by Radoniaina Andriatsimandefitra, Valérie Viet Triem Tong, and Ludovic Mé
"In the world of mobile, there is no anonymity," says Michael Becker of the Mobile Marketing Association, an industry trade group. In recent work, Enck and colleagues have used information flow monitoring on a mobile device to show that, on average, over two thirds of the most popular applications of an Android market were responsible for data leakage [1]. We believe data leakages are mainly due to the intrinsic limitations of Android's security mechanisms. Here we describe "Blare", a tool that detects Android data leakages.
Android is an operating system for mobile devices. Because of its quick and wide-scale adoption, it has become the target of malicious applications, which continue to increase in number. This increase is alarming given that more and more people are relying on such devices both for personal and professional use. A protection system is essential but, unfortunately, existing mechanisms fail to efficiently protect sensitive data located on a smartphone. We argue that leakages are mainly due to intrinsic limitations of Android's security mechanisms, which rely heavily on access control and, as such, offer no control over access to a piece of data once it has left its original location.
In CIDRe, a joint project team with SUPELEC and INRIA, we have designed and developed "Blare", a Linux Intrusion Detection System (IDS). Blare uses tainting to monitor information flows as they occur and to detect those that are illegal with respect to a predefined security policy [2]. Blare relies on the LSM framework, a patch for the Linux kernel that inserts "hooks" at every point in the kernel where a user-level system call generates an information flow. Well-known security modules such as SELinux, AppArmor, Smack and TOMOYO also rely on LSM. Blare maintains two security tags for each object of the operating system (files, processes, etc.). The first tag lists the sensitive data that were used to produce the current content of the object. The second tag details which mixtures of data are allowed to flow into the object (i.e., it describes the security policy that applies to the object). The legality of an information flow is thus easily established by comparing the tags' values. When the values do not match, Blare raises an alert.
Having an efficient Linux implementation of our tool, we then studied its applicability in the Android context. We have proposed an entire information flow policy dedicated to the protection of data usually located on a smartphone (e.g., contact list, geolocation) [3], and implemented an Android version of Blare. Our measurements of application overhead have offered encouraging results, and we are able to detect violations of the integrity or confidentiality of data.
To test our ability to detect attacks against integrity, we used BaseBridge, an Android malware whose purpose is to install other malicious applications on the phone, thus violating the integrity of the system. To detect these malicious installations, we tagged each piece of data coming from the analysed sample and monitored its propagation within the system. As expected, alerts were raised by Blare. Using the alerts, we then built a graph describing the propagation of tainted data within the system, taking into account the timestamp of each alert. The graph showed that the application meant to be installed came from a file owned by the BaseBridge sample, and that its content was accessed and stored by different containers in a way that indicates its installation and execution.
To test our ability to detect attacks against confidentiality, we exploited two well-known vulnerabilities. The first is related to the Android browser and allows data leakage out of the device. The second is related to the Android Skype app, which leaks user-related data. We exploited these two vulnerabilities to leak Skype data through the browser to a remote entity. We tagged the sensitive data containers prior to the attack. Once our attack was launched, Blare raised meaningful alerts. The alerts clearly showed that the default browser had read files with sensitive content and had also leaked this sensitive data to the remote entity. Using the alerts, we built a graph describing how the tagged sensitive data were leaked. The graph indicated that the browser first accessed the tagged sensitive data stored in the Skype directory and then wrote this data to a socket to send it to the remote entity.
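The following Python sketch is an added illustration of two points made above: the two-tag model (an information tag recording which sensitive data produced a container's content, and a policy tag listing the mixtures allowed to flow into it), and the reconstruction of a time-ordered propagation graph from the alerts, as in the BaseBridge and Skype experiments. It is not Blare's code (Blare is a kernel-level LSM module); the container names, data identifiers, policy and flow sequence are constructed for the example and loosely mirror the Skype-through-browser scenario.

```python
from collections import defaultdict


class Container:
    """An OS object (file, process, socket) carrying Blare-style tags."""

    def __init__(self, name, info=(), policy=None):
        self.name = name
        # Information tag: sensitive data identifiers that produced this content.
        self.info_tag = set(info)
        # Policy tag: allowed mixtures of sensitive data.
        # None means unrestricted; an empty list means no sensitive data at all.
        self.policy_tag = None if policy is None else [frozenset(m) for m in policy]

    def allows(self, info):
        """The content is legal if it is covered by at least one allowed mixture."""
        if self.policy_tag is None or not info:
            return True
        return any(info <= mixture for mixture in self.policy_tag)


class Monitor:
    """Toy flow monitor: propagates tags on each flow and records alerts."""

    def __init__(self):
        self.containers = {}
        self.alerts = []
        self.clock = 0  # logical timestamp attached to every alert

    def add(self, container):
        self.containers[container.name] = container
        return container

    def flow(self, src, dst):
        """Record a flow src -> dst; return True if it respects dst's policy."""
        s, d = self.containers[src], self.containers[dst]
        self.clock += 1
        # The data has already moved, so the tag follows it even when illegal.
        d.info_tag |= s.info_tag
        if d.allows(d.info_tag):
            return True
        self.alerts.append({"t": self.clock, "src": src, "dst": dst,
                            "data": frozenset(d.info_tag)})
        return False


def propagation_graph(alerts):
    """Adjacency list src -> [(dst, t, data)], ordered by alert timestamp."""
    graph = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["t"]):
        graph[a["src"]].append((a["dst"], a["t"], a["data"]))
    return dict(graph)


def leak_paths(graph, source, sink, data_id):
    """Causal paths (strictly increasing timestamps) carrying data_id from source to sink."""
    paths = []

    def walk(node, t_prev, path):
        if node == sink:
            paths.append(path)
            return
        for dst, t, data in graph.get(node, []):
            if t > t_prev and data_id in data and dst not in path:
                walk(dst, t, path + [dst])

    walk(source, 0, [source])
    return paths


def demo():
    """Constructed scenario: legal app-internal flows, then a leak via the browser."""
    m = Monitor()
    m.add(Container("skype_db", info={"skype_profile"}, policy=[{"skype_profile"}]))
    m.add(Container("skype_app", policy=[{"skype_profile"}]))
    m.add(Container("contacts_db", info={"contacts"}, policy=[{"contacts"}]))
    m.add(Container("contacts_app", policy=[{"contacts"}]))
    m.add(Container("browser", policy=[]))        # may hold no sensitive data
    m.add(Container("socket_remote", policy=[]))  # nor may the outgoing socket
    legal = [
        m.flow("skype_db", "skype_app"),        # t=1, allowed by policy
        m.flow("contacts_db", "contacts_app"),  # t=2, allowed by policy
        m.flow("skype_db", "browser"),          # t=3, alert
        m.flow("browser", "socket_remote"),     # t=4, alert
    ]
    graph = propagation_graph(m.alerts)
    return legal, m.alerts, leak_paths(graph, "skype_db", "socket_remote", "skype_profile")


if __name__ == "__main__":
    legal, alerts, paths = demo()
    for a in alerts:
        print(f"t={a['t']}: {a['src']} -> {a['dst']} carrying {sorted(a['data'])}")
    print("leak path:", " -> ".join(paths[0]))
```

The timestamp check in `leak_paths` is what turns a bag of alerts into an account of the attack: an edge can only explain a later edge if it was observed earlier, so a browser-to-socket alert preceding the browser's read of the Skype directory would not be reported as the leak path.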
To conclude, Blare has proved efficient in detecting attacks, and especially data leakage, in the Android context.
[1] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones", in Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2010.
[2] V. Viet Triem Tong, A. Clark, and L. Mé, "Specifying and Enforcing a Fine-Grained Information Flow Policy: Model and Experiments", in Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications, 2010.
[3] R. Andriatsimandefitra, S. Geller, and V. Viet Triem Tong, "Designing Information Flow Policies for Android's Operating System", in Proceedings of the IEEE International Conference on Communications (ICC), 2012.
EPC SUPELEC/Inria CIDRE, Rennes, France
Tel: +33 299844500