ORBilu: Detailled Reference

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Sensitive and Personal Data: What Exactly Are You Talking About?

Kober, Maria; Samhi, Jordan; Arzt, Steven et al.

2023 • In 10th International Conference on Mobile Software Engineering and Systems 2023

Peer reviewed

Permalink
https://hdl.handle.net/10993/54761

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

sensitive_data.pdf

Author preprint (161.87 kB)

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Sensitive data; Android

Abstract :

[en] Mobile devices are pervasively used for a variety of tasks, including the processing of sensitive data in mobile apps. While in most cases access to this data is legitimate, malware often targets sensitive data and even benign apps collect more data than necessary for their task. Therefore, researchers have proposed several frameworks to detect and track the use of sensitive data in apps, so as to disclose and prevent unauthorized access and data leakage. Unfortunately, a review of the literature reveals a lack of consensus on what sensitive data is in the context of technical frameworks like Android. Authors either provide an intuitive definition or an ad-hoc definition, derive their definition from the Android permission model, or rely on previous research papers which do or do not give a definition of sensitive data. In this paper, we provide an overview of existing definitions of sensitive data in literature and legal frameworks. We further provide a sound definition of sensitive data derived from the definition of personal data of several legal frameworks. To help the scientific community further advance in this field, we publicly provide a list of sensitive sources from the Android framework, thus starting a community project leading to a complete list of sensitive API methods across different frameworks and programming languages.

Research center :

- Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering

Disciplines :

Computer science

Author, co-author :

Kober, Maria

Samhi, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Arzt, Steven

Bissyande, Tegawendé François D Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Klein, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

yes

Language :

English

Title :

Sensitive and Personal Data: What Exactly Are You Talking About?

Publication date :

May 2023

Event name :

10th International Conference on Mobile Software Engineering and Systems 2023

Event place :

Melbourne, Australia

Event date :

From 15/05/2023 to 16/05/2023

Audience :

International

Main work title :

10th International Conference on Mobile Software Engineering and Systems 2023

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR14596679 - Dissecting Android Applications Using Static Analysis, 2020 (01/03/2020-31/10/2023) - Jordan Samhi

Funders :

FNR - Fonds National de la Recherche [LU]

Available on ORBilu :

since 04 April 2023

Statistics

Number of views

57 (1 by Unilu)

Number of downloads

210 (3 by Unilu)

More statistics

Scopus citations^®

0

Scopus citations^®
without self-citations

0

Bibliography

IDC. (2022) Smartphone market share, https://www. idc. com/promo/smartphone-market-share/os. Accessed May 2022.
Google. (2022) Permissions on android, https://developer. android. com/guide/topics/permissions/overview. Accessed May 2022.
K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, "Pscout: Analyzing the android permission specification, " in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS '12. New York, NY, USA: Association for Computing Machinery, 2012, p. 217-228.
A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner, "Android permissions: User attention, comprehension, and behavior, " in Proceedings of the Eighth Symposium on Usable Privacy and Security, ser. SOUPS '12. New York, NY, USA: Association for Computing Machinery, 2012.
S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel, "Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps, " SIGPLAN Not., vol. 49, no. 6, p. 259-269, Jun. 2014.
L. Li, A. Bartel, T. F. Bissyandé, J. Klein, Y. Le Traon, S. Arzt, S. Rasthofer, E. Bodden, D. Octeau, and P. McDaniel, "Iccta: Detecting inter-component privacy leaks in android apps, " in 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, vol. 1, 2015, pp. 280-291.
J. Samhi, A. Bartel, T. F. Bissyandé, and J. Klein, "Raicc: Revealing atypical inter-component communication in android apps, " in 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), 2021, pp. 1398-1409.
W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, "Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones, " ACM Trans. Comput. Syst., vol. 32, no. 2, jun 2014.
M. I. Gordon, D. Kim, J. H. Perkins, L. Gilham, N. Nguyen, and M. C. Rinard, "Information flow analysis of android applications in droidsafe. " in NDSS, vol. 15, no. 201, 2015, p. 110.
F. Wei, S. Roy, X. Ou, and Robby, "Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps, " ACM Trans. Priv. Secur., vol. 21, no. 3, apr 2018.
W. Wang, J. Wei, S. Zhang, and X. Luo, "Lscdroid: Malware detection based on local sensitive api invocation sequences, " IEEE Transactions on Reliability, vol. 69, no. 1, pp. 174-187, 2020.
M. Junaid, D. Liu, and D. Kung, "Dexteroid: Detecting malicious behaviors in android apps using reverse-engineered life cycle models, " Computers & Security, vol. 59, pp. 92-117, 2016.
L. Luo, E. Bodden, and J. Späth, "A qualitative analysis of android taintanalysis results, " in 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019, pp. 102-114.
European Parliament and Council of the European Union, "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), " Official Journal of the European Union, vol. 119, pp. 1-88, 2016.
S. Stummer, "Issues of verifying anonymity: An overview, " in INFORMATIK 2022, D. Demmler, D. Krupka, and H. Federrath, Eds. Gesellschaft für Informatik, Bonn, 2022, pp. 179-194.
C. Gibler, J. Crussell, J. Erickson, and H. Chen, "Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale, " in Trust and Trustworthy Computing, S. Katzenbeisser, E. Weippl, L. J. Camp, M. Volkamer, M. Reiter, and X. Zhang, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 291-307.
X. Cui, D. Yu, P. Chan, L. C. K. Hui, S. M. Yiu, and S. Qing, "Cochecker: Detecting capability and sensitive data leaks from component chains in android, " in Information Security and Privacy, W. Susilo and Y. Mu, Eds. Cham: Springer International Publishing, 2014, pp. 446-453.
S. Y. Y. W. Y. Yao and H. W. Y. F. Y. X. Xiao, "Describectx: Contextaware description synthesis for sensitive behaviors in mobile apps, " in International Conference on Software Engineering (ICSE'22), 2022.
A. Gorla, I. Tavecchia, F. Gross, and A. Zeller, "Checking app behavior against app descriptions, " in Proceedings of the 36th International Conference on Software Engineering, ser. ICSE 2014. New York, NY, USA: Association for Computing Machinery, 2014, p. 1025-1035.
L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden, B. Hermann, and F. Massacci, "Taintbench: Automatic real-world malware benchmarking of android taint analyses, " Empirical Software Engineering, vol. 27, no. 1, p. 16, Oct 2021.
D. Zhu, H. Jin, Y. Yang, D. Wu, andW. Chen, "Deepflow: Deep learningbased malware detection by mining android application for abnormal usage of sensitive data, " in 2017 IEEE Symposium on Computers and Communications (ISCC), 2017, pp. 438-443.
S. Lou, S. Cheng, J. Huang, and F. Jiang, "Tfdroid: Android malware detection by topics and sensitive data flows using machine learning techniques, " in 2019 IEEE 2nd International Conference on Information and Computer Technologies (ICICT), 2019, pp. 30-36.
Z. Meng, Y. Xiong, W. Huang, L. Qin, X. Jin, and H. Yan, "Appscalpel: Combining static analysis and outlier detection to identify and prune undesirable usage of sensitive data in android applications, " Neurocomputing, vol. 341, pp. 10-25, 2019.
G. Russello, B. Crispo, E. Fernandes, and Y. Zhauniarovich, "Yaase: Yet another android security extension, " in 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, 2011, pp. 1033-1040.
M. Backes, S. Bugiel, E. Derr, S. Weisgerber, P. McDaniel, and D. Octeau, "Poster: On demystifying the android application framework: Re-visiting android permission specification analysis. "
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, "Android permissions demystified, " in Proceedings of the 18th ACM Conference on Computer and Communications Security, ser. CCS '11. New York, NY, USA: Association for Computing Machinery, 2011, p. 627-638.
S. Arzt, S. Rasthofer, and E. Bodden, "Susi: A tool for the fully automated classification and categorization of android sources and sinks, " University of Darmstadt, Tech. Rep. TUDCS-2013-0114, 2013.
L. H. Tuan, N. T. Cam, and V.-H. Pham, "Enhancing the accuracy of static analysis for detecting sensitive data leakage in android by using dynamic analysis, " Cluster Computing, vol. 22, no. 1, pp. 1079-1085, 2019.
V. Avdiienko, K. Kuznetsov, A. Gorla, A. Zeller, S. Arzt, S. Rasthofer, and E. Bodden, "Mining apps for abnormal usage of sensitive data, " in 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, vol. 1, 2015, pp. 426-436.
Z. Yang, M. Yang, Y. Zhang, G. Gu, P. Ning, and X. S. Wang, "Appintent: Analyzing sensitive data transmission in android for privacy leakage detection, " in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ser. CCS '13. New York, NY, USA: Association for Computing Machinery, 2013, p. 1043-1054.
W. Klieber, L. Flynn, A. Bhosale, L. Jia, and L. Bauer, "Android taint flow analysis for app sets, " in Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, ser. SOAP '14. New York, NY, USA: Association for Computing Machinery, 2014, p. 1-6.
B. Soewito and A. Suwandaru, "Android sensitive data leakage prevention with rooting detection using java function hooking, " Journal of King Saud University-Computer and Information Sciences, vol. 34, no. 5, pp. 1950-1957, 2022.
X. Pan, X. Wang, Y. Duan, X. Wang, and H. Yin, "Dark hazard: Learning-based, large-scale discovery of hidden sensitive operations in android apps. " in NDSS, 2017.
B. Andow, A. Acharya, D. Li, W. Enck, K. Singh, and T. Xie, "Uiref: Analysis of sensitive user inputs in android applications, " in Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, ser. WiSec '17. New York, NY, USA: Association for Computing Machinery, 2017, p. 23-34.
J. Samhi, L. Li, T. F. Bissyande, and J. Klein, "Difuzer: Uncovering suspicious hidden sensitive operations in android apps, " in 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). Association for Computing Machinery, may 2022.
P. Lam, E. Bodden, O. Lhoták, and L. Hendren, "The Soot framework for Java program analysis: A retrospective, " in Cetus Users and Compiler Infastructure Workshop (CETUS 2011), vol. 15, 2011.
R. Vallee-Rai and L. J. Hendren, "Jimple: Simplifying java bytecode for analyses and transformations, " 1998.

Similar publications