Are your Sensitive Inputs Secure in Android Applications?


Trishla Shah, Raghav Sampangi and Angela Siegel, Dalhousie University, Canada


Android applications may request for users’ sensitive information through the GUI. Developer guidelines for designing applications mandate that information must be masked/encrypted before storing or leaving the system. However not all applications adhere to the guidelines. As a prerequisite to tracking sensitive input data, it is essential to identify the widgets that request it. Previous research has focused on identifying the sensitive input widgets, but the extraction of all layouts, including images and unused layouts, is fundamental. In this paper, we propose an automated framework that finds sensitive user input widgets from Android application layouts and validates the masking of these inputs. Our design includes novel techniques for resolving the user semantics, extraction of resources, identification of potential data leaks and helping users to prioritize the sharing of sensitive information, resulting in significant improvement over prior work. We also train track the obtained sensitive input widgets and check for unencrypted transmission or storage of sensitive data. Based on a preliminary evaluation of our framework with some applications from the Google Play store, we observe notable improvement over prior work in this domain.


Android applications, sensitive, secure, GUI, layouts, framework.

Full Text  Volume 12, Number 12