Revisiting Stealthy Sensitive Information Collection from Android Apps

In recent years, most countries and territories have put in place strict regulations for user privacy protection. Checking and monitoring the privacy policy compliance of mobile applications thus has become essential for users, app developers and device manufacturers. Nonetheless, this is a challenging task, as modern mobile operating systems like Android contain multiple channels through which third-party apps can obtain sensitive information. Besides the official APIs that are regulated by its permission system, the apps can exploit other channels such as native calls, Java reflection, Binder services, Webview and even vulnerabilities. Existing techniques based on static and dynamic analysis often fail to cover all possible channels. Network traffic analysis is also ineffective when the sensitive data are set over after encryption.In this session, we will address this challenging task using a low-level detection method. Our work is inspired by the fact that almost all sensitive information is encoded into a String before it is passed to application level. We thus hook the String constructor at the native level, where our approach is able to monitor and check all strings constructed on the mobile device. This strategy seems straightforward yet comprehensive, as any string that is constructed from sensitive information can be monitored regardless of the methods malicious apps obtained them. We implement this approach into a tool and use it to analyze pre-installed apps in some Android devices. Our tool finds that many of them collect user information in many scenarios, such as clipboard and wifi information. Some apps even use previously unknown channels to obtain sensitive user information. Our investigation finds that these channels are caused by OEM manufacturers' improper control over the permissions of their customized APIs. We have submitted these issues to relevant manufacturers, who have acknowledged our findings.