission.

A. Application

An Android application named Enhancer acts as the user interface. Through it, the user either permits or prohibits an application from sending authentic data. Enhancer fetches and displays all user-installed applications on the device via the Package Manager. Based on the user's choice, the App List file is updated with a 'y' or an 'n' against the application's user ID. By default, no user-installed application has permission to send authentic data. A list of system applications is also obtained from the Package Manager and saved separately in the App List file with permission to send authentic data. Moreover, to reduce the burden on the user, we apply the concept of user profiling. A user profile is defined here as the collection of applications, with their categories and permissions, that the user has installed. Initially, the application scans the system to create the user profile and shows the user the information about each application. Whenever a new application is installed, the framework allows or denies its permission based on the user profile, updates the profile, and reports the result to the user.

B. App List File

The App List is a mapping from the UID of every currently installed application (both user-installed and system) to its permission to send authentic data. If an application's permission flag is 'y', the data it transmits is not scrambled; if 'n', the data is scrambled by the scrambling algorithm. To keep it safe from access by other applications, the file is saved in the internal storage directory of the Enhancer application, which only that application has permission to access. A more capable attacker, however, who gains access to the internal storage directory could read the App List file and modify the permissions, defeating the design. To withstand such an attacker, the App List file is to be protected by encrypting it with an efficient algorithm.

C. Internal Routine

A background service follows a pull model and runs every 5 seconds to check whether any application has been installed or uninstalled. If an application has been installed, an entry with its details and the initial value 'n' is appended to the App List file; if an application has been uninstalled, its entry is removed. (Android also broadcasts the ACTION_PACKAGE_ADDED and ACTION_PACKAGE_REMOVED intents on install and uninstall, which would let the service react to these events without polling.)

D. Scrambler

Scrambling is done in the transport layer of the Linux kernel, just before the checksum is calculated. The sequence diagram of the framework is shown in Figure 4. Since most applications use TCP or UDP for data transfer, scrambling is done only for TCP and UDP packets. The scrambling function first retrieves the PID (process ID) and UID (user ID) of the calling process/thread through the task_struct data structure, which holds all the information about a process/thread. It then checks the App List file for the permission of the sender thread's UID and, based on the corresponding flag, either scrambles the data or lets it pass. If the sender is identified as a system application (UID zero), the data is transferred without being scrambled; note that on Android most system applications run as UID 1000 (system) or under their own application UID rather than as UID 0, so in practice they are covered by their 'y' entries in the App List rather than by the UID-zero check. To avoid a breach when an application has no entry in the App List file, that process's data is scrambled by default. The functioning of the framework is shown in Figure 5. Since the scrambled bytes replace the original data rather than encrypting it, the receiving server, malicious or not, obtains nothing usable: the mechanism blocks disclosure, it does not make the data recoverable by an authorized party.

Fig. 3. Overview of Framework

Fig. 5. Overview of Scrambling
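The following is an added example, not code from the paper: a user-space C model of the Scrambler decision path described in Sections IV-B and IV-D, covering the App List lookup, the UID-zero and default-deny rules, and the in-place replacement of an outgoing payload. The App List line format ("<uid> <y|n>"), the constructed list contents and the xorshift stand-in for the kernel's random source are assumptions; in an actual kernel module the sender's UID would be read from current_uid() on the current task_struct and the replacement bytes would come from get_random_bytes().

```c
/* User-space model of the SP-Enhancer Scrambler decision path (added example, not the
 * paper's kernel code).  Assumed App List format: one "<uid> <y|n>" entry per line.
 * In a kernel module the sender's UID comes from current_uid() (and its name from
 * current->comm); the random bytes would come from get_random_bytes().  A fixed-seed
 * xorshift stands in here so that a run is reproducible. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { PASS = 0, SCRAMBLE = 1 };

struct app_entry { unsigned uid; int allow; };

/* Constructed App List: the system UID, the paper's sender app (UID 10045, default 'n')
 * and one application the user has toggled to 'y' in Enhancer. */
static const char APP_LIST[] =
    "1000 y\n"      /* system UID (AID_SYSTEM), written with 'y' by Enhancer */
    "10045 n\n"     /* com.example.datasender: default 'n' after install */
    "10046 y\n";    /* an app the user explicitly allowed */

/* Parse the list text into entries; malformed lines are skipped.  Returns the entry count. */
int parse_app_list(const char *text, struct app_entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        unsigned uid;
        char flag;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (sscanf(p, "%u %c", &uid, &flag) == 2 && (flag == 'y' || flag == 'n')) {
            out[n].uid = uid;
            out[n].allow = (flag == 'y');
            n++;
        }
        p += len + (nl ? 1 : 0);
    }
    return n;
}

/* Decision rule of Section IV-D: UID 0 passes, an explicit 'y' passes, an explicit 'n'
 * is scrambled, and a UID with no entry is scrambled by default (fail closed). */
enum verdict verdict_for_uid(unsigned uid, const struct app_entry *list, int n)
{
    if (uid == 0)
        return PASS;
    for (int i = 0; i < n; i++)
        if (list[i].uid == uid)
            return list[i].allow ? PASS : SCRAMBLE;
    return SCRAMBLE;
}

/* Overwrite the payload with pseudo-random bytes, keeping its length: the paper replaces
 * the data bits instead of encrypting them, so nothing is recoverable at the receiver. */
void scramble_payload(unsigned char *buf, size_t len, uint32_t seed)
{
    uint32_t x = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;   /* xorshift32 */
        buf[i] = (unsigned char)x;
    }
}

/* What the transport-layer hook does for one outgoing TCP/UDP segment, just before the
 * checksum: look up the sender's UID, then scramble in place or leave the bytes alone. */
enum verdict filter_segment(unsigned sender_uid, unsigned char *payload, size_t len,
                            const struct app_entry *list, int n)
{
    enum verdict v = verdict_for_uid(sender_uid, list, n);
    if (v == SCRAMBLE)
        scramble_payload(payload, len, sender_uid);
    return v;
}

/* Number of entries parsed from the constructed list. */
int app_list_entries(void)
{
    struct app_entry list[16];
    return parse_app_list(APP_LIST, list, 16);
}

/* Send one constructed contact record as the given UID; 1 if it passed unchanged, 0 if scrambled. */
int record_passes_intact(unsigned sender_uid)
{
    struct app_entry list[16];
    int n = parse_app_list(APP_LIST, list, 16);
    unsigned char payload[] = "Alice,(749) 220-3023";   /* constructed contact record */
    unsigned char copy[sizeof payload];
    memcpy(copy, payload, sizeof payload);
    enum verdict v = filter_segment(sender_uid, payload, sizeof payload - 1, list, n);
    return v == PASS && memcmp(copy, payload, sizeof payload) == 0;
}

int main(void)
{
    unsigned uids[] = { 0, 1000, 10045, 10046, 10099 };
    for (size_t i = 0; i < sizeof uids / sizeof uids[0]; i++)
        printf("uid %5u -> %s\n", uids[i], record_passes_intact(uids[i]) ? "pass" : "scrambled");
    return 0;
}
```

UID 10099 has no entry and is scrambled; this fail-closed rule is what makes the 5-second polling window of the Internal Routine harmless, since an application installed between two runs has no entry yet and cannot send authentic data until the routine adds one.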

V. CASE STUDY: SENDER APPLICATION

To recreate a scenario in which background data is sent over the network without the user's knowledge, an Android application was developed that sends an image from the SD card and the device's contact list to a remote server every 30 seconds. Repeated evaluation of the image file received by the server during the first 5 minutes after installation showed that every instance of the image was illegible. This confirms that newly installed applications by default have no permission to send authentic data over the network, so the data they send is scrambled. The application was then granted permission through the framework application, after which the authentic image file was received at the server. Figure 6 shows that the scrambled image data, viewed at the server, is illegible, and Tables I and II show how the contacts are scrambled. The study was conducted on an Android emulator running Linux kernel android-goldfish-2.6.29 with API level 19, 512 MB of RAM, a 100 MB SD card and 32 MB of virtual memory. Inside the Linux kernel, the application's unique UID was found to be 10045 and its package name (the process name by default) was com.example.datasender. To send data, a new thread named Thread-64 was created in the application's user space. In the kernel module, the thread's UID was retrieved and matched against the list of UIDs in the framework's App List; the corresponding permission flag was checked, and the data was sent either scrambled or unmodified. The data bits were randomly generated and substituted for the original data so that the reader of the scrambled data cannot descramble it. A comparison of the sizes of the two kernels' zImage files is shown in Table III.

Note, however, that the contact data in Table II does not look random: every changed letter or digit is the corresponding Table I character advanced by exactly two code points, and string lengths and punctuation are preserved. Output of that form is a fixed-offset substitution, trivially reversible by a reader who guesses the offset, and it does not support the claim that brute force cannot recover the data; only genuinely random replacement does.

Fig. 4. Inter-communication of the Framework (sequence diagram; participants: Application, Kernel, Task_Struct, Application List, TCP/UDP; messages: Send Data, Get Process UID, Process UID, Get Application Process Permission, App Permission, Send Data in Network)

Fig. 6. Data Sent from Smartphone by Malware is Scrambled When Received at Server

TABLE I. ORIGINAL CONTACT LIST SENT FROM THE DEVICE
Contact Name    Number
Alice           (749) 220-3023
John            (888) 743-9425
Shirish         (941) 325-8495
Test            (992) 456-6254

TABLE II. SCRAMBLED CONTACTS RECEIVED AT SERVER
Contact Name    Number
Cnkeg           (96;)-422/5245
Lqhp            (:8:)-965/9645
Ujktiuj         (;63)-545-:4;5
Veuv            (9;4)-658/8276

TABLE III. SIZE OF THE KERNEL IMAGE (zImage) WITH AND WITHOUT THE FRAMEWORK
Kernel Version     Original Kernel (bytes)   Framework's Kernel (bytes)   Difference (bytes)
goldfish-2.6.29    1,629,608                 1,631,612                    2,004
goldfish-3.4       2,399,208                 2,400,528                    1,320

VI. CONCLUSION AND FUTURE WORK

Android is a growing market with multiple security mechanisms in place, but none of them is effective enough to fully eradicate the problem of data theft by malicious or free applications. In this paper a novel framework for security and privacy enhancement from the user's perspective is proposed, which protects sensitive data in a computationally inexpensive manner. The proposed framework requires no data encryption, and the code added to the kernel is small (Table III).

In our method, user-sensitive data is sent in scrambled form for every application other than system applications. In this way the proposed framework serves both technology-aware and technology-unaware users; since the larger part of the Android user population is not technically sophisticated, the application provides them a secure service in an efficient manner. Our objective in this paper is to enhance the privacy of mobile users. In future we intend to extend the framework to enhance the privacy and security of cloud and other Linux-based systems.
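As an added check on the data in Tables I and II of Section V (this program is not part of the paper), the C code below compares each scrambled contact against its original character by character. The rows are copied from the two tables; nothing else is assumed. It tests whether the received data is consistent with a fixed +2 code-point shift rather than random replacement, counts how many plaintexts an attacker who knows the shift would have to try per field, and undoes the shift where every character was changed.

```c
/* Added check on the Section V data (not part of the paper): is the scrambled contact list
 * in Table II random replacement, or a fixed shift of Table I?  Rows copied from the tables. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROWS 8
static const char *const ORIGINAL[ROWS] = {
    "Alice",   "(749) 220-3023", "John", "(888) 743-9425",
    "Shirish", "(941) 325-8495", "Test", "(992) 456-6254" };
static const char *const SCRAMBLED[ROWS] = {
    "Cnkeg",   "(96;)-422/5245", "Lqhp", "(:8:)-965/9645",
    "Ujktiuj", "(;63)-545-:4;5", "Veuv", "(9;4)-658/8276" };

/* Compare one pair on the positions where the original holds a letter or digit.  Sets bit k
 * of *mask for every offset k = scrambled - original seen there.  Returns the number of
 * positions compared, or -1 if the strings differ in length or an offset is outside 0..31
 * (random byte replacement would fail this almost immediately). */
int shift_profile(const char *orig, const char *scr, unsigned *mask)
{
    size_t n = strlen(orig);
    if (n != strlen(scr))
        return -1;
    *mask = 0;
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isalnum((unsigned char)orig[i]))
            continue;
        int off = (unsigned char)scr[i] - (unsigned char)orig[i];
        if (off < 0 || off > 31)
            return -1;
        *mask |= 1u << off;
        count++;
    }
    return count;
}

/* 1 if every row of Table II is explained by "each letter/digit is unchanged or advanced by
 * exactly 2 code points" (the offset set is a subset of {0, 2}), else 0. */
int table_is_plus_two_shift(void)
{
    for (int r = 0; r < ROWS; r++) {
        unsigned mask;
        if (shift_profile(ORIGINAL[r], SCRAMBLED[r], &mask) < 0)
            return 0;
        if (mask & ~((1u << 0) | (1u << 2)))
            return 0;
    }
    return 1;
}

/* A position is ambiguous when the received character is a letter/digit or becomes one when
 * shifted back by 2; an attacker who knows the rule needs at most two readings per such
 * position, so a field has at most 2^ambiguous candidate plaintexts. */
unsigned long candidate_plaintexts(const char *scr)
{
    int amb = 0;
    for (; *scr; scr++) {
        unsigned char c = (unsigned char)*scr;
        if (isalnum(c) || (c >= 2 && isalnum(c - 2)))
            amb++;
    }
    return 1UL << amb;
}

/* Shift back every character that could have been shifted.  Recovers the plaintext exactly
 * for a row in which every letter/digit was changed (the "Alice" row); otherwise it yields
 * one of the candidates counted above. */
void unshift_all(const char *scr, char *out, size_t outsz)
{
    size_t i = 0;
    for (; scr[i] && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)scr[i];
        out[i] = (c >= 2 && isalnum(c - 2)) ? (char)(c - 2) : (char)c;
    }
    out[i] = '\0';
}

/* 1 if unshift_all(scr) equals expected, else 0. */
int unshift_recovers(const char *scr, const char *expected)
{
    char buf[64];
    unshift_all(scr, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("Table II is a +2 shift of Table I: %s\n", table_is_plus_two_shift() ? "yes" : "no");
    for (int r = 0; r < ROWS; r++)
        printf("%-16s -> at most %lu candidate plaintexts\n",
               SCRAMBLED[r], candidate_plaintexts(SCRAMBLED[r]));
    char buf[64];
    unshift_all("Cnkeg", buf, sizeof buf);
    printf("unshift(\"Cnkeg\") = %s\n", buf);
    return 0;
}
```

On the published rows every letter and digit is either unchanged or advanced by exactly 2, length and punctuation are preserved, and a five-letter name has at most 32 candidate plaintexts (a 14-character phone number at most 1024), so the Table II data would not resist even a manual guess. The claim in Sections I and V that brute force cannot descramble the output holds only for genuinely random replacement of the data bits.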

REFERENCES

[1] Maker, F., Chan, Y., A Survey on Android vs. Linux, University of California, 2009, pp. 1-10.
[2] 'Security: Introduction', http://source.android.com/devices/tech/security/index.html, accessed April 2015.
[3] 'Security Tips', http://developer.android.com/guide/topics/security/security.htm, accessed April 2015.
[4] 'App Manifest', http://developer.android.com/guide/topics/manifest/manifest-intro.html, accessed April 2015.
[5] Hogben, G., Dekkar, M., Smartphones: Information Security Risks, Opportunities and Recommendations for Users, ENISA, 2010, pp. 1-61.
[6] TaintDroid: An Information Flow Tracking System for Real-Time Privacy Monitoring on Smartphones, http://cacm.acm.org/magazines/2014/3/172514-taintdroid/fulltext, accessed April 2015.
[7] The Application Sandbox, https://source.android.com/devices/tech/security/overview/kernel-security.html, accessed April 2015.
[8] Android's App Permissions Were Just Simplified - Now They're Much Less Secure, http://www.howtogeek.com/190863/androids-app-permissions-were-just-simplified-now-theyre-much-less-secure, accessed April 2015.
[9] Play Store Permissions Change Opens Door to Rogue Apps, http://www.xda-developers.com/play-store-permissions-change-opens-door-to-rogue-apps, accessed April 2015.
[10] A Look at Google Bouncer, http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-bouncer, accessed April 2015.
[11] Wen, H., Yanli, Z., Analysis on Process Code Schedule of Android Dalvik Virtual Machine, Int. Journal of Hybrid Information Technology, Harbin University of Commerce, Harbin, China, 2014, 7(3), pp. 401-412.
[12] Pengxiang, Y., Research on the Structure and Performance of Dalvik Virtual Machine, JinLin University, 2011.
[13] Yimin, Z., Rong, C., Analysis about Process in Dalvik Virtual Machine, Computer Technology and Development, 20(2), 2010.
[14] Neil, M., Richard, S., Beginning Linux Programming, 2nd ed., China Machine Press, 2002.
[15] Yang, F., Android Internals: System, China Machine Press, Beijing, 2011, pp. 468-524.
[16] Yuan Dan, K., Android Kernel Analysis, Publishing House of Electronics Industry, 2011.
[17] Zygote, http://anatomyofandroid.com/2013/10/15/zygote, accessed April 2015.
[18] <attributes>, http://developer.android.com/guide/topics/manifest/application-element.html, accessed April 2015.
[19] Android Applications, http://coltf.blogspot.in/p/android-os-processes-and-zygote.html, accessed April 2015.
[20] Sandboxes, Processes, and Permissions, http://www.ibm.com/developerworks/library/x-androidsecurity, accessed April 2015.
[21] android/kernel/goldfish/android-goldfish-2.6.29/include/linux/sched.h, https://android.googlesource.com/kernel/goldfish/+/android-goldfish-2.6.29/include/linux/sched.h, accessed April 2015.
[22] Smartphone OS Market Share, Q3 2014, http://www.idc.com/prodserv/smartphone-os-market-share.jsp, accessed April 2015.
[23] Number of the Week: List of Malicious Android Apps Hits 10 Million, http://www.kaspersky.co.in/about/news/virus/2014/Number-of-the-week-list-of-malicious-Android-apps-hits-10-million, accessed April 2015.
[24] ART and Dalvik, http://source.android.com/devices/tech/dalvik, accessed April 2015.
[25] User IDs and File Access, http://developer.android.com/guide/topics/security/permissions.html, accessed April 2015.
[26] Google Buys Android for Its Mobile Arsenal, http://www.bloomberg.com/bw/stories/2005-08-16/google-buys-android-for-its-mobile-arsenal, accessed April 2015.
[27] Asim, S. Y., Abdul, H. Z., Muhammed, A. A., A Comprehensive Analysis of Android Security and Proposed Solutions, I.J. Computer Network and Information Security, 2014(12), pp. 9-20.
[28] Realtime Privacy Monitoring on Smartphones, http://appanalysis.org/, accessed April 2015.
[29] TaintDroid: Warns about Android Apps Leaking Sensitive Data, http://www.techrepublic.com/blog/it-security/taintdroid-warns-about-android-apps-leaking-sensitive-data/, accessed April 2015.
[30] Enck, W., et al., TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, 9th USENIX Conference on Operating Systems Design and Implementation (OSDI '10), USENIX Association, Berkeley, CA, USA, pp. 1-6.
[31] Schwartz, E. J., Avgerinos, T., Brumley, D., All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask), 2010 IEEE Symposium on Security and Privacy.
[32] Fawaz, K., Shin, K. G., Location Privacy Protection for Smartphone Users, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14), ACM, New York, NY, USA, pp. 239-250, DOI 10.1145/2660267.2660270, http://doi.acm.org/10.1145/2660267.2660270.
[33] Foreign Minister Julie Bishop's 'Mobile Phone Was HACKED on Foreign Soil' While She Was Dealing with MH17 Tragedy, http://www.dailymail.co.uk/news/article-2726227/Revealed-Foreign-Minister-Julie-Bishops-phone-HACKED-foreign-soil-dealing-MH17-tragedy.html, accessed April 2015.
[34] Google Won't Force Android Encryption by Default (Update), http://www.engadget.com/2015/03/02/android-lollipop-automatic-encryption/, accessed April 2015.
