Document type:
Conference paper with proceedings
Title:
AccessiLeaks: Investigating Privacy Leaks Exposed by the Android Accessibility Service
Author(s):
Naseri, Mohammad [Author]
Borges Jr., Nataniel P. [Author]
Center for It-Security, Privacy & Accountability [CISPA]
Zeller, Andreas [Author]
Center for It-Security, Privacy & Accountability [CISPA]
Rouvoy, Romain [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Institut universitaire de France [IUF]
Title of the scientific event:
PETS 2019 - The 19th Privacy Enhancing Technologies Symposium
City:
Stockholm
Country:
Sweden
Start date of the scientific event:
2019-07-16
English keyword(s):
Accessibility service
Android
privacy
HAL discipline(s):
Computer Science [cs]/Operating Systems [cs.OS]
Computer Science [cs]/Web
Computer Science [cs]/Mobile Computing
Computer Science [cs]/Ubiquitous Computing
Computer Science [cs]/Software Engineering [cs.SE]
Computer Science [cs]/Cryptography and Security [cs.CR]
Abstract in English: [en]
To support users with disabilities, Android provides the accessibility services, which implement means of navigating through an app. According to the Android developer's guide: "Accessibility services should only be used to assist users with disabilities in using Android devices and apps". However, developers are free to use this service without any restrictions, giving them critical privileges such as monitoring user input or screen content to capture sensitive information. In this paper, we show that simply enabling the accessibility service leaves 72 % of the top finance and 80 % of the top social media apps vulnerable to eavesdropping attacks, leaking sensitive information such as logins and passwords. A combination of several tools and recommendations could mitigate the privacy risks: We introduce an analysis technique that detects most of these issues automatically, e.g. in an app store. We also found that these issues can be automatically fixed in almost all cases; our fixes have been accepted by 70 % of the surveyed developers. Finally, we designed a notification mechanism which would warn users against possible misuses of the accessibility services; 50 % of users would follow these notifications.
Language:
English
Peer-reviewed:
Yes
Audience:
International
Popular science:
No
ANR project:
Collections:
Source:
Files
- https://hal.inria.fr/hal-01929049/document
- Open access
- naseri-popets19.pdf
- Open access