1、SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps,Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, Guofei Jiang,Sensitive Data Disclosures,Local Storage,USENIX Security 2015,1,Disclosed to public,Hijacked/maliciously retrieved,8/14/15,Sensitive
2、 Data,Existing work focused on sensitive data defined by certain API methods. Most of them are permission protected E.g., in Android, TelephonyManager.getDeviceId(),USENIX Security 2015,2,TaintDroidOSDI10, AndroidLeaksTRUST12, FlowDroidPLDI14,PiOSNDSS11,8/14/15,Sensitive User Inputs,USENIX Security
3、2015,3,We are among the first to detect user inputs as sensitive sources in mobile apps. None of them are permission protected E.g., user id/password, credit card number,Insensitive,Sensitive,8/14/15,Example User Inputs Disclosures,EditText txtCN = findViewById(R.id.cardnum); String cnum = txtCN.get
4、Text().toString(); ,EditText txtCM = findViewById(Rment); String comment = txtCM.getText().toString(); ,Web Server,HTTP,HTTP,USENIX Security 2015,4,8/14/15,Research Problems,How to systematically discover the input fields from an apps UI?How to identify which input fields are sensitive?How to associ
5、ate the sensitive input fields to the corresponding variables in the apps that store their values?,USENIX Security 2015,5,8/14/15,Intuition,From the users perspective, if we can mimic how a user looks at the UIs, we can determine which input fields can contain sensitive data within the UI context.,U
6、SENIX Security 2015,6,8/14/15,Feasibility,Render the statically defined UI layouts,USENIX Security 2015,7,Associate labels to input fields based on physical locations,8/14/15,USENIX Security 2015,8,SUPOR: Sensitive User inPut detectOR,8/14/15,Background - UI,USENIX Security 2015,9,Text Label,Input F
7、ield,Input Hint,Widget,8/14/15,Background Layout File,A piece in an Android layout example.,USENIX Security 2015,10,Identifier,Interesting Attribute,8/14/15,Overview of SUPOR,USENIX Security 2015,11,Layout Analysis,Layout Parsing,UI Rendering,UI Sensitiveness Analysis,Privacy Analysis,Disclosure,Key
8、words,Variable Binding,SUPOR,Vulnerability,App,8/14/15,Parsing Layout,USENIX Security 2015,12,We need to know which layout files contain input fields.,Is Sensitive User Input Detection Needed?,Layout file,layout contains input fields,layout doesnt contain input fields,8/14/15,Rendering UI,USENIX Sec
9、urity 2015,13,Layout file A,Layout file B,Statically render layout files to UIs as users look at on smartphones via tools like ADT in Android.,8/14/15,Extracting Information,USENIX Security 2015,14,Collect information,Text Label Text: Card Number Coordinates: 16, 231, 109, 249 Input Field Hint: 15 o
10、r 16 digit Coordinates: 16, 249, 464, 297,8/14/15,UI Sensitiveness Analysis,USENIX Security 2015,15,Sensitive Attributes in Layout Files,The Input Field is Sensitive,Yes,Sensitive Input Hint,Yes,Sensitive Text Label,The Input Field is Insensitive,No,No,15 or 16 digit MM - YYYY,No,Yes,Card number Exp
11、iration date,Challenge: How to precisely associate the correlated text label to a given input field?,Enter Password,Comment,8/14/15,Associating Labels (1),Intuition: labels at different positions relative to the input field have different probabilities to be correlated.,USENIX Security 2015,16,Input
12、 Field,Label,Input Field,Label,Input Field,Label,Input Field,Label,8/14/15,Associating Labels (2),Assign position-based weights based on empirical observations The smaller the weight, the closer the correlation,USENIX Security 2015,17,Input Field,0.8,2,4,8,8,9,9,10,8/14/15,Associating Labels (3),Geo
13、metry-based correlation score computation,USENIX Security 2015,18,Label,Input Field (I),(x1, y1),(x2, y2),For each pixel (x,y) in a text label distance(I, x, y) * posWeight(I, x, y),Average the correlation score for the text label,8/14/15,Associating Labels (4),Find out the label with the smallest c
14、orrelation score among all potential labels for a given input field,USENIX Security 2015,19,Correlation scores,8/14/15,Determining Sensitiveness (1),USENIX Security 2015,20,Sensitive Keywords Dataset,Card number,Expiration date,Comment,Matches?,Sensitive,Insensitive,Keyword matching approach,8/14/15
15、,Yes,No,Determining Sensitiveness (2),Why is keyword matching approach effective?,USENIX Security 2015,21,We only analyze the most relevant text label,Small screen and short phrases or sentences,8/14/15,Binding Variables (1),USENIX Security 2015,22,Widget txtCN = findViewById(X); Data cnum = txtCN.g
16、etText(); / use of “cnum”,Identifier: X,8/14/15,Binding Variables (2),Challenge: different widgets within one apps have the same identifier,USENIX Security 2015,23,txtInput1 = this.findViewById(input1);,txtInput2 = this.findViewById(input1);,8/14/15,Binding Variables (3),USENIX Security 2015,24,txtI
17、nput1 = this.findViewById(input1);, layout: billing_information.xml, layout: search.xml,txtInput2 = this.findViewById(input1);,id/input1,Sensitive,Insensitive,this.setContentView(billing_information);,this.setContentView(search);,Sensitive,Insensitive,8/14/15,Implementation & Evaluation,Implemented
18、for Android apps and built on DalysisCHEX CCS12, IBM WALA and ADT.Only input fields of type EditText are analyzed, i.e. other user inputs like checkbox are ignored.Implemented a sensitive user inputs disclosure detection system by combining SUPOR and static taint analysis16,000 apps were evaluated,U
19、SENIX Security 2015,25,8/14/15,Evaluating UI Sensitiveness Analysis (1),9,653 apps (60.33%) contains input fields Performance: Average analysis time is 5.7 seconds for one app,USENIX Security 2015,26,8/14/15,Evaluating UI Sensitiveness Analysis (2),9,653 apps (60.33%) contains input fields Accuracy
20、Manually examined 40 apps . 115 layouts are rendered and 485 input fields are analyzed. TP: sensitive user inputs are identified as sensitive FP: insensitive user inputs are identified as sensitive FN: sensitive user inputs are identified as insensitive,USENIX Security 2015,27,8/14/15,Causes for FN
21、and FP,USENIX Security 2015,28,Insufficient context to identify sensitive keywords. False negative: “Answer” vs “Security Answer” False Positive: “Height” of an image file and for a human being,Inaccurate text label association False positive: e.g. the long sentence (with keyword “email”) is associa
22、ted with the “Delivery Instructions” field,Input Field,Input Field,Text Label,8/14/15,Evaluating Disclosure Analysis,For all 16,000 apps,USENIX Security 2015,29,Manually examined 104 apps False positive rate is 8.7% Limitations of underlying taint analysis framework E.g. lack of accurate modeling of
23、 arrays,Throughput: 11.1 apps/minute A cluster of 8 servers 3 apps are analyzed on each server in parallel,8/14/15,Case Studies (1),USENIX Security 2015,30,com.canofsleep.wwdiary3 input fields associated with labels “Weight”, “Height” and “Age” are identified sensitive.,com.nitrogen.androidThe 3 mar
24、ked inputs fields are identified sensitive and their data are disclosed.,8/14/15,Case Studies (2),USENIX Security 2015,31,txtWeight = this.findViewById(R.id.edt_weight);,valWeight = txtWeight.getText().toString();,Log.i(“weight”, valWeight);,Source,Sink,Disclosure analysis based on SUPOR,Disclosure
25、analysis based on existing approach which directly define certain APIs as sensitive sources.,Detected,Undetected,8/14/15,Conclusion,We study the possibility of detecting sensitive user inputs, an important yet mostly neglected sensitive source in mobile apps.,USENIX Security 2015,32,We propose SUPOR
26、, among the first known approaches to detect sensitive user inputs with high recall and precision. Mimics from the users perspective by statically and scalably rendering the layout files. Leverages a geometry-based approach to precisely associated text labels to input fields. Utilizes textual analys
27、is to determine the sensitiveness of the texts in labels.,We perform a sensitive user inputs disclosure analysis, with FP rate of 8.7%, to demonstrate the usefulness of SUPOR.,8/14/15,USENIX Security 2015,33,Thank You!Q & A,8/14/15,Related work,A lot of work focus on privacy disclosure problems on p
28、redefined sensitive data sources in the phone.FlowDroid PLDI14, PiOS NDSS11, AAPL NDSS15,USENIX Security 2015,34,FlowDroid employs a limited form of sensitive input fieldspassword fields.PLDI14,AsDroid checks checks UI text to detect the contradiction between the expected behaviors and program behav
29、iors.ICSE14,UIPicker uses supervised learning to collect sensitive keywords and corresponding layouts. It also uses the sibling elements in layout files as the description text for a widget.USENIX Security15,8/14/15,Keyword dataset construction,Crawl texts from apps resource filesAdapt NLP technique
30、s to extract nouns and noun phrases from the top 5,000 frequent text lines.Manually inspect top frequent nouns and noun phrases to identify sensitive keywords.,8/14/15,USENIX Security 2015,35,Why not use XML structure to compute correlation scores?,Many developers defines relative positions of the w
31、idgets, which are not what users perceive XML structure in this case does not guarantee that sibling widgets are physically close.,USENIX Security 2015,36,8/14/15,Why not use XML structure to compute correlation scores?,Some cases in real Android apps.,USENIX Security 2015,37,Input 1,Label 1,Input 2,Label 2,8/14/15,