How is my private data treated by a mobile application?

Motivation

Most Android applications nowadays request many permissions for sensitive data such as contacts, location or calendar entries without actually needing them for their intended functionality. Investigations have shown that many applications forward this data to third parties without the users’ knowledge.

Goals

The “AndProtect” project aims to inform users of mobile applications about the internal processes and data usage of their apps, giving them detailed quality statements about possible privacy-breaching behaviors of their applications. With the help of data flow analysis, the internal information flow of apps is examined and their risk level assessed. Users can have their applications analyzed so that they can decide whether to keep or uninstall them.

Approach

A special feature of the project is the combination of static and dynamic analysis. The static analysis identifies data flows, both within the application logic and to external entities, without executing the application, while the dynamic analysis examines the data flow at runtime within a controlled testbed. Both approaches run separately, and their results are combined later on. These intensive data flow analyses ensure that the information flow is extensively examined, so that the actual application behavior is revealed in the end. Following this, the user receives a privacy report of the examined application.

Our contribution as TU Berlin to this project is implementing the static analysis and revealing the main privacy leaks of the examined Android application. The results of the static analysis are used as input for the dynamic analysis, which is managed and performed by our partner secuvera GmbH. Our other partner, TU Chemnitz, is responsible for the user-centric composition of GUIs and information.

Overview
Project Acronym: AndProtect
Project Title: AndProtect - Selbstdatenschutz durch statische und dynamische Analyse zur Validierung v Android-Apps
Duration: 11/01/2015 ⇢ 10/31/2017
Contact person: Karsten Bsufka
Sponsors: BMBF