Volume 2018 (2018): Issue 4 (October 2018)
Journal Details
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Copyright: © 2020 Sciendo

Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications

Published Online: 29 Aug 2018
Page range: 33 - 50
Received: 28 Feb 2018
Accepted: 16 Jun 2018

The high-fidelity sensors and ubiquitous internet connectivity offered by mobile devices have facilitated an explosion in mobile apps that rely on multimedia features. However, these sensors can also be used in ways that may violate users' expectations and personal privacy. For example, apps have been caught taking pictures without the user's knowledge and passively listening for inaudible, ultrasonic audio beacons. The developers of mobile device operating systems recognize that sensor data is sensitive, but unfortunately existing permission models only mitigate some of the privacy concerns surrounding multimedia data.
