50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System

Joel REARDON - Associate Professor
Digital Security

Date: -
Location: Eurecom

Abstract: Mobile platforms use permission systems to protect sensitive information such as location from being accessed arbitrarily. Apps thus need to request a permission before they can access the data protected by that permission. Despite that, side channels and covert channels may exist---flaws in the reference monitor---which can allow access to data without the corresponding permission. In this work we use test data from running hundreds of thousands of Android apps to find cases where data was sent off the device in network traffic by apps that did not have the requisite permissions to access that data. We then reverse engineer the app to determine exactly how they do this. Through these methods we uncover a number of side and covert channels that were actively being exploited by Android apps, including popular ones such as the CNN app. This work received a distinguished paper award at USENIX Security as well as the 2021 CNIL-Inria Privacy Prize and the 2022 Emilio Aced Research and Personal Data Protection Award Short bio: Joel Reardon is an associate professor at the University of Calgary who researches mobile security and privacy issues and data collection done through those devices. He has also co-founded the privacy analytics company AppCensus. He received his Bachelors and Master's at the University of Waterloo and his Doctor of Sciences at the ETH Zurich. His research has been covered by the CBC, the BBC, the Washington Post, and the Wall Street Journal, among other places. His research has received the Emilio Aced Research and Personal Data Protection Award, the CNIL - Inria Data Protection Award, and the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies. He likes bicycling and snowboarding and is currently trying to improve his French. He is on sabbatical leave at EURECOM for six months.