• DocumentCode
    737121
  • Title

    Labyrinth: Visually Configurable Data-Leakage Detection in Mobile Applications

  • Author

    Pistoia, Marco ; Tripp, Omer ; Centonze, Paolina ; Ligman, Joseph W.

  • Volume
    1
  • fYear
    2015
  • fDate
    15-18 June 2015
  • Firstpage
    279
  • Lastpage
    286
  • Abstract
    Mobile devices have revolutionized many aspects of our lives. We use smartphones and tablets as portable computers and, often without realizing it, we run various types of security-sensitive programs on them, such as personal and enterprise email and instant-messaging applications, as well as social, banking, insurance and retail programs. These applications access and transmit over the network numerous pieces of private information, including our geographical location, device ID, contacts, calendar events, passwords, and health records, as well as credit-card, social-security, and bank-account numbers. Guaranteeing that no private information is exposed to unauthorized observers is very challenging given the level of complexity that these applications have reached. Furthermore, using program-analysis tools with out-of-the-box configurations in order to detect confidentiality violations may not yield the desired results because only a few pieces of private data, such as the device´s ID and geographical location, are obtained from standard sources. The majority of confidentiality sources (such as credit-card and bank-account numbers) are application-specific and require careful configuration. This paper presents Labyrinth, a run-time privacy enforcement system that automatically detects leakage of private data originating from standard as well as application-specific sources. Labyrinth features several novel contributions: (i) it allows for visually configuring, directly atop the application´s User Interface (UI), the fields that constitute custom sources of private data, (ii) it does not require operating-system instrumentation, but relies only an application-level instrumentation and on a proxy that intercepts the communication between the mobile device and the back-end servers, and (iii) it performs an enhanced form of value-similarity analysis to detect data leakage even when sensitive data (such as a password) has been encoded or hashed. Labyrinth supports bo- h Android and iOS. We have evaluated Labyrinth experimentally, and in this paper we report results on production-level applications.
  • Keywords
    Androids; Humanoid robots; Instruments; Security; Servers; Standards; Visualization; Android; Dynamic Analysis; Mobile; Privacy; Security; Usable Security; iOS;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Mobile Data Management (MDM), 2015 16th IEEE International Conference on
  • Conference_Location
    Pittsburgh, PA, USA
  • Print_ISBN
    978-1-4799-9971-2
  • Type

    conf

  • DOI
    10.1109/MDM.2015.69
  • Filename
    7264333