SUPOR: Precise and Scalable Sensitive User Input Detection for Mobile Apps
Jianjun Huang - Purdue University
Sep 02, 2015
Size: 88.3MB
Abstract
While smartphones and mobile apps have become an essential part of our lives, privacy remains a serious concern. Previous research on mobile privacy has largely focused on predefined, known sources managed by the smartphone (e.g., location, contacts). Sensitive user input entered through the UI (user interface), another source that may carry a great deal of sensitive information, has been mostly neglected.
This talk examines the possibility of scalably detecting sensitive user inputs in mobile apps. In particular, we design and implement SUPOR, a novel static analysis tool that automatically examines app UIs to identify sensitive user inputs carrying critical user data, such as user credentials, financial data, and medical data. SUPOR enables existing privacy analysis approaches to be applied to sensitive user inputs as well. To demonstrate its usefulness, we build a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis. We apply the system to 16,000 popular Android apps and conduct a measurement study of the privacy disclosures found. SUPOR achieves an average precision of 97.3% and an average recall of 97.3% for sensitive user input identification. SUPOR finds 355 apps with privacy disclosures, with a false positive rate of 8.7%. We discover interesting cases involving national IDs, username/password pairs, credit cards, and health information.
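As an added illustration of the kind of UI-driven sensitive-input detection the abstract describes (this is example code written for this page, not SUPOR's implementation; the keyword lists, the neighbouring-label heuristic and the sample layout are all constructed assumptions), the following scans an Android layout for EditText widgets whose hint, adjacent label or inputType indicates credential, financial, medical or identity data:

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed keyword lists for the data categories the abstract names.
SENSITIVE_KEYWORDS = {
    "credential": ["password", "passcode", "username", "user name", "pin"],
    "finance": ["credit card", "card number", "cvv", "account number", "iban"],
    "medical": ["diagnosis", "medication", "blood type", "health"],
    "identity": ["national id", "ssn", "social security", "passport"],
}
PASSWORD_INPUT_TYPES = ("textPassword", "numberPassword", "textWebPassword")

# Constructed sample layout: one field labelled by a preceding TextView,
# one password field, one field with a sensitive hint, one benign field.
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="%s">
  <TextView android:text="National ID" />
  <EditText android:id="@+id/nid" />
  <EditText android:id="@+id/pw" android:inputType="textPassword" />
  <EditText android:id="@+id/card" android:hint="Credit card number" />
  <EditText android:id="@+id/query" android:hint="Search" />
</LinearLayout>""" % ANDROID_NS


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")


def _categorize(text):
    """Return the sensitive category a label/hint string falls into, or None."""
    text = text.lower()
    for category, words in SENSITIVE_KEYWORDS.items():
        if any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words):
            return category
    return None


def find_sensitive_inputs(layout_xml):
    """Return (field id, category) for each EditText that takes sensitive input.

    Cues, in order: the field's own hint, the TextView immediately before it
    in the same container (the label a user sees), and a password inputType.
    """
    findings = []
    for parent in ET.fromstring(layout_xml).iter():
        children = list(parent)
        for i, child in enumerate(children):
            if child.tag != "EditText":
                continue
            category = _categorize(_attr(child, "hint"))
            if category is None and i > 0 and children[i - 1].tag == "TextView":
                category = _categorize(_attr(children[i - 1], "text"))
            if category is None and _attr(child, "inputType") in PASSWORD_INPUT_TYPES:
                category = "credential"
            if category is not None:
                findings.append((_attr(child, "id").split("/")[-1], category))
    return findings
```

Flagged fields are the candidate sources one would hand to a taint analysis, as the abstract's combined system does; a real tool needs label association that is layout-position aware and keyword sets learned from a corpus, not a hand list.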
About the Speaker
Jianjun Huang is a PhD student in the Department of Computer Science at Purdue University, supervised by Prof. Xiangyu Zhang. He is interested in leveraging program analysis techniques to detect malicious behaviors and flaws in mobile apps. In particular, his research combines static program analysis with text and GUI analysis.
More details may be found at https://www.cs.purdue.edu/homes/huang427/.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.