Automatic detection, correction, and visualization of security vulnerabilities in mobile apps
Mobile devices have revolutionized many aspects of our lives. We use them as portable computers and, often without realizing it, we run various types of security-sensitive programs on them, such as personal and enterprise email and instant-messaging applications, as well as social, banking, insurance and retail programs. These applications access and transmit over the network numerous pieces of private information. Guaranteeing that such information is not exposed to unauthorized observers is very challenging given the level of complexity that these applications have reached. Furthermore, using program-analysis tools with out-of-the-box configurations in order to detect confidentiality violations may not yield the desired results because only a few pieces of private data, such as the device's ID and geographical location, are obtained from standard sources. The majority of confidentiality sources (such as credit-card and bank-account numbers) are application-specific and require careful configuration. This paper presents ASTRAEA, a privacy-enforcement system for Android and iOS that dynamically detects and repairs leakage of private data originating from standard as well as application-specific sources. ASTRAEA features several novel contributions: (i) it allows for visually configuring, directly atop the application's User Interface (UI), the fields that constitute custom sources of private data; (ii) it relies on application-level instrumentation, without interfering with the underlying operating system; (iii) it performs an enhanced form of value-similarity analysis to detect and repair data leakage even when sensitive data has been encoded or hashed; and (iv) it displays the results of the privacy analysis on top of a visual representation of the application's UI.
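To make contribution (iii) concrete, the following added example (not ASTRAEA's implementation, which the abstract does not detail) compares outbound parameter values against encoded and hashed forms of configured private values and redacts the matches. The set of encodings, the 0.9 similarity threshold, the form-encoded request body and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import urllib.parse
from difflib import SequenceMatcher

# Constructed sample sources: one standard (device ID), one application-specific (card number).
SOURCES = {"device_id": "358240051111110", "card_number": "4111111111111111"}

def derived_forms(value):
    """Representations under which a private value may leave the app (assumed set)."""
    raw = value.encode()
    forms = {"plain": value, "base64": base64.b64encode(raw).decode(), "hex": raw.hex()}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms

def find_leaks(body, sources=SOURCES, threshold=0.9):
    """Return (parameter, source, form) for each outbound value similar to a private value."""
    leaks = []
    for param, sent in urllib.parse.parse_qsl(body, keep_blank_values=True):
        for name, secret in sources.items():
            for form, candidate in derived_forms(secret).items():
                # Hex and digest strings are case-insensitive; plain and base64 are not.
                probe = sent if form in ("plain", "base64") else sent.lower()
                if SequenceMatcher(None, probe, candidate).ratio() >= threshold:
                    leaks.append((param, name, form))
                    break  # one finding per (parameter, source) pair
    return leaks

def repair(body, sources=SOURCES):
    """Rewrite the body with every leaking parameter value replaced by a placeholder."""
    leaking = {param for param, _, _ in find_leaks(body, sources)}
    pairs = urllib.parse.parse_qsl(body, keep_blank_values=True)
    return urllib.parse.urlencode([(k, "REDACTED" if k in leaking else v) for k, v in pairs])

def sample_body():
    """Constructed outbound form body: hashed, encoded and truncated copies plus a benign field."""
    dev, card = SOURCES["device_id"], SOURCES["card_number"]
    return urllib.parse.urlencode({
        "uid": hashlib.sha256(dev.encode()).hexdigest().upper(),
        "cc": base64.b64encode(card.encode()).decode(),
        "pan": card[:-1],
        "lang": "en",
    })

if __name__ == "__main__":
    for finding in find_leaks(sample_body()):
        print(finding)
    print(repair(sample_body()))
```

The similarity ratio, rather than string equality, is what catches the truncated card number in `pan`; hashed values can only be matched exactly because a digest of a near-identical input shares nothing with the original digest.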