Published in: World Wide Web 1/2018

20-03-2017

Discovering and understanding android sensor usage behaviors with data flow analysis

Authors: Xing Liu, Jiqiang Liu, Wei Wang, Yongzhong He, Xiangliang Zhang


Abstract

Today’s Android-powered smartphones have various embedded sensors that measure acceleration, orientation, light and other environmental conditions. Many functions in third-party applications (apps) need to use these sensors. However, embedded sensors may lead to security issues, as third-party apps can read data from these sensors without claiming any permissions. It has been proven that embedded sensors can be exploited by well-designed malicious apps, resulting in leaks of users’ private information. In this work, we are motivated to provide an overview of sensor usage patterns in current apps by investigating what, why and how embedded sensors are used in apps collected from both a Chinese app market called “AppChina” and the official market called “Google Play”. To fulfill this goal, we develop a tool called “SDFDroid” to identify the types of sensors used and to generate the sensor data propagation graphs of each app. We then cluster the apps based on their sensor data propagation graphs to find their sensor usage patterns. We apply our method to 22,010 apps collected from AppChina and 7,601 apps from Google Play. Extensive experiments are conducted, and the experimental results show that most apps implement their sensor-related functions by using third-party libraries. We further study the sensor usage behaviors in the third-party libraries. Our results show that the accelerometer is the most frequently used sensor. Though many third-party libraries use no more than four types of sensors, there are still some third-party libraries that recklessly register all types of sensors. These results call for more attention to better regulating sensor usage in Android apps.


Metadata

Title: Discovering and understanding android sensor usage behaviors with data flow analysis
Authors: Xing Liu, Jiqiang Liu, Wei Wang, Yongzhong He, Xiangliang Zhang
Publication date: 20-03-2017
Publisher: Springer US
Published in: World Wide Web, Issue 1/2018
Print ISSN: 1386-145X
Electronic ISSN: 1573-1413
DOI: https://doi.org/10.1007/s11280-017-0446-0
