UiRef: Analysis of sensitive user inputs in Android applications

Benjamin Andow, Akhil Acharya, Dengfeng Li, William Enck, Kapil Singh, Tao Xie

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Mobile applications frequently request sensitive data. While prior work has focused on analyzing sensitive-data uses originating from well-defined API calls in the system, the security and privacy implications of inputs requested via application user interfaces have been widely unexplored. In this paper, our goal is to understand the broad implications of such requests in terms of the type of sensitive data being requested by applications. To this end, we propose UiRef (User Input REsolution Framework), an automated approach for resolving the semantics of user inputs requested by mobile applications. UiRef's design includes a number of novel techniques for extracting and resolving user interface labels and addressing ambiguity in semantics, resulting in significant improvements over prior work. We apply UiRef to 50,162 Android applications from Google Play and use outlier analysis to triage applications with questionable input requests. We identify concerning developer practices, including insecure exposure of account passwords and non-consensual input disclosures to third parties. These findings demonstrate the importance of user-input semantics when protecting end users.

Original language: English (US)
Title of host publication: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017
Publisher: Association for Computing Machinery, Inc
Pages: 23-34
Number of pages: 12
ISBN (Electronic): 9781450350846
State: Published - Jul 18 2017
Event: 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017 - Boston, United States
Duration: Jul 18 2017 → Jul 20 2017

Publication series

Name: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017

Other

Other: 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017
Country: United States
City: Boston
Period: 7/18/17 → 7/20/17

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
