You shouldn't collect my secrets: thwarting sensitive keystroke leakage in mobile IME apps
作者: Binyu Zang , Haibo Chen , Zhiqiang Lin , Haibing Guan , Erick Bauman
DOI:
关键词:
摘要: IME (input method editor) apps are the primary means of interaction on mobile touch screen devices and thus usually granted with access to a wealth private user input. In order understand (in)security apps, this paper first performs systematic study uncovers that many may (intentionally or unintentionally) leak users' sensitive data outside world (mainly due incentives improving user's experience). To thwart threat information leakage while retaining benefits an improved experience, then proposes I-BOX, app-transparent oblivious sandbox minimizes input by confining untrusted predefined security policies. Several key challenges have be addressed proprietary closed-source nature most fact app can arbitrarily store transform before sending it out. By designing system-level transactional execution, I-BOX works seamlessly transparently apps. Specifically, checkpoints app's state keystroke input, monitors analyzes rolls back checkpoint if detects potential danger leaked. A proof concept prototype has been built for Android tested set popular Experimental results show is able incurring very small runtime overhead little impact experience.
sjtu.edu.cn
acm.org 参考文章(45)
Eric A. Brewer, David Wagner, Ian Goldberg, Randi Thomas, A secure environment for untrusted helper applications confining the Wily Hacker usenix security symposium. pp. 1- 1 ,(1996)
Yajin Zhou, Xinwen Zhang, Xuxian Jiang, Vincent W. Freeh, Taming information-stealing smartphone applications (on Android) trust and trustworthy computing. pp. 93- 107 ,(2011) , 10.1007/978-3-642-21599-5_7
Eric Vander Weele, Kevin Borders, Atul Prakash, Billy Lau, Protecting confidential data on personal computers with storage capsules usenix security symposium. pp. 367- 382 ,(2009)
Clint Gibler, Jonathan Crussell, Jeremy Erickson, Hao Chen, AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale trust and trustworthy computing. pp. 291- 307 ,(2012) , 10.1007/978-3-642-30921-2_17
Ross Anderson, Hassen Saïdi, Rubin Xu, Aurasium: practical policy enforcement for Android applications usenix security symposium. pp. 27- 27 ,(2012)
Oren Laadan, Jason Nieh, Transparent checkpoint-restart of multiple processes on commodity operating systems usenix annual technical conference. pp. 25- ,(2007)
Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna, PiOS : Detecting privacy leaks in iOS applications network and distributed system security symposium. ,(2011)
Vitaly Shmatikov, Mike Dahlin, Edmund L. Wong, Deepak Goel, Sangmin Lee, πBox: a platform for privacy-preserving apps networked systems design and implementation. pp. 501- 514 ,(2013)
William Enck, Patrick McDaniel, Jaeyeon Jung, Byung-Gon Chun, Peter Gilbert, Anmol N. Sheth, Landon P. Cox, TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones operating systems design and implementation. pp. 393- 407 ,(2010) , 10.5555/1924943.1924971
Wu Zhou, Yajin Zhou, Xuxian Jiang, Peng Ning, Detecting repackaged smartphone applications in third-party android marketplaces Proceedings of the second ACM conference on Data and Application Security and Privacy - CODASKY '12. pp. 317- 326 ,(2012) , 10.1145/2133601.2133640