App2SecApp: privacy protection from Android applications

Abstract

In this paper, we develop a wrapper that is capable of detecting the flow of sensitive data outside the application s sandbox. The wrapper acts as an extension to the apps. A single entry point in an Android app does not exist, therefore it is challenging to analyze the flow of information just through static analysis. Our approach detects possible leaks through a safe real-time monitoring of the application, with the advantage that it neither requires any access to the app s code, nor does it require an apk analysis. We transform the app by placing a wrapper around the app, called App2SecApp, to ensures safe executional monitoring in terms of: (1) behavioral invariance of the app, and (2) monitoring of sensitive API calls and prompting the user, if there is a possible leakage from the app s sandbox through any of the API calls. Using such a structure the transformed app will protect privacy under the notions of consent to use by the user and used only for the purpose for which information is given. Our evaluation for performance on a number of apps, shows that our solution requires only 0.11% modification to the original apps. Our user-experience evaluation through a survey shows that none of the participants felt any interference from the UI and were pleased due to assurance of app s security.