SoK: Privacy on Mobile Devices – It’s Complicated

Open access

Abstract

Modern mobile devices place a wide variety of sensors and services within the personal space of their users. As a result, these devices are capable of transparently monitoring many sensitive aspects of these users’ lives (e.g., location, health, or correspondence). Users typically trade access to this data for convenient applications and features, in many cases without a full appreciation of the nature and extent of the information that they are exposing to a variety of third parties. Nevertheless, studies show that users remain concerned about their privacy and vendors have similarly been increasing their utilization of privacy-preserving technologies in these devices. Still, despite significant efforts, these technologies continue to fail in fundamental ways, leaving users’ private data exposed.

In this work, we survey the numerous components of mobile devices, giving particular attention to those that collect, process, or protect users’ private data. Whereas the individual components have been generally well studied and understood, examining the entire mobile device ecosystem provides significant insights into its overwhelming complexity. The numerous components of this complex ecosystem are frequently built and controlled by different parties with varying interests and incentives. Moreover, most of these parties are unknown to the typical user. The technologies that are employed to protect the users’ privacy typically only do so within a small slice of this ecosystem, abstracting away the greater complexity of the system. Our analysis suggests that this abstracted complexity is the major cause of many privacy-related vulnerabilities, and that a fundamentally new, holistic approach to privacy is needed going forward. We thus highlight various existing technology gaps and propose several promising research directions for addressing and reducing this complexity.
