2012 04 Analysis Techniques for Mobile OS Security


Published on

2012 04 Analysis Techniques for Mobile OS Security by Dr. William Enck, Assistant Professor, NCS

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

2012 04 Analysis Techniques for Mobile OS Security

  1. 1. Analysis Techniques for Mobile Operating System Security Prof. William Enck Raleigh ISSA April 5, 2012NC State - Prof. William Enck Page 1
  2. 2. A cautionary tale ...NC State - Prof. William Enck Page 2
  3. 3. Traditional computing vs. smartphones • Smartphones: logical conclusion of access consolidation, service decentralization, and commoditization of computing • Usage model is very different ‣ Multi-user single machine to single-user multiple machines ‣ Always on, always computing social instrument ‣ Enterprise: separate action from geography • Changing Risk ‣ Necessarily contains secrets (often high value) ‣ Collects sensitive data as a matter of operation ‣ Drifts seamlessly between “unknown” networks ‣ Highly malleable development practices, largely unknown developersNC State - Prof. William Enck Page 3
  4. 4. Rethinking (host) Security security == permissions security 6= users • Permissions define capabilities. • Application markets deliver functionality (free or paid) via packaged applications. • Users make permission decisions. • Applications are run within sandboxes provided by the OS. • Note: App markets don’t (and can’t) provide security for everything.NC State - Prof. William Enck Page 4
  5. 5. Research Questions • Questions: ‣ What permissions do applications ask for? ‣ What do applications do with the permissions? ‣ What can applications do with the permissions?NC State - Prof. William Enck Page 5
  6. 6. Example: Android Security • Permissions granted to applications and never changed ‣ Permissions are enforced when an application accesses a component, API, etc ‣ Runtime decisions look for assigned permissions (access is granted IFF app A assigned perm X at install) Application 1 Application 2 Permission A: ... B: l1 Permission Labels X Labels Inherit l1,... C: l2 ... Permissions • Example permissions: location, phone IDs, microphone, camera, address book, SMS, application “interfaces”NC State - Prof. William Enck Page 6
  7. 7. Q1: what do applications ask for? • Kirin certifies applications by vetting policies at install-time (relies on runtime enforcement) • Insight: app config and security policy is an upper bound on runtime behavior. • Kirin is a modified application installer ‣ Apps with unsafe policies are rejected New Kirin Optional Extension Kirin Application Security Security Service Rules (1) Attempt Display risk ratings Installation Pass/ to the user and (2) (3) Fail prompt for override. (4) Android Application InstallerNC State - Prof. William Enck Page 7
  8. 8. Kirin Security Policy • Kirin enforces security invariants at install-time • Local evaluation of two manifest artifacts ‣ The collection of requested permissions (uses-permission) ‣ The types of registered Intent message listeners • Example: ‣ Do not allow an application with Location and Internet permissions and receives the “booted” event restrict  permission  [ACCESS_FINE_LOCATION,  INTERNET]            and  receive        [BOOT_COMPLETE]NC State - Prof. William Enck Page 8
  9. 9. hird-party “restrict”. sets of “receive” restrictions. Then, create of all The remainder of the rule is the conjunction Policy Evaluation also han- of permissions andit in R. strings received. Each set is den and place action The set R directly corresponds toher action either “permission”be formed in time respectively. size rules and can or “receive”, linear to the sem We now define the set (proof by inspection). C ⇥ R ⌅ {true, false 5.2nowKSL thewe define of configurationrules. Let fpackag Semanticsa set of configuration failsailKSL restrict  permission  [ACCESS_FINE_LOCATION,  INTERNET]   Next a          and  receive        [BOOT_COMPLETE] based on a We define Let C be the set of all application t and r be: a r tents. semantics KSL possible configurations C⇥R We⌅ {true, false} be a logic to to test if anaapplication now define a simple function represent set of rules i a package manifest. We need only capture the se to • Policy evaluationusedset satisfiability expressible At )KSL. (P encodeKSL. Let R KSL by ofLet ctrules of and the taction strings configuration fails a bethe in labels is rule. all be the configurationin target L the application (P , for invariants = ct ,n applica- set oftivities, Services, O(n) Broadcastail(ctail(·)as:set of tp application t and ri be apermissionwe define f A be ithe the possible rule. Then, labelsClearly, f , r ) operates ‣ Invariant violations found in and w.r.t. policy size and Receivers. Note Section 4 (PtWet ) = cdefine,Activities, Services,Ai ⇤ Broadcast R action strings useddoesthe)semanticsactionprovide At rules. time , manifest, (Pi Ai = ri , Pi ⇤ canset and constant dyn A now t by not specify ofPt strings used by Let a of KSL ted Model: C ⇥ R ⌅ {true, false} be a function R :test tuple appl • by to receive Intents. Then, each rule ri Let F is C ⌅ R be a an to a advantag ⇥ R to ourif an (2 P Receivers; however, we to the input, as a hash table t of KSL rules.ail(·)notation in time (P , A ) to ⇧ 2R for a specific s Let operates Clearly, f the f ail : r = linear use this facthis section use in Section 7).iaWe defineLet RtTable 1: Applications ‣ We rules are tuples: KSL configuration fails KSL rule. iconfiguration whichCan appi c refer to c ⇥ as fo be the configuration aon to can provide constant time set membership checks. test if an application s. ‣ permission labelsbe isnotationstrings (Pthe set rto allail(ctPai=a application tthe ri tuple:rule. = forwe define where , r sp Configuration policy a Let FR A for We targetandfunction returning t ,rule) of, refer tot ) ) action ct Then, use and a beApplication ADescription in ⇥ a i f rules i the configurationC ⌅ R : t FR (c Ai 2R 2 .which an A )labels (P , A ) = rstrings used A ⇤ targ Rf⇧ ⇥ t , ri ) as: t , applicationand action i , PiWalkie-Talkie styl define ail(c for permission = ct ,Walki i Talkie fails: Pt by a At ‣ if (P t configuration i ⇤ i Let R where correspond toAt set2A .KSL rules. We cons R Pt ⇥ 2P and a ⇥ of Then, we say the configur Certified KSLf(ct ) = operates in to ail(ctR (c)} = input,Pthathas if {ri |riPush For linear t ) ⇧ R, f Talk , r rule let ‣t from theAt FRrules as follows. time each ito the⌃., Noteas beFR A Clearly, ail(·) i notation. i ⇤ i a th ⇤P F i ates com-all sets3of “permission” restrictions,R. Finally, theif po of as a hash tablethe standard notation 2 represent Shazam ct andUtility to identify can provide constant time set membershipand let ARbe th Then, we say the configuration ct passes a given KSL rule-set ithe We use X checks. set o the input, Let FRthat F (c ) set a function returning indicateofof r : C is the be of allin time linear to theset which installer to the ⇤. all ⌅ R operates subsets includingsize jouruld notR (call = ⌃.X, which R t Inauguration Then, create r = ( be F of t ) sets Note NC State - Prof. William Enck of “receive” restrictions. Collaborative Page 9
  10. 10. Studying the (early) Market • Evaluate 300+ popular Market apps (Jan 2009) ‣ 5 had both dangerous configuration and functionality (1.6%) ‣ 5 had dangerous configuration but not functionality (1.6%) (1) An application must not have the SET_DEBUG_APP permission (2) An application must not have the READ_PHONE_STATE, RECORD_AUDIO, and INTERNET permissions (3) An application must not have the PROCESS_OUTGOING_CALL, RECORD_AUDIO, and INTERNET permissions (4) An application must not have the ACCESS_FINE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions (5) An application must not have the ACCESS_COARSE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions (6) An application must not have the RECEIVE_SMS and WRITE_SMS permissions (7) An application must not have the SEND_SMS and WRITE_SMS permissions (8) An application must not have the INSTALL_SHORTCUT and UNINSTALL_SHORTCUT permissions (9) An application must not have the SET_PREFERRED_APPLICATION permission and receive Intents for the CALL action stringNC State - Prof. William Enck Page 10
  11. 11. Q2: What do the applications do? • TaintDroid is a system-wide integration of taint tracking into the Android platform ‣ VM Layer: variable tracking throughout Dalvik VM ‣ Native Layer: patches state after native method invocation ‣ Binder IPC Layer: extends tracking between applications ‣ Storage Layer: persistent tracking on files Message-level tracking Application Code Msg Application Code Virtual Virtual Variable-level Machine Machine tracking Native System Libraries Method-level tracking File-level Network Interface Secondary Storage tracking • TaintDroid is a firmware modification, not an appNC State - Prof. William Enck Page 11
  12. 12. Dynamic Taint Analysis • Dynamic taint analysis is a technique that tracks information dependencies from an origin • Conceptual idea: c = taint_source() ‣ Taint source ... ‣ Taint propagation a = b + c ‣ Taint sink ... network_send(a) • Limitations: performance and granularity is a trade-offNC State - Prof. William Enck Page 12
  13. 13. Performance CaffeineMark 3.0 benchmark • Memory overhead: 4.4% (higher is better) 2000 Android • IPC overhead: 27% 1800 TaintDroid 1600 1400 • Macro-benchmark: 14% overhead 1200 1000 ‣ App load: 3% (2ms) 800 ‣ Address book: (< 20 ms) 600 400 5.5% create, 18% read 200 0 ‣ Phone call: 10% (10ms) sieve loop logic string float method total ‣ Take picture: 29% (0.5s) CaffeineMark score roughly corresponds to the number of Java instructions per second.NC State - Prof. William Enck Page 13
  14. 14. Application Study • Selected 30 applications with bias on popularity and access to Internet, location, microphone, and camera applications # permissions The Weather Channel, Cetos, Solitarie, Movies, Babble, Manga Browser 6 Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Datelefonbuch, Astrid, BBC News Live 14 Stream, Ringtones Layer, Knocking, Coupons, Trapster, Spongebot Slide, ProBasketBall 6 MySpace, Barcode Scanner, ixMAT 3 Evernote 1 • Of 105 flagged connections, only 37 clearly legitimateNC State - Prof. William Enck Page 14
  15. 15. Findings • 15 of the 30 applications shared physical location with an ad server (admob.com, ad.qwapi.com, ads.mobclix.com, data.flurry.com) ‣ Most traffic was plaintext (e.g., AdMob HTTP GET): ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85 B717D9195A6722A9&d%5Bcoord%5D=47.6612278900 00006%2C-122.31589477&... • 7 applications sent device (IMEI) and 2 apps sent phone info (Ph. #, IMSI *, ICC-ID) to a remote server without informing the user.NC State - Prof. William Enck Page 15
  16. 16. Q3: What can the applications do? • Static analysis: look at the possible paths and interaction of data ‣ Very, very hard (often undecidable), but community has learned that we can do a lot with small analyses. • Step 1: ded decompiler for Android applications • Step 2: static source code analysis for both dangerous functionality and vulnerabilities ‣ What data could be exfiltrated from the application? ‣ Are developers safely using interfaces?NC State - Prof. William Enck Page 16
  17. 17. ded Decompiler Retargeting Process • Android applications are written CFG in Java, but compiled for the (1) DEX Parsing Construction optimized Dalvik VM language Type Inference Processing Missing Type Inference Constant Identification ‣ Non-trivial to retarget back to Java: (2) Java .class Conversion Constant Pool Conversion register vs. stack architecture, Constant Pool Translation Method Code Retargeting constant pools, ambiguous scalar types, Bytecode Reorganization null references, etc. (3) Java .class Optimization Instruction Set Translation • ded recovers source code from application package ‣ Retargeting: type inference, instruction translation, etc ‣ Optimization: use Soot to re-optimize for Java bytecode ‣ Decompilation: standard Java decompilation (Soot) • Decompiled top 1,100 free apps from Android market: over 21 million lines of source codeNC State - Prof. William Enck Page 17
  18. 18. Studying Application Security • Queried for security properties using program analysis, followed by manual inspection to understand purpose • Used several types of analysis to design security properties specific to Android using the Fortify SCA framework Analysis for Dangerous Behavior Analysis for Vulnerabilities Misuse of Phone Identifiers Data flow analysis Leaking Information to Logs Data flow analysis Exposure of Physical Location Data flow analysis Leaking Information to IPC Control flow analysis Abuse of Telephony Services Semantic analysis Unprotected Broadcast Receivers Control flow analysis Eavesdropping on Video Control flow analysis Intent Injection Vulnerabilities Control flow analysis Eavesdropping on Audio Structural analysis (+CG) Delegation Vulnerabilities Control flow analysis Botnet Characteristics (Sockets) Structural analysis Null Checks on IPC Input Control flow analysis Havesting Installed Applications Structural analysis Password Management* Data flow analysis Cryptography Misuse* Structural analysis Also studied inclusion of advertisement and Injection Vulnerabilities* Data flow analysis analytics libraries and associated properties * included with analysis frameworkNC State - Prof. William Enck Page 18
  19. 19. Phone Identifiers • We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc) sent to network servers, but how are they used? ‣ Program analysis pin-pointed 33 apps leaking Phone IDs • Finding 2 - device fingerprints • Finding 3 - tracking actions • Finding 4 - along with registration and loginNC State - Prof. William Enck Page 19
  20. 20. Device Fingerprints (1) com.eoeandroid.eWallpapers.cartoon - SyncDeviceInfosService.getDevice_info() r1.append((new StringBuilder("device_id=")).append(tm.getDeviceId()).toString()).append((new StringBuilder("&device_software_version=")).append(tm.getDeviceSoftwareVersion()).toString()); r1.append((new StringBuilder("&build_board=")).append(Build.BOARD).toString()).append((new StringBuilder("&build_brand=")).append(Build.BRAND).toString()).append((new StringBuilder("&build_device=")).append(Build.DEVICE).toString()).append((new StringBuilder("&build_display=")).append(Build.DISPLAY).toString()).append((new StringBuilder("&build_fingerprint=")).append(Build.FINGERPRINT).toString()).append((new StringBuilder("&build_model=")).append(Build.MODEL).toString()).append((new StringBuilder("&build_product=")).append(Build.PRODUCT).toString()).append((new StringBuilder("&build_tags=")).append(Build.TAGS).toString()).append((new StringBuilder("&build_time=")).append(Build.TIME).toString()).append((new StringBuilder("&build_user=")).append(Build.USER).toString()).append((new StringBuilder("&build_type=")).append(Build.TYPE).toString()).append((new StringBuilder("&build_id=")).append(Build.ID).toString()).append((new StringBuilder("&build_host=")).append(Build.HOST).toString()).append((new StringBuilder("&build_version_release=")).append(Build$VERSION.RELEASE).toString()).append((new StringBuilder("&build_version_sdk_int=")).append(Build $VERSION.SDK).toString()).append((new StringBuilder("&build_version_incremental=")).append(Build$VERSION.INCREMENTAL).toString()); r5 = mContext.getApplicationContext().getResources().getDisplayMetrics(); r1.append((new StringBuilder("&density=")).append(r5.density).toString()).append((new StringBuilder("&height_pixels=")).append(r5.heightPixels).toString()).append((new StringBuilder("&scaled_density=")).append(r5.scaledDensity).toString()).append((new StringBuilder("&width_pixels=")).append(r5.widthPixels).toString()).append((new StringBuilder("&xdpi=")).append(r5.xdpi).toString()).append((new StringBuilder("&ydpi=")).append(r5.ydpi).toString()); r1.append((new StringBuilder("&line1_number=")).append(tm.getLine1Number()).toString()).append((new StringBuilder("&network_country_iso=")).append(tm.getNetworkCountryIso()).toString()).append((new StringBuilder("&network_operator=")).append(tm.getNetworkOperator()).toString()).append((new StringBuilder("&network_operator_name=")).append(tm.getNetworkOperatorName()).toString()).append((new StringBuilder("&network_type=")).append(tm.getNetworkType()).toString()).append((new StringBuilder("&phone_type=")).append(tm.getPhoneType()).toString()).append((new StringBuilder("&sim_country_iso=")).append(tm.getSimCountryIso()).toString()).append((new StringBuilder("&sim_operator=")).append(tm.getSimOperator()).toString()).append((new StringBuilder("&sim_operator_name=")).append(tm.getSimOperatorName()).toString()).append((new StringBuilder("&sim_serial_number=")).append(tm.getSimSerialNumber()).toString()).append((new StringBuilder("&sim_state=")).append(tm.getSimState()).toString()).append((new StringBuilder("&subscriber_id=")).append(tm.getSubscriberId()).toString()).append((new StringBuilder("&voice_mail_number=")).append(tm.getVoiceMailNumber()).toString()); i0 = mContext.getResources().getConfiguration().mcc; i1 = mContext.getResources().getConfiguration().mnc; r1.append((new StringBuilder("&imsi_mcc=")).append(i0).toString()).append((new StringBuilder("&imsi_mnc=")).append(i1).toString()); r254 = (ActivityManager) mContext.getSystemService("activity"); $r255 = new ActivityManager$MemoryInfo(); r254.getMemoryInfo($r255); r1.append((new StringBuilder("&total_mem=")).append($r255.availMem).toString());NC State - Prof. William Enck Page 20
  21. 21. Device Fingerprints (2) com.avantar.wny - com/avantar/wny/PhoneStats.java public String toUrlFormatedString() { StringBuilder $r4; if (mURLFormatedParameters == null) IMEI { $r4 = new StringBuilder(); $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString()); $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString()); $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString()); $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString()); $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString()); $r4.append("&returnfmt=json"); mURLFormatedParameters = $r4.toString(); } return mURLFormatedParameters; }NC State - Prof. William Enck Page 21
  22. 22. Tracking com.froogloid.kring.google.zxing.client.android - Activity_Router.java (Main Activity) public void onCreate(Bundle r1) { http://kror.keyringapp.com/service.php ... IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId(); retailerLookupCmd = (new StringBuilder(String.valueOf(constants.server))).append("identifier=").append(Encode URL.KREncodeURL(IMEI)).append("&command=retailerlookup&retailername=").toString(); ... } com.Qunar - net/NetworkTask.java public void run() { http://client.qunar.com:80/QSearch ... r24 = (TelephonyManager) r21.getSystemService("phone"); url = (new StringBuilder(String.valueOf(url))).append("&vid=60001001&pid=10010&cid=C1000&uid=").appe nd(r24.getDeviceId()).append("&gid=").append(QConfiguration.mGid).append("&msg=").append( QConfiguration.getInstance().mPCStat.toMsgString()).toString(); ... }NC State - Prof. William Enck Page 22
  23. 23. Registration and Login com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback) public void onClick(View r1) IMEI { ... r7 = Host.getDeviceId(this$0.getApplicationContext()); LogInActivity.access$1(this$0).setUniqueDeviceID(r7); this$0.loginTask = new LogInActivity$LoginTask(this$0, null); this$0.showProgressDialog(r2, 2131361798, this$0.loginTask); r57 = this$0.loginTask; r58 = new LoginTO[1]; r58[0] = LogInActivity.access$1(this$0); r57.execute(r58); ... } Is this necessarily bad?NC State - Prof. William Enck Page 23
  24. 24. Location • Found 13 apps with geographic location data flows to the network ‣ Many were legitimate: weather, classifieds, points of interest, and social networking services • Several instances sent to advertisers (same as TaintDroid). More on this shortly. • Code recovery error in AdMob library.NC State - Prof. William Enck Page 24
  25. 25. Phone Misuse • No evidence of abuse in our sample set ‣ Hard-coded numbers for SMS/voice (premium-rate) ‣ Background audio/video recording ‣ Socket API use (not HTTP wrappers) ‣ Harvesting list of installed applicationsNC State - Prof. William Enck Page 25
  26. 26. Ad/Analytics Libraries Library Path # Apps Obtains • 51% of the apps included an ad or com/admob/android/ads 320 L analytics library (many also included com/google/ads 206 - com/flurry/android 98 - custom functionality) com/qwapi/adclient/android 74 L, P, E com/google/android/apps/analytics 67 - • A few libraries were used most frequently com/adwhirl 60 L com/mobclix/android/sdk 58 L, E • Use of phone identifiers and location com/mellennialmedia/android 52 - sometimes configurable by developer com/zestadz/android 10 - com/admarvel/android/ads 8 - 1000 com/estsoft/adlocal 8 L 367 com/adfonic/android 5 - Number of libraries com/vdroid/ads 5 L, E 91 100 com/greystripe/android/sdk 4 E 32 37 1 app has com/medialets 4 L 15 8 10 8 libraries! com/wooboo/adlib_android 4 L, P, I 10 com/adserver/adview 3 L com/tapjoy 3 - com/inmobi/androidsdk 2 E 1 com/apegroup/ad 1 - 1 com/casee/adsdk 1 S 1 2 3 4 5 6 7 8 com/webtrents/mobile 1 L, E, S, I Total Unique Apps 561 Number of apps L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-IDNC State - Prof. William Enck Page 26
  27. 27. Probing for Permissions (1) com/webtrends/mobile/analytics/android/WebtrendsAndroidValueFetcher.java public static String getDeviceId(Object r0) { Context r4; String r7; r4 = (Context) r0; try { r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId(); if (r7 == null) { r7 = ""; Catches SecurityException } } catch (Exception $r8) { WebtrendsDataCollector.getInstance().getLog().d("Exception fetching TelephonyManager.getDeviceId value. ", $r8); r7 = null; } return r7; }NC State - Prof. William Enck Page 27
  28. 28. Probing for Permissions (2) com/casee/adsdk/AdFetcher.java public static String getDeviceId(Context r0) { String r1; r1 = ""; label_19: { if (deviceId != null) { if (r1.equals(deviceId) == false) { break label_19; Checks before accessing } } if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0) { deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId(); } } //end label_19: ... }NC State - Prof. William Enck Page 28
  29. 29. Developer Toolkits • We found identically implemented dangerous functionality in the form of developer toolkits. ‣ Probing for permissions (e.g., Android API, catch SecurityException) ‣ Well-known brands sometimes commission developers that include dangerous functionality. • “USA Today” and “FOX News” both developed by Mercury Intermedia (com/mercuryintermedia), which grabs IMEI on startupNC State - Prof. William Enck Page 29
  30. 30. Custom Exceptions v00032.com.wordplayer - CustomExceptionHandler.java void init() { URLConnection r3; ... r3 = (new URL("http://www.word-player.com/HttpHandler/init.sample")).openConnection(); ... try { $r27 = this.mkStr(((TelephonyManager) _context.getSystemService("phone")).getLine1Number()); } catch (Exception $r81) { break label_5; } ... Phone Number!? }NC State - Prof. William Enck Page 30
  31. 31. Intent Vulnerabilities • Similar analysis rules as independently identified by Chin et al. [Mobisys 2011] • Leaking information to IPC - unprotected intent broadcasts are common, occasionally contain info • Unprotected broadcast receivers - a few apps receive custom action strings w/out protection (lots of “protected bcasts”) • Intent injection attacks - 16 apps had potential vulnerabilities • Delegating control - pending intents are tricky to analyze (notification, alarm, and widget APIs) --- no vulns found • Null checks on IPC input - 3925 potential null dereferences in 591 apps (53%) --- most were in activity componentsNC State - Prof. William Enck Page 31
  32. 32. Study Limitations • The sample set • Code recovery failures • Android IPC data flows • Fortify SCA language • ObfuscationNC State - Prof. William Enck Page 32
  33. 33. Summary • What permissions do applications ask for? ‣ Kirin demonstrated how permission combinations can be effectively used to certify applications at install-time. • What do applications do with the permissions? ‣ TaintDroid “looks inside” of applications to understand how privacy sensitive information is being used. • What can applications do with the permissions? ‣ We used program analysis and manual inspection to characterize implemented application behaviorNC State - Prof. William Enck Page 33
  34. 34. Thank you! William Enck Assistant Professor Department of Computer Science NC State University enck@cs.ncsu.edu http://www.enck.orgNC State - Prof. William Enck Page 34