Visible to the public UiRef: Analysis of Sensitive User Inputs in Android ApplicationsConflict Detection Enabled

TitleUiRef: Analysis of Sensitive User Inputs in Android Applications
Publication TypeConference Paper
Year of Publication2017
AuthorsBenjamin Andow, Akhil Acharya, Dengfeng Li, University of Illinois at Urbana-Champaign, William Enck, Kapil Singh, Tao Xie, University of Illinois at Urbana-Champaign
Conference Name10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017)
PublisherAssociation for Computing Machinery
Conference LocationBoston, MA
KeywordsScience of Human Circumvention of Security, science of security, UIUC
Abstract

Mobile applications frequently request sensitive data. While prior work has focused on analyzing sensitive-data uses originating from well-dened API calls in the system, the security and privacy implications of inputs requested via application user interfaces have been widely unexplored. In this paper, our goal is to understand the broad implications of such requests in terms of the type of sensitive data being requested by applications.

To this end, we propose UiRef (User Input REsolution Framework), an automated approach for resolving the semantics of user inputs requested by mobile applications. UiRef's design includes a number of novel techniques for extracting and resolving user interface labels and addressing ambiguity in semantics, resulting in signicant improvements over prior work.We apply UiRef to 50,162 Android applications from Google Play and use outlier analysis to triage applications with questionable input requests. We identify concerning developer practices, including insecure exposure of account passwords and non-consensual input disclosures to third parties. These ndings demonstrate the importance of user-input semantics when protecting end users.

Citation Keynode-36590

Other available formats:

UiRef: Analysis of Sensitive User Inputs in Android Applications