Lei Xue
Hong Kong Polytechnic University
Publication
Featured research published by Lei Xue.
security and privacy in smartphones and mobile devices | 2015
Le Yu; Tao Zhang; Xiapu Luo; Lei Xue
A privacy policy is a statement informing users how their information will be collected, used, and disclosed. Failing to provide a correct privacy policy may result in a fine. However, writing a privacy policy is tedious and error-prone, because the author may not well understand the source code, which could be written by others (e.g., outsourcing), or does not know the internals of third-party libraries without source code. In this paper, we propose and develop a novel system named AutoPPG to automatically construct correct and readable descriptions to facilitate the generation of privacy policy for Android applications (i.e., apps). Given an app, AutoPPG first conducts various static code analyses to characterize its behaviors related to users' private information and then applies natural language processing techniques to generate correct and accessible sentences for describing these behaviors. The experimental results using real apps and crowdsourcing indicate that: (1) AutoPPG creates correct and easy-to-understand descriptions for privacy policies; and (2) the privacy policies constructed by AutoPPG usually reveal more operations related to users' private information than existing privacy policies.
international conference on software engineering | 2017
Lei Xue; Xiapu Luo; Le Yu; Shuai Wang; Dinghao Wu
More and more app developers use the packing services (or packers) to prevent attackers from reverse engineering and modifying the executable (or Dex files) of their apps. At the same time, malware authors also use the packers to hide the malicious component and evade the signature-based detection. Although there are a few recent studies on unpacking Android apps, it has been shown that the evolving packers can easily circumvent them because they are not adaptive to the changes of packers. In this paper, we propose a novel adaptive approach and develop a new system, named PackerGrind, to unpack Android apps. We also evaluate PackerGrind with real packed apps, and the results show that PackerGrind can successfully reveal the packers' protection mechanisms and recover the Dex files with low overhead, showing that our approach can effectively handle the evolution of packers.
Computer Networks | 2016
Xiapu Luo; Haocheng Zhou; Le Yu; Lei Xue; Yi Xie
With the increasing use of multiple electronic devices including tablets, PCs, and mobile devices, Personal Cloud Storage (PCS) services, such as Dropbox and Box, have gained huge popularity. Recent research has used the PC clients of a few PCS services to study the network architectures and performance of these services. The mobile clients deserve a further study because the study of PC clients does not necessarily represent the system and network demand with mobile clients. In this paper, we conduct the first systematic investigation on six popular PCS services to reveal their internals and measure their performance. By dissecting their protocols and conducting cross-layer examinations, we obtain interesting observations, identify design issues, and suggest solutions to remedy these issues. Moreover, we propose an efficient method to measure the response latency of PCS servers by exploiting their open APIs.
international workshop on quality of service | 2015
Lei Xue; Chenxiong Qian; Xiapu Luo
Profiling Android applications (or simply apps) is an important way to discover and locate various problems in apps, such as performance bottlenecks, security loopholes, etc. Although many dynamic profiling systems for apps have been proposed, they are limited in dealing with the multiple-layer nature of Android and thus cannot reveal issues due to the underlying platform or poor interactions between different layers. Note that since apps usually run in the Dalvik virtual machine (DVM) and each DVM is a process in Android's customized Linux kernel, a simple operation in DVM will lead to many function calls in different layers. In this paper, we propose AndroidPerf, a cross-layer profiling system, including the DVM layer, the system layer, and the kernel layer, for Android apps. It consists of one sub-system that performs cross-layer dynamic taint analysis to collect control flow and data flow information, and another subsystem that conducts instrumentation on all layers for collecting performance information. We have implemented AndroidPerf in 9,125 lines of C/C++ and 1,016 lines of Python scripts along with some modifications to Android's framework. Besides evaluating its functionality and overhead, we have applied AndroidPerf to reveal real performance issues through case studies.
international workshop on quality of service | 2014
Lei Xue; Xiapu Luo; Yuru Shao
Being one of the primitives of Internet measurement and security scanning, active probing has numerous applications. While the majority of existing probing tools were designed for PCs/servers, the wide adoption of mobile devices and embedded systems brings new requirements and challenges to active probing, for example, the limited resources in those devices may affect active probing's accuracy and efficiency. However, few research studies examine such impact. In this paper, we fill the gap by investigating the effect of resource-limited devices on common packet sending/receiving techniques used by probing tools and proposing kTRxer, a toolkit that can be run in many devices to help probing tools achieve better accuracy and efficiency. kTRxer mitigates the negative effect from devices by keeping away from noise sources and achieves portability by avoiding modifying specific device drivers. We have implemented kTRxer with 5489 lines of C code and conducted extensive evaluation on three platforms, including PC, broadband router, and smartphone. The experimental results show that kTRxer can achieve up to 10 times transmission rate and introduce much less delay noise than existing approaches.
IEEE Transactions on Information Forensics and Security | 2017
Le Yu; Tao Zhang; Xiapu Luo; Lei Xue; Henry Chang
A privacy policy is a statement informing users how their information will be collected, used, and disclosed. Failing to provide a correct privacy policy may result in a fine. However, writing a privacy policy is tedious and error-prone, because the author may not understand the source code well as it could have been written by others (e.g., outsourcing), or the author does not know the internal working of third-party libraries used. In this paper, we propose and develop a novel system named AutoPPG to automatically construct correct and readable descriptions to facilitate the generation of privacy policy for Android applications (i.e., apps). Given an app, AutoPPG first conducts static code analysis to characterize its behaviors related to users’ personal information, and then applies natural language processing techniques to generate correct and accessible sentences for describing these behaviors. The experimental results using real apps and crowdsourcing indicate that: 1) AutoPPG creates correct and easy-to-understand descriptions for privacy policies; 2) the privacy policies constructed by AutoPPG usually reveal more operations related to users’ personal information than existing privacy policies; and 3) most developers, who reply to us, would like to use AutoPPG to facilitate them.
international conference on network protocols | 2014
Xiapu Luo; Lei Xue; Cong Shi; Yuru Shao; Chenxiong Qian; Edmond W. W. Chan
Measuring one-way path metrics can facilitate adaptive online services (e.g., video streaming and CDN) tuning to improve quality of experience (QoE) of their clients. However, existing server-side measurement systems suffer from (i) measuring only a few one-way path metrics, (ii) limited client-side support, and (iii) heavy overheads. In this paper, we propose and implement OWPScope, a novel system that can be deployed to any web server to measure four important one-way path metrics (packet loss, packet reordering, jitter, and capacity) without requiring software or plug-in installation at their web clients. Moreover, OWPScope performs representative measurement by correlating only information gleaned from standard features in HTML5 (e.g., navigation timing, resource timing), HTTP, and TCP. Our extensive evaluations in both a test bed and the Internet show that OWPScope can effectively measure one-way path metrics with low overhead.
international conference on computer communications | 2017
Lei Xue; Xiaobo Ma; Xiapu Luo; Le Yu; Shuai Wang; Ting Chen
Many apps have been developed to measure the performance of mobile networks. Unfortunately, their measurement results may not be what users expect, because the results could be biased by various factors and the apps' descriptions may confuse users. Although a few recent studies pointed out several factors, they missed other important factors and lacked fine-grained analysis of the factors and measurement apps. Moreover, none has studied whether or not the descriptions of such apps will mislead users. In this paper, we conduct the first systematic study of the factors that could bias the result from measurement apps and their descriptions. We identify new factors, revisit known factors, and propose a novel approach with new tools to discover these factors in proprietary apps. We also develop a new measurement app named MobiScope for demonstrating how to mitigate the negative effects of these factors. Furthermore, we construct enhanced descriptions for measurement apps to provide users more information about what is measured. The extensive experimental results illustrate the negative effects of various factors, the improvement in performance measurement brought by MobiScope, and the clarity of the enhanced descriptions.
usenix large installation systems administration conference | 2014
Lei Xue; Xiapu Luo; Edmond W. W. Chan; Xian Zhan
usenix security symposium | 2017
Lei Xue; Yajin Zhou; Ting Chen; Xiapu Luo; Guofei Gu