AccessiLeaks: Investigating Privacy Leaks Exposed by the Android Accessibility Service

Open access

Abstract

To support users with disabilities, Android provides the accessibility services, which implement means of navigating through an app. According to the Android developer’s guide: “Accessibility services should only be used to assist users with disabilities in using Android devices and apps”. However, developers are free to use this service without any restrictions, giving them critical privileges such as monitoring user input or screen content to capture sensitive information. In this paper, we show that simply enabling the accessibility service leaves 72 % of the top finance and 80 % of the top social media apps vulnerable to eavesdropping attacks, leaking sensitive information such as logins and passwords. A combination of several tools and recommendations could mitigate the privacy risks: we introduce an analysis technique that detects most of these issues automatically, e.g. in an app store. We also found that these issues can be automatically fixed in almost all cases; our fixes have been accepted by 70 % of the surveyed developers. Finally, we designed a notification mechanism which would warn users against possible misuses of the accessibility services; 50 % of users would follow these notifications.
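As an added example (not code from the paper or its authors), the following Android Java snippet shows an app-side counterpart to the user notification mechanism the abstract describes: before a screen that collects credentials is shown, the app lists the accessibility services currently enabled, checks which of them declare the capability to read window content, and compares them against an allow-list of assistive technologies the developer trusts. The allow-list contents, the `Finding` type and the `warningFor` helper are assumptions made for this example; the `AccessibilityManager` and `AccessibilityServiceInfo` calls are standard Android framework APIs.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example: surfaces enabled accessibility services before a credential screen is shown. */
public final class AccessibilityExposureCheck {

    /** One enabled service that is not on the app's allow-list (assumed type). */
    public static final class Finding {
        public final String serviceId;      // "package/ServiceClass" as reported by the framework
        public final boolean canReadScreen; // service declared CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT

        Finding(String serviceId, boolean canReadScreen) {
            this.serviceId = serviceId;
            this.canReadScreen = canReadScreen;
        }
    }

    // Assumption: assistive technologies the developer has reviewed and trusts.
    // The package name of Google's TalkBack screen reader is used as an illustration.
    private static final Set<String> TRUSTED_PACKAGES =
            new HashSet<>(Arrays.asList("com.google.android.marvin.talkback"));

    /** Returns every enabled accessibility service whose package is not on the allow-list. */
    public static List<Finding> unrecognisedServices(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) {
            return findings; // no accessibility service is running: nothing can observe the screen
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId(); // e.g. "com.example.pkg/com.example.pkg.SomeService"
            if (id == null) continue;
            int slash = id.indexOf('/');
            String pkg = slash > 0 ? id.substring(0, slash) : id;
            if (TRUSTED_PACKAGES.contains(pkg)) continue;
            // Only services with this capability can retrieve the content of other apps' windows,
            // which is the privilege the abstract identifies as enabling eavesdropping.
            boolean canRead = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            findings.add(new Finding(id, canRead));
        }
        return findings;
    }

    /** Builds the text of a user-facing warning; returns null when there is nothing to report. */
    public static String warningFor(List<Finding> findings) {
        if (findings.isEmpty()) return null;
        StringBuilder sb = new StringBuilder(
                "An accessibility service that is not a known assistive technology is enabled. "
              + "If you did not enable it deliberately, review it in Settings before logging in:");
        for (Finding f : findings) {
            sb.append("\n  - ").append(f.serviceId);
            if (f.canReadScreen) sb.append(" (can read screen content)");
        }
        return sb.toString();
    }
}
```

A login screen would call `unrecognisedServices(this)` from its `onResume()` and show the returned message in a dialog. The check is deliberately a warning rather than a block: refusing to run while an accessibility service is active would lock out the users the service exists for, whereas a notification leaves the decision with the user, which is the design the abstract reports half of surveyed users would follow.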


