Abstract
In a world of interconnected devices, app-based ecosystems enable a seamless user experience across devices. Although convenient for users, this expanded ecosystem also exacerbates security and privacy threats by exposing users’ sensitive data to a broader context. This research looks into multi-platform apps and addresses the question of whether information flows can be detected across different app platforms and how to do it efficiently.
To answer this question, we first instantiate the problem in the wearable ecosystem by analysing platform-specific abstractions and modes of interaction. We identify limitations of current approaches to detect sensitive data transmitted across Mobile-Wear channels and develop a custom static analysis framework that augments the capabilities of taint tracking, enabling inter-device analysis of applications. Our framework enables the detection of information flows that otherwise would remain undetected. Second, we study information flows in the Android TV ecosystem and identify the differences with the mobile ecosystem. In particular, we analyse the behaviour of TV apps in terms of sensitive data collection and communication with other devices using a pipeline of static and dynamic analysis experiments
Analysing these two platforms provided us with valuable lessons for thinking about arbitrary ecosystems. One common task for any platform is generating taint specifications for information flow analysis. Therefore, we propose a framework that models the semantics of API methods using Natural Language Processing techniques and software documentation instead of a code base approach. Our framework allows security analysts to detect security-sensitive methods automatically and is robust against software evolution. Thus, our framework is an excellent option for generating taint specifications for arbitrary app platforms.
This investigation contributes to the community by studying two overlooked ecosystems and provides the means to analyse arbitrary app ecosystems. Our methodology is based on a dual-channel perspective: Program Analysis and Natural Language Processing. We use these complementary techniques to better understand security and privacy risks across Android platforms, taking one step further towards safer app ecosystems.
To answer this question, we first instantiate the problem in the wearable ecosystem by analysing platform-specific abstractions and modes of interaction. We identify limitations of current approaches to detect sensitive data transmitted across Mobile-Wear channels and develop a custom static analysis framework that augments the capabilities of taint tracking, enabling inter-device analysis of applications. Our framework enables the detection of information flows that otherwise would remain undetected. Second, we study information flows in the Android TV ecosystem and identify the differences with the mobile ecosystem. In particular, we analyse the behaviour of TV apps in terms of sensitive data collection and communication with other devices using a pipeline of static and dynamic analysis experiments
Analysing these two platforms provided us with valuable lessons for thinking about arbitrary ecosystems. One common task for any platform is generating taint specifications for information flow analysis. Therefore, we propose a framework that models the semantics of API methods using Natural Language Processing techniques and software documentation instead of a code base approach. Our framework allows security analysts to detect security-sensitive methods automatically and is robust against software evolution. Thus, our framework is an excellent option for generating taint specifications for arbitrary app platforms.
This investigation contributes to the community by studying two overlooked ecosystems and provides the means to analyse arbitrary app ecosystems. Our methodology is based on a dual-channel perspective: Program Analysis and Natural Language Processing. We use these complementary techniques to better understand security and privacy risks across Android platforms, taking one step further towards safer app ecosystems.
| Original language | English |
|---|---|
| Qualification | Ph.D. |
| Awarding Institution |
|
| Supervisors/Advisors |
|
| Thesis sponsors | |
| Publication status | Unpublished - 2023 |
Keywords
- information flow
- interconnected devices
- Android
- sensitive data
- software documentation
- taint specifications