“These Aren’t the Droids You’re Looking For”: Retrofitting Android to Protect Data from Imperious Applications

  • Stuart Schechter

MSR-TR-2011-71

To install an Android application, users are commonly required to grant the application both permission to access information on the device, some of which they may consider private, and permission to access the network, which could be used to leak that information. We present two privacy controls that empower users to protect their data from exfiltration by permission-hungry applications:

  1. Covertly substituting shadow data in place of data that the user wants to keep private, and
  2. Blocking network transmissions that contain data the user made available to the application for on-device use only.
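The two controls, as an added illustration written for this page rather than code from the paper or its prototype: a toy device model in which reads of a sensitive resource either return shadow data (control 1) or return the real value tagged with a taint label that a network sink refuses to transmit (control 2). The resource names, the `TStr` taint-carrying string, the `Device` API, the hostnames and the sample IMEI, location and contacts are all constructed for the example; a real implementation needs system-wide information-flow tracking rather than a string subclass, and this model deliberately loses taint through `f"..."` formatting or `.encode()` to show why.

```python
import hashlib
import random

SHADOW_SEED = 1234  # assumed: a per-device secret so the shadow IMEI is stable across reads


class TStr(str):
    """A str carrying taint labels: the names of the sensitive resources it derives from.
    Taint propagates through '+' and through sha256_hex() below; other operations
    (f-strings, slicing, .encode()) return plain str and lose it. This stands in for
    the system-wide information-flow tracking a real implementation needs."""

    def __new__(cls, value, taint=()):
        obj = super().__new__(cls, value)
        obj.taint = frozenset(taint)
        return obj

    def __add__(self, other):
        return TStr(str(self) + str(other), self.taint | taint_of(other))

    def __radd__(self, other):
        return TStr(str(other) + str(self), self.taint | taint_of(other))


def taint_of(value):
    return getattr(value, "taint", frozenset())


def sha256_hex(value):
    """Hashing helper that keeps taint: a digest of private data is still private."""
    return TStr(hashlib.sha256(str(value).encode()).hexdigest(), taint_of(value))


class Device:
    """Mediates resource reads and network sends for an unmodified application."""

    def __init__(self, real_data, shadow=(), on_device_only=()):
        self.real = real_data
        self.shadow = set(shadow)                  # control 1: substitute shadow data
        self.on_device_only = set(on_device_only)  # control 2: block exfiltration
        self.sent = []     # (host, payload) pairs that left the device
        self.blocked = []  # (host, leaking resources) pairs that were dropped

    def shadow_value(self, resource):
        if resource == "imei":
            # well-formed 15 digits, stable per device so the app can still key on it
            rng = random.Random(SHADOW_SEED)
            return "".join(str(rng.randrange(10)) for _ in range(15))
        if resource == "location":
            return "0.0000,0.0000"   # a fixed point instead of the user's coordinates
        if resource == "contacts":
            return ""                # an empty address book
        raise KeyError(resource)

    def read(self, resource):
        """Resource access as the app sees it. Shadowing wins over blocking: shadow
        data carries no taint because nothing real is in it."""
        if resource in self.shadow:
            return TStr(self.shadow_value(resource))
        value = self.real[resource]
        if resource in self.on_device_only:
            return TStr(value, {resource})
        return TStr(value)

    def send(self, host, payload):
        """Network sink. A payload tainted by an on-device-only resource is dropped and
        the app observes a failed send, as it would for a network error."""
        leaking = taint_of(payload) & self.on_device_only
        if leaking:
            self.blocked.append((host, sorted(leaking)))
            return False
        self.sent.append((host, str(payload)))
        return True


def analytics_app(device):
    """A permission-hungry app (constructed): reports a hashed device id plus location
    to its own server, then fetches a weather tile for that location."""
    imei = device.read("imei")
    loc = device.read("location")
    report = "id=" + sha256_hex(imei) + "&loc=" + loc
    reported = device.send("analytics.example", report)
    weather_tile = device.send("weather.example", "q=" + loc)
    return {"reported": reported, "weather_tile": weather_tile}


# Constructed sample data; the IMEI is a well-known test value, not a real device.
REAL = {
    "imei": "490154203237518",
    "location": "47.6205,-122.3493",
    "contacts": "alice@example.org;bob@example.org",
}


def run(shadow=(), on_device_only=()):
    """Execute the app under a policy and return what it saw and what left the device."""
    dev = Device(REAL, shadow, on_device_only)
    result = analytics_app(dev)
    result["sent"] = dev.sent
    result["blocked"] = dev.blocked
    return result


if __name__ == "__main__":
    for name, policy in [("no controls", {}),
                         ("shadow imei+location", {"shadow": ("imei", "location")}),
                         ("location on-device only", {"on_device_only": ("location",)})]:
        print(name, run(**policy))
```

Running the three policies shows the trade-off the abstract describes: with shadowing both sends succeed and neither the real IMEI (even hashed) nor the real coordinates appear in the payloads, so the app keeps working; with the location marked on-device only, the analytics report is blocked as intended, but so is the weather lookup the user actually wanted, which is the kind of side effect the paper's testing methodology is built to detect.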

We retrofit the Android operating system to implement these two controls for use with unmodified applications. A key challenge of imposing shadowing and exfiltration blocking on existing applications is that these controls can cause side effects that interfere with user-desired functionality. To measure the impact of side effects, we develop an automated testing methodology that records the visual output of application executions both with and without privacy controls, then automatically highlights the visual differences between the executions. We evaluate our privacy controls on 50 applications from the Android marketplace, selected from those that were both popular and permission-hungry. We find that our privacy controls can successfully reduce the effective permissions of the application without causing side effects for 66% of the tested applications. The remaining 34% of applications implemented user-desired functionality that required violating the privacy requirements our controls were designed to enforce; for them there was an unavoidable choice between privacy and user-desired functionality.
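The side-effect detection step, as an added example that is not the paper's own test harness: two grayscale frames captured from the same application run, one with and one without privacy controls, are compared pixel by pixel and the differing areas are reported as bounding boxes. The frames, the 8x6 layout, the `make_frame` helper and the status-bar mask are constructed for the example. The mask matters in practice: a clock or signal indicator changes between any two runs, so it must be excluded or every application looks as if it has a side effect.

```python
from collections import deque


def diff_mask(frame_a, frame_b, tolerance=0, ignore=()):
    """Per-pixel mask of where two equally sized grayscale frames differ by more than
    `tolerance`. `ignore` lists (row0, col0, row1, col1) boxes (exclusive upper bounds)
    to exclude, such as a status bar whose clock changes between runs."""
    h, w = len(frame_a), len(frame_a[0])
    if (h, w) != (len(frame_b), len(frame_b[0])):
        raise ValueError("frames differ in size")
    mask = [[abs(frame_a[r][c] - frame_b[r][c]) > tolerance for c in range(w)]
            for r in range(h)]
    for r0, c0, r1, c1 in ignore:
        for r in range(r0, r1):
            for c in range(c0, c1):
                mask[r][c] = False
    return mask


def diff_regions(frame_a, frame_b, tolerance=0, ignore=()):
    """Bounding boxes (row0, col0, row1, col1) of each 4-connected region of differing
    pixels, in scan order. An empty list means no visible side effect was detected."""
    mask = diff_mask(frame_a, frame_b, tolerance, ignore)
    h, w = len(mask), len(mask[0])
    seen = [[False] * w for _ in range(h)]
    boxes = []
    for r in range(h):
        for c in range(w):
            if not mask[r][c] or seen[r][c]:
                continue
            # flood-fill one region and track its extent
            queue = deque([(r, c)])
            seen[r][c] = True
            r0 = r1 = r
            c0 = c1 = c
            while queue:
                y, x = queue.popleft()
                r0, r1, c0, c1 = min(r0, y), max(r1, y), min(c0, x), max(c1, x)
                for dy, dx in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                    ny, nx = y + dy, x + dx
                    if 0 <= ny < h and 0 <= nx < w and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            boxes.append((r0, c0, r1 + 1, c1 + 1))
    return boxes


def changed_fraction(frame_a, frame_b, tolerance=0, ignore=()):
    """Share of (non-ignored) pixels that differ; useful as a coarse side-effect score."""
    mask = diff_mask(frame_a, frame_b, tolerance, ignore)
    total = sum(len(row) for row in mask)
    return sum(v for row in mask for v in row) / total


def make_frame(tile_value, clock_value):
    """Constructed 8x6 screen: a status bar with a clock in row 0 and a map/weather
    tile (rows 2-4, cols 2-5) whose content depends on the location the app read."""
    frame = [[0] * 8 for _ in range(6)]
    frame[0][7] = clock_value
    for r in range(2, 5):
        for c in range(2, 6):
            frame[r][c] = tile_value
    return frame


WITHOUT_CONTROLS = make_frame(200, 10)   # tile drawn for the real location
WITH_SHADOWING = make_frame(50, 11)      # tile drawn for the shadow location, clock moved on
STATUS_BAR = (0, 0, 1, 8)                # region to mask out

if __name__ == "__main__":
    print("raw diff:", diff_regions(WITHOUT_CONTROLS, WITH_SHADOWING))
    print("masked diff:", diff_regions(WITHOUT_CONTROLS, WITH_SHADOWING, ignore=(STATUS_BAR,)))
    print("changed fraction:", changed_fraction(WITHOUT_CONTROLS, WITH_SHADOWING, ignore=(STATUS_BAR,)))
```

Without the mask the clock shows up as a spurious difference; with it, only the tile region remains, which is the genuine side effect of shadowing the location. A run whose masked diff is empty is the "no side effect" case counted in the 66%.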