Takeaway: Unfortunately, there is no simple way to determine what personal data is leaking from your smartphone. Michael Kassner interviews members of a research team that want to change that.
The Android operating systems gives us a choice on whether an app can access our sensitive information or not. We say sure, the app gets installed. Or, we say no way, and the app is not installed. Not the best solution, but at least we know what permissions are being used.I’m afraid that is not enough. We still have no idea what the app does with our sensitive information.
Meet TaintDroid
I first learned of TaintDroid while researching last week’s article about App Scanner: A research project determined to shed light on the vagaries of the Android permission system and installing third party applications.One important part of the App Scanner project was learning what happens when you give an app certain permissions. You may remember the following slide from last week’s article.
Even after an additional week of research, I still haven’t found any reason why a flashlight app needs to know the phone’s GPS location. Here’s where TaintDroid comes into play. TaintDroid allows App Scanner to track what apps do with data — GPS location data, for example.
To get an idea how TaintDroid works, I watched this video demonstration. The demo shows how TaintDroid reacts when it determines sensitive data is leaking from an application installed on the host phone. The icon in the upper left corner is the first indication something is going on.
The next slide shows what information is leaving the phone.
Fascinating.
The TaintDroid website also linked the research team’s paper — another daunting title: “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones.” I learned my lesson last week and didn’t even try to figure out what I was reading this time. I contacted one of the lead authors, Dr. William Enck, Assistant Professor at NC State University, asking if he would explain how TaintDroid works.
Kassner: Professor Enck, how did you decide what apps to test? What did you find?
Enck: We started out with a snapshot of the top 50 free applications from each of the categories in the Android Market. This gave us 1,100 applications — way too many to test manually. So we pruned the list down to applications that wanted access to the Internet plus the ability to use one of the following — GPS, camera, or microphone. That gave us 358 apps, still more than we could handle, so we randomly selected 30.
We then ran those 30 apps and recorded both the TaintDroid logs as well as the network traces (in order to confirm what TaintDroid found). After running this experiment we had over 1,000 TCP network connects, and 105 contained sensitive information.
Looking at those 105 connections, we observed 37 were legitimate. However, the remaining 68 network connections weren’t as clear. Upon close inspection, we found 15 of the 30 applications shared location information with advertisement servers, and seven applications shared phone identifiers with a remote Internet server. This all happened without the knowledge of the user, from which I mean, no End User License Agreements (EULA), and no visual indicators suggesting the information was being used in this way.
Kassner: I don’t quite understand, I thought we give the app permission?
Enck: Before an app can access most types of privacy sensitive information, it must have a permission to do so. In Android, these permissions are conveyed to the user when the app is installed. At this point, the user has the ability to install the application after allowing all of the permissions it requests, or not install the application.
Note that this just describes what information the app can access, and not what it can do with the information once it has accessed it. This last piece is what TaintDroid determines.
Some applications include EULAs that are presented to the user the first time the application starts. EULAs are fairly common for PC software. If written correctly, EULAs can convey to the user how sensitive information will be used, and at that point, the user can choose not to use the app.
In our study, some apps included a EULA, but few, if any, indicated how sensitive information was to be used. Regardless, a EULA is just a textual statement and there is no code that actually enforces a EULA. It is simply a way to convey intention to the user.
That said, in general not all applications are going to steal your information. Some applications have checkboxes in settings menus to configure whether or not certain types of information (e.g., location) is used or not. However, you must trust the application developer to respect those settings.
Kassner: Professor Enck, why the name TaintDroid?
Enck: TaintDroid uses a scientific technique called “dynamic taint analysis,” which is also known as “taint tracking.” The idea is that you mark, or “taint,” information you care about at a point where you know its type for certain (e.g., at the API method used to access the value or data).
The idea of “taint tracking” was first used in server software to track potentially bad inputs received from the network. These values were tainted until they were cleansed in some way. Later work flipped taint tracking around and used it to track how inputs leave a system. This is how TaintDroid uses taint tracking.
Kassner: The paper’s explanation on how TaintDroid works refers to the following slide.
Would you briefly explain what we are looking at?
Enck: Whenever you talk about taint tracking, the first think you do is identify “taint sources” and “taint sinks.” The taint source is where you initially mark information as being a certain type (e.g., location, IMEI, address book, etc). The taint sink is where you care if it goes. In our case, the taint sink is in the Java library that writes information to the network.
The rest of the figure shows how the taint markings propagate through the system as it executes. On the left, we see a taint marking moving from one variable to another, indicated as (3). If an application sends that variable to another application through Android’s Binder communication system, TaintDroid propagates the marking, indicated as (5). Propagation continues on the right side, and when the variable is sent to the network, we identify it at the taint sink, indicated as (9).
Kassner: Professor Enck, I’m curious. Do you have an Android phone? If so, what precautions do you take to prevent unwanted use of your personal data?
Enck: I follow the same best practices that I suggest to all Android users. Just like when browsing the Web, if an app looks sketchy, I suggest not downloading it. Also, look for permissions that give access to location and phone identity. Ask yourself, why? If you’re not sure, don’t install the app, carefully read the comments from other users, and if desired, email the developer for an explanation (and be circumspect of the answer).
Of course, I also have the ability to test an app on a separate phone running TaintDroid. There are a few projects that run TaintDroid in an emulator on your PC, therefore having a spare phone isn’t a requirement. So, if you’re up to the challenge, you can test apps too.
Different viewpoint
If you have been following our Android exploits, you know William Francis is my mentor on all things Android and an app developer — a good one. Being a developer affords William a completely different point of view. So I asked him to comment on the paper’s conclusion:“Our study revealed that two-thirds of the applications in our study exhibit suspicious handling of sensitive data, and that 15 of the 30 applications reported users’ locations to remote advertising servers. Our findings demonstrate the effectiveness and value of enhancing smartphone platforms with monitoring tools such as TaintDroid.”
Francis: The conclusion — in my opinion — is to be expected. The research team is saying half of the applications in the study sent location or user data to a remote ad network.
But, the researchers aren’t sure what was being done with the data. I can tell you from experience that most of it went to advertisers. When you choose to use an app supported by advertising, you are willing to trade some info in exchange for a “free” program or service. A better test might be to run the tests on apps not supported by ads.
I believe the authors of TaintDroid are trying to do something important for the mobile community at large. They are attempting to address security and privacy concerns at the lowest level — in other words not as an add-on or something that happens after the fact but as an integrated part of the platform.
My understanding from reading the paper is they have a ways to go before the software can be considered ready for the world at large. Users of small footprint devices like mobile phones expect a whole lot of performance from their devices, and techniques like those used by TaintDroid can add considerable overhead. That said, the TaintDroid team seems to have overcome a lot of the technical obstacles already and are making impressive strides.
Finally, I believe TaintDroid or something similar is the next phase in the evolving smartphone ecosystem.
Final thoughts
My hope with these two articles is to remove the perception that saying yes or no to a permission set is good enough. What apps actually do with personal and sensitive information should be transparent and readily available to smartphone owners.Thank you Dr. Enck and the research team behind TaintDroid. It is a good start.