
TaintDroid: Warns about Android apps leaking sensitive data

Unfortunately, there is no simple way to determine what personal data is leaking from your smartphone. Michael Kassner interviews members of a research team that want to change that.

The Android operating system gives us a choice on whether an app can access our sensitive information or not. We say sure, and the app gets installed. Or, we say no way, and the app is not installed. Not the best solution, but at least we know what permissions are being used.

I'm afraid that is not enough. We still have no idea what the app does with our sensitive information.

Meet TaintDroid

I first learned of TaintDroid while researching last week's article about App Scanner: A research project determined to shed light on the vagaries of the Android permission system and installing third party applications.

One important part of the App Scanner project was learning what happens when you give an app certain permissions. You may remember the following slide from last week's article.

Even after an additional week of research, I still haven't found any reason why a flashlight app needs to know the phone's GPS location. Here's where TaintDroid comes into play. TaintDroid allows App Scanner to track what apps do with data -- GPS location data, for example.

To get an idea how TaintDroid works, I watched this video demonstration. The demo shows how TaintDroid reacts when it determines sensitive data is leaking from an application installed on the host phone. The icon in the upper left corner is the first indication something is going on.

The next slide shows what information is leaving the phone.

Fascinating.

The TaintDroid website also linked the research team's paper -- another daunting title: "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones." I learned my lesson last week and didn't even try to figure out what I was reading this time. I contacted one of the lead authors, Dr. William Enck, Assistant Professor at NC State University, asking if he would explain how TaintDroid works.

Kassner: Professor Enck, how did you decide what apps to test? What did you find?

Enck: We started out with a snapshot of the top 50 free applications from each of the categories in the Android Market. This gave us 1,100 applications -- way too many to test manually. So we pruned the list down to applications that wanted access to the Internet plus the ability to use one of the following -- GPS, camera, or microphone. That gave us 358 apps, still more than we could handle, so we randomly selected 30.

We then ran those 30 apps and recorded both the TaintDroid logs as well as the network traces (in order to confirm what TaintDroid found). After running this experiment we had over 1,000 TCP network connects, and 105 contained sensitive information.

Looking at those 105 connections, we observed 37 were legitimate. However, the remaining 68 network connections weren't as clear. Upon close inspection, we found 15 of the 30 applications shared location information with advertisement servers, and seven applications shared phone identifiers with a remote Internet server. This all happened without the knowledge of the user, by which I mean, no End User License Agreements (EULA), and no visual indicators suggesting the information was being used in this way.

Kassner: I don't quite understand, I thought we give the app permission?

Enck: Before an app can access most types of privacy sensitive information, it must have a permission to do so. In Android, these permissions are conveyed to the user when the app is installed. At this point, the user has the ability to install the application after allowing all of the permissions it requests, or not install the application.

Note that this just describes what information the app can access, and not what it can do with the information once it has accessed it. This last piece is what TaintDroid determines.

Some applications include EULAs that are presented to the user the first time the application starts. EULAs are fairly common for PC software. If written correctly, EULAs can convey to the user how sensitive information will be used, and at that point, the user can choose not to use the app.

In our study, some apps included a EULA, but few, if any, indicated how sensitive information was to be used. Regardless, a EULA is just a textual statement and there is no code that actually enforces a EULA. It is simply a way to convey intention to the user.

That said, in general not all applications are going to steal your information. Some applications have checkboxes in settings menus to configure whether or not certain types of information (e.g., location) is used or not. However, you must trust the application developer to respect those settings.

Kassner: Professor Enck, why the name TaintDroid?

Enck: TaintDroid uses a scientific technique called "dynamic taint analysis," which is also known as "taint tracking." The idea is that you mark, or "taint," information you care about at a point where you know its type for certain (e.g., at the API method used to access the value or data).

The idea of "taint tracking" was first used in server software to track potentially bad inputs received from the network. These values were tainted until they were cleansed in some way. Later work flipped taint tracking around and used it to track how inputs leave a system. This is how TaintDroid uses taint tracking.

Kassner: The paper's explanation on how TaintDroid works refers to the following slide.

Would you briefly explain what we are looking at?

Enck: Whenever you talk about taint tracking, the first thing you do is identify "taint sources" and "taint sinks." The taint source is where you initially mark information as being a certain type (e.g., location, IMEI, address book, etc). The taint sink is where you care if it goes. In our case, the taint sink is in the Java library that writes information to the network.

The rest of the figure shows how the taint markings propagate through the system as it executes. On the left, we see a taint marking moving from one variable to another, indicated as (3). If an application sends that variable to another application through Android's Binder communication system, TaintDroid propagates the marking, indicated as (5). Propagation continues on the right side, and when the variable is sent to the network, we identify it at the taint sink, indicated as (9).

Kassner: Professor Enck, I'm curious. Do you have an Android phone? If so, what precautions do you take to prevent unwanted use of your personal data?

Enck: I follow the same best practices that I suggest to all Android users. Just like when browsing the Web, if an app looks sketchy, I suggest not downloading it. Also, look for permissions that give access to location and phone identity. Ask yourself, why? If you're not sure, don't install the app, carefully read the comments from other users, and if desired, email the developer for an explanation (and be circumspect of the answer).

Of course, I also have the ability to test an app on a separate phone running TaintDroid. There are a few projects that run TaintDroid in an emulator on your PC, therefore having a spare phone isn't a requirement. So, if you're up to the challenge, you can test apps too.
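
The source, propagation and sink steps described in the interview above can be modeled in a few lines. The following Python sketch is an added example, not TaintDroid's code or anything from the paper: the Taint labels, the TStr wrapper, ipc_send, network_send, the host name and the sample values are all hypothetical stand-ins.

```python
from enum import IntFlag

class Taint(IntFlag):          # one bit per sensitive data type (hypothetical labels)
    NONE = 0
    LOCATION = 1
    IMEI = 2
    CONTACTS = 4

class TStr:
    """A string value that carries a taint marking alongside it."""
    def __init__(self, value, taint=Taint.NONE):
        self.value, self.taint = str(value), Taint(taint)
    def __add__(self, other):
        # Propagation: the result carries the union of both operands' markings.
        other = other if isinstance(other, TStr) else TStr(other)
        return TStr(self.value + other.value, self.taint | other.taint)
    def __radd__(self, other):
        return TStr(other) + self

# Taint sources: mark data where its type is known for certain (the API call).
def get_location():
    return TStr("0.0000,0.0000", Taint.LOCATION)     # constructed sample value
def get_device_id():
    return TStr("000000000000000", Taint.IMEI)       # constructed sample value

def ipc_send(payload):
    """Stand-in for app-to-app messaging: the marking travels with the message."""
    wire = (payload.value, int(payload.taint))   # serialized data plus marking
    return TStr(wire[0], Taint(wire[1]))         # receiver restores the marking

ALERTS = []
def network_send(host, data):
    """Taint sink: record any marked data that is about to leave for the network."""
    data = data if isinstance(data, TStr) else TStr(data)
    if data.taint:
        ALERTS.append((host, data.taint))
    return len(data.value)

def run_demo():
    ALERTS.clear()
    query = "q=flashlight&loc=" + get_location()       # marking moves to 'query'
    forwarded = ipc_send(query + "&id=" + get_device_id())
    network_send("ads.example.test", forwarded)        # marked data: flagged
    network_send("ads.example.test", "q=flashlight")   # unmarked data: not flagged
    return list(ALERTS)

if __name__ == "__main__":
    for host, taint in run_demo():
        print(f"sensitive data sent to {host}: {taint!r}")
```

Only the first send is reported, because the marking survived string concatenation and the simulated inter-app hop before reaching the sink.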

Different viewpoint

If you have been following our Android exploits, you know William Francis is my mentor on all things Android and an app developer -- a good one. Being a developer affords William a completely different point of view. So I asked him to comment on the paper's conclusion:

"Our study revealed that two-thirds of the applications in our study exhibit suspicious handling of sensitive data, and that 15 of the 30 applications reported users' locations to remote advertising servers. Our findings demonstrate the effectiveness and value of enhancing smartphone platforms with monitoring tools such as TaintDroid."

Francis: The conclusion -- in my opinion -- is to be expected. The research team is saying half of the applications in the study sent location or user data to a remote ad network.

But, the researchers aren't sure what was being done with the data. I can tell you from experience that most of it went to advertisers. When you choose to use an app supported by advertising, you are willing to trade some info in exchange for a "free" program or service. A better test might be to run the tests on apps not supported by ads.

I believe the authors of TaintDroid are trying to do something important for the mobile community at large. They are attempting to address security and privacy concerns at the lowest level -- in other words not as an add-on or something that happens after the fact but as an integrated part of the platform.

My understanding from reading the paper is they have a ways to go before the software can be considered ready for the world at large. Users of small footprint devices like mobile phones expect a whole lot of performance from their devices, and techniques like those used by TaintDroid can add considerable overhead. That said, the TaintDroid team seems to have overcome a lot of the technical obstacles already and are making impressive strides.

Finally, I believe TaintDroid or something similar is the next phase in the evolving smartphone ecosystem.

Final thoughts

My hope with these two articles is to remove the perception that saying yes or no to a permission set is good enough. What apps actually do with personal and sensitive information should be transparent and readily available to smartphone owners.

Thank you Dr. Enck and the research team behind TaintDroid. It is a good start.


13 comments
ndrquack

I would be very curious what TaintDroid could find while performing similar tests on some of the eReaders applications as these run on top of an Android OS.

AZ_IT

are ambiguous at best. It is difficult to explain to a non-technical person why they need to be cautious about what apps they install. When I have explained how I vet the permissions on an app most of the time I can tell that the person I'm trying to teach has no idea what I'm talking about. The flashlight app is the easiest example to use because it only needs one permission: Hardware controls - control flashlight. So if a flashlight app requires/requests other permissions you probably shouldn't install it. But when you move to a more complex program like a browser for example it starts to get difficult to decipher which permissions are truly necessary and which are not. Dolphin Browser requests the following: Your Location - coarse & fine, Your Personal Information - read browser's history and bookmarks, read sensitive log data, write browser's history and bookmarks, Storage - modify/delete SD card contents, System Tools - prevent phone from sleeping, automatically start at boot, install shortcuts, set wallpaper, Network Communication - view network state, view wi-fi state, Hardware control - control vibrator. It makes perfect sense that a browser needs to access bookmarks and history both to import them and to add new ones. Preventing the phone from sleeping, setting the wallpaper, and installing shortcuts also make sense. The storage component allows you to download files, pictures, etc. The sensitive log info I can only assume is used for debugging. Not quite sure why a browser needs my location info, to control the vibrator on my phone, or why it needs to be able to monitor the networks (since finding the correct route out seems more a function of the OS than individual apps). You could argue that a browser app is a relatively simple app as well. So determining why an app needs different permissions can be difficult especially for a non-technical user.
The above are my assumptions based on my knowledge of how a browser works but even vetting the app's permissions doesn't really allow you any insight into what it uses those permissions for. A program like DroidTaint fills that important gap. DroidTaint seems to be a really useful tool because it can identify what apps are doing with the permissions that they have (at least in regards to sending data). I would be extremely interested in an article explaining how to use the emulated version of DroidTaint. I'm not willing to add additional overhead to my phone but if my computer can help me vet Android apps that would be fantastic.

IMADJamil

Actually this subject is very interesting ... If TaintDroid succeeded to track leaking data without adding an undesirable overhead it will be an important shift in mobile security ...

Michael Kassner

New Post TaintDroid: one of the few tools that actually knows how an app is using our sensitive data.

Michael Kassner

If you will stay tuned, I'm researching another project that may not require rooting the phone. Can't say a bunch about it yet, but should have it together for next Monday.

Michael Kassner

It certainly is interesting. I hope we can encourage the team to continue with their efforts.

1ronman

Great article. Keep up the good work but my question is, there is a list of apps that at the present anyway, shouldn't be trusted. Makes me wonder if I have any of those apps installed. Can you share your list of questionable apps so we can see if we have any installed and decide whether to keep them or not?

Lolovivi

Thanks for sharing this article and information. I'm not the most tech-savvy person around and I'm new to the smartphone world. I have noticed while installing some apps that the permissions (as I understand them) seem quite a bit MUCH. I am VERY interested in knowing where my information is going and what's being done with it. I suspect that I'm one of the few that doesn't mind ads but I don't think that they need to know EXACTLY where I am. Apps that want to access what my camera is seeing "at any time" leave me extremely leery, too, mainly because I'm not sure if that "at any time" includes when I'm not using the camera (I know, probably one too many bad SyFy movies).

AZ_IT

While I don't lack for curiosity or interest I do lack the time necessary to research these things. Thanks for the work you do to delve into these subjects.

Michael Kassner

I don't think most people are concerned about the actual ads. It's the information that becomes available to the ad networks that does. The app developer has little control over the ad network and what they do with your personal information that you agree to turn over.

Michael Kassner

I avoid ad-based apps. But, I am learning that even ad-free apps may be capturing our personal information. That's why tools like TaintDroid are so important.

ed

It will be interesting to see how many of us back up our data and then send our phones back to absolute zero so we can read the permissions more carefully when we reinstall the apps.

Michael Kassner

Knowing that, I then appreciate you taking the time to comment and share your experiences with us.
