A Deep Dive into Privacy Dashboard of Top Android Vendors

Presented at Black Hat Europe 2021, Nov. 11, 2021, 10:20 a.m. (40 minutes)

Most Android vendors designed privacy dashboards before Android 12 to let users monitor sensitive behaviors of their installed apps, such as clipboard access, location collection, and file operations. However, our comprehensive research into these dashboards found that most of them are neither accurate nor complete. Many design and implementation flaws allow a malicious app to bypass their monitoring, or cause a false alarm to be reported for a benign app.

Our research dives deep into the implementation of the privacy protection mechanisms of five top vendors and explains the differences in their designs in terms of sensitivity level, operation frequency, and behavior status. We discuss the flaws in these vendors' coarse-grained behavior control and how a malicious app can perform sensitive operations without triggering the dashboard, for example collecting your location without leaving a trace or silently deleting your photo album. We also found that some vendors' over-designed monitoring strategies generate false positive reports or alarms under certain extreme conditions.

Finally, we present our method for extracting sensitive APIs from custom Android ROMs and our test process for verifying privacy dashboard reports. With this presentation, we hope to improve vendors' privacy protection mechanisms and better protect the privacy of billions of users.


Presenters:

  • Xiangxing Qian - Security Researcher, IES Red Team of ByteDance
    Xiangxing Qian is a security researcher in the IES Red Team of ByteDance. His research focuses on Android security, static analysis, and automated testing. His Android GUI testing paper, EHBDroid, was accepted at ASE 2017.
  • Wei Wen - Security Researcher, IES Red Team of ByteDance
    Wei Wen is a security researcher at ByteDance. His research focuses on Android security and web security. In the course of his research he has found security vulnerabilities in many financial systems and cloud platforms, and he has received more than 10 CVEs since 2018.
  • Zhenyu Zhu - Security Researcher, IES Red Team of ByteDance
    Zhenyu Zhu is a security researcher in the IES Red Team of ByteDance. His research focuses on system security and application security, especially on mobile platforms. For the last three years he has worked on personal privacy information protection and compliance assessment on mobile.
  • Bin Ma - Security Researcher, IES Red Team of ByteDance
    Bin Ma is a security researcher in the IES Red Team of ByteDance. His research focuses on system security and application security, especially on mobile platforms. Some of his research has been accepted at conferences including RAID and IEEE S&P. He has spoken at Black Hat USA and Black Hat Asia.
