Android app collusion research by
Dr. Amiangshu gets worldwide attention
Imagine two employees at a large bank: an analyst who handles sensitive financial information and a courier who makes deliveries outside the company. As they go about their day, they look like they’re doing what they’re supposed to do. The analyst is analyzing; the delivery person is delivering. But they’re actually up to something nefarious. In the break room, the analyst quietly passes some of the secret financials to the courier, who whisks it away to a competing bank.
Now, imagine that the bank is your Android smartphone. The employees are apps, and the sensitive information is your precise GPS location.
Like the two employees, pairs of Android apps installed on the same smartphone have ways of colluding to extract information about the phone’s user, which can be difficult to detect. Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone. And because of an enormous number of possible app combinations, testing for app collusions is a herculean task.
A recent study lead by Dr. Amiangshu Bosu, an assistant professor from Southern Illinois University, developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data. Dr. Bosu collaborated with three more researchers at Virginia Tech to create a system that delves into the architecture of Android apps to understand how they exchange information with other apps on the same phone. Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information.
The study, funded by the Defense Advanced Research Projects Agency as part of its Automated Program Analysis for Cybersecurity initiative, took 6,340 hours using the newly developed DIALDroid software, a task that would have been considerably longer without it. Amiangshu Bosu, an assistant professor at Southern Illinois University, spearheaded the software development effort and the push to release the code to the wider research community.
The study received worldwide news attention with reports published in the MSN, the Daily Mail, ACM Technews, the Independent, New Scientist, Phys.org, Business Insider, International Business Times, and the Sun.
A list of news articles on DIALDroid can be found here.