The design of Android is based on a set of unprotected shared resources, including those inherited from Linux (e.g., Linux public directories). However, the dramatic development in Android applications (apps for short) makes available a large amount of public background information (e.g., social networks, public online services), which can potentially turn such originally harmless resource sharing into serious privacy breaches. In this paper, we report our work on this important yet understudied problem. We discovered three unexpected channels of information leaks on Android: per-app data-usage statistics, ARP information, and speaker status (on or off). By monitoring these channels, an app without any permission may acquire sensitive information such as a smartphone user's identity, the disease condition she is interested in, her geo-locations and her driving route, from top-of-the-line Android apps. Furthermore, we show that using existing and new techniques, this zero-permission app can both determine when its target (a particular application) is running and send out collected data stealthily to a remote adversary. These findings call into question the soundness of the design assumptions on shared resources, and demand effective solutions. To this end, we present a mitigation mechanism for achieving a delicate balance between utility and privacy of such resources.