Android smartphone data spies exposed like bank robbers
The researchers will present their app for the first time at the Cebit computer fair in Hannover from March 14 to 18 (Hall 6, Stand D 28).
Android is the most widely used operating system for smartphones in the world, despite the fact that Android users are virtually blackmailed when installing new applications. Either they accept that the program will gain access to certain information, such as their personal contacts or Internet access details, or else they cannot use the app. The latest version of Android meanwhile allows users to reject some of these access requests during installation, but even so this gives a somewhat false sense of security.
"Even if an app tells me which data it would like to use, I still have no idea what it intends to do with the data," says Oliver Schranz, who completed his PhD at the Saarbrücken Graduate School of Computer Science at Saarland University. His assessment is confirmed, for instance, by a recent study conducted by the US security firm Appthority. According to that study, more than 88 percent of Android apps developed for industry use are secretly spying on user data in some way or another. At the Center for IT Security, Privacy and Accountability (CISPA), Schranz, together with Philipp von Styp-Rekowsky and Sebastian Weisgerber, developed an app that helps individual users and companies track what is going on inside suspicious apps.
The CISPA app is based on the "Taint Tracking" method, which can be compared to the colorful dye explosion triggered in a bundle of banknotes, a technique often used to track bank robbers. Hence the researchers named their app "TaintArtist". Whenever an app accesses sensitive or privacy-relevant information, the data in question is highlighted with a kind of marker. Even if the data is altered in the process, say when new calculations are performed, the marker will remain attached even to the new results. "This lets us track the flow of information from the monitored app in more precise ways," Schranz says. Whenever the data is passed on to functions, which might then send the data out from the smartphone or display other suspicious behavior as defined in a preset corpus of rules, the pertinent markers are checked. And if the CISPA app does discover data abuse, it will set off an alarm. All that users have to do is to install the tracking app and then choose which other apps they want monitored, and what exactly should be allowed or prohibited in each of them.
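As an added illustration of the taint-tracking method described above (this is not the CISPA code and is not Android-specific): a small Python model in which sensitive values carry markers, every computation on them passes the markers on to its result, and the functions that could move data off the device check the markers against a preset rule set before proceeding. The source names (`read_contacts`, `read_device_id`), the sink names, the sample values and the policy are all constructed for the example.

```python
"""Toy model of taint tracking: markers travel with data and are checked at sinks.

Constructed example. Sources, sinks, sample values and policy are hypothetical.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A value together with the set of markers ("taints") attached to it."""
    value: object
    taints: frozenset = frozenset()

    def map(self, fn):
        # A computation on tainted data yields a result that keeps the marker,
        # so hashing or re-encoding the data does not launder it.
        return Tainted(fn(self.value), self.taints)

    @staticmethod
    def combine(fn, *args):
        # Combining several values yields the union of all their markers.
        taints = frozenset().union(*(a.taints for a in args))
        return Tainted(fn(*(a.value for a in args)), taints)


class PolicyViolation(Exception):
    """Raised when tainted data reaches a sink the policy forbids for it."""


# Sources: points where privacy-relevant data enters the app (constructed).
def read_contacts():
    return Tainted(["Alice <+49 ...>", "Bob <+49 ...>"], frozenset({"CONTACTS"}))


def read_device_id():
    return Tainted("IMEI-000000000000000", frozenset({"DEVICE_ID"}))  # constructed value


# Preset rules: for each sink, the markers that must never reach it.
POLICY = {
    "network_send": {"CONTACTS", "DEVICE_ID"},  # nothing personal leaves the device
    "display": set(),                            # showing data on screen is allowed
}


def check_sink(sink, data, policy=POLICY):
    """Compare the markers on `data` with the rules for `sink`; raise on a match."""
    leaked = data.taints & policy[sink]
    if leaked:
        raise PolicyViolation(f"{sink}: blocked flow of {sorted(leaked)}")
    return True


# Sinks: points where data could leave the device or be displayed (constructed).
def network_send(data):
    check_sink("network_send", data)
    return f"sent {len(str(data.value))} bytes"


def display(data):
    check_sink("display", data)
    return str(data.value)


def run_suspicious_app():
    """Simulate an app that hashes the contact list and ships it with the device id."""
    contacts = read_contacts()
    # The hash is new data, but it inherits the CONTACTS marker through map().
    digest = contacts.map(lambda c: hashlib.sha256(";".join(c).encode()).hexdigest())
    payload = Tainted.combine(lambda d, i: f"{i}:{d}", digest, read_device_id())
    display(digest)  # permitted by the policy
    try:
        network_send(payload)  # carries both markers: the policy stops it here
        return "leaked"
    except PolicyViolation as e:
        return str(e)


if __name__ == "__main__":
    print(run_suspicious_app())
```

The point the model makes is the one the text attributes to the method: the app's own logic (the hashing, the string formatting) is never inspected or changed; only the sources that attach markers and the sinks that check them are instrumented, and derived data stays marked no matter how it was transformed.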
Until now, this kind of information flow analysis has required modifications to the system that are hardly feasible for laymen. To make the same service available to all users in just a few simple steps, the Saarbrücken researchers made use of a novelty in the two most recent Android versions: there, Android no longer executes the intermediate representation of the program code directly, but first translates it into executable machine language on the device. This allows Schranz and his team to insert the code needed for the markers while the translation is taking place. The code of the examined app does not have to be changed, but it runs at a slightly slower pace, according to the researchers. "Given the fact that smartphones today can handle virtually all processes within milliseconds, the increases in runtime will be hardly noticeable to users," says Schranz. This is why he is convinced that the app is also useful for businesses. "If employees use their own devices at work, with our app the company can make sure that certain data never leaves these devices," says Schranz. Whether the app will be embedded into a commercial product or be available free of charge in future is still open.
Background: IT Security at Saarland University
IT security is one of the focus topics of the computer science institutes on the Saarland University campus. Recent examples underlining their success include the "Consolidator Grant" of the European Research Council (ERC) obtained by researchers Derek Dreyer, Max Planck Institute for Software Systems, and Bernd Finkbeiner, professor of computer science, and the Collaborative Research Center on "Methods and Tools for Understanding and Controlling Privacy", which the German Research Foundation DFG is currently supporting with a budget of 8.4 million Euros over the course of four years. The German Federal Ministry of Education and Research already provided 17 million Euros for the founding of three IT security competence centers in 2011. One of these is the Center for IT Security, Privacy and Accountability, CISPA, at Saarland University. Meanwhile CISPA has developed into an established research center with international appeal. The center accommodates 33 working groups with a total of 210 researchers. Their greatest success so far: CISPA, together with the Max Planck Institute for Informatics and the Max Planck Institute for Software Systems, was awarded the "ERC Synergy Grant", worth around ten million Euros, allowing the researchers to explore how Internet users can be protected against fraud and surveillance, and how malicious online activities can be exposed, without having to restrict commerce, freedom of expression, or accessibility of information on the Internet.
Press photos can be found here: http://www.uni-saarland.de/pressefotos
Caption: CISPA researcher Oliver Schranz tracks problematic information flows in smartphone apps.
Center for IT Security, Privacy and Accountability (CISPA)
Phone: +49 681 302-57368
E-Mail: [email protected]
Competence Center Computer Science Saarland
Phone: +49 681 302-70741
E-Mail: [email protected]