This document discusses runtime information gathering (RIG) attacks on Android and proposes an app-level protection called AppGuardian. It describes challenges in protecting against RIG attacks due to vague Android permissions and information leaked via /proc files. AppGuardian monitors app behavior and permissions to detect suspicious RIG attacks like phone call recording. It kills suspicious apps and restricts their actions until the user confirms them. Evaluation shows AppGuardian defeats known RIG attacks with minimal overhead on CPU, memory, and battery usage. The document concludes RIG is a serious threat and AppGuardian provides effective app-level protection.

1. Leave me alone: App-level Protection
Against Runtime Information Gathering
on Android
석사 29기 박준영

2. Contents
• View Point
• Challenges
• RIG(Runtime Information Gathering)
attacks
• /proc?
• Attacking NetCam (Video)
• AppGuardian Architecture
• Audio Recording Attack (Video)
• Detection Methods
• Evaluation & Analysis
• Discussion / Conclusion
• Protection NetCam (Video)
• Future Works

3. View Point
• RIG (Runtime Information Gathering)
• Protection against RIG
• Implementation and Evaluation

4. Challenges
• Increasing Malwares
• Enhancing access control causes compatibility issues
• OS-level solution is painful (in Android OS ecosystem)

5. RIG Attacks
• Android Permission은 그 범위가 너무 모호함.
• /proc 내의 공유된 runtime 정보를 주기적으로 읽
어 의미있는 데이터를 얻어내는것이 가능.

6. RIG Attacks
• Android Permission은 그 범위가 너무 모호함.
• /proc 내의 공유된 runtime 정보를 주기적으로 읽
어 의미있는 데이터를 얻어내는것이 가능.

7. Android Permission Issues
• Voice Recorder can tape any phone conversation.
• Game app with Bluetooth permission can also
download patient data from a Bluetooth glucose meter.

8. /proc/stat
• cpuN (6*n + 7 stats)
• user: normal processes executing in user mode
• nice: niced processes executing in user mode
• system: processes executing in kernel mode
• idle: twiddling thumbs
• iowait: waiting for I/O to complete
• irq: servicing interrupts
• intr : counts of interrupts serviced since boot time.
• ctxt : total number of context switches across all CPUs.
• btime : line gives the time at which the system booted, in seconds
since the Unix epoch.
• processes : the number of processes and threads created.
• procs_running : the number of processes currently running on CPUs.
• procs_blocked : the number of processes currently blocked, waiting
for I/O to complete.
• softirq: servicing softirqs

9. /proc/[pid]/stat
total 44 stats
pid : process ID
comm
state : state of process (running, sleeping, zombie .. )
ppid / pgrp / session / tty_nr / tpgid
flags / minflt / cminflt / majflt / cmajflt
utime : Amount of time that this process has been scheduled in
user mode
stime : Amount of time that this process has been scheduled in
kernel mode
cutime / cstime / priority / nice / num_threads / itrealvalue
starttime : The time the process started after system boot.
vsize : Virtual memory size in bytes.
rss / rsslim / startcode / endcode / startstack
kstkesp / kstkeip / signal / blocked / sigignore
sigcatch / wchan / nswap / cnswap / exit_signal / processor
rt_priority / policy / delayacct_blkio_ticks / guest_time / cguest_time

10. /proc/uid_stat/<uid>/tcp_rcv
uid 1013’s tcp received packets

11. Playing with stats information
• identify the web page user visits, by browser’s memory footprint.
• detect twitter account by monitoring tcp_snd / tcp_rcv
• driving route could be determined by looking speaker’s status (on / off)
does not require any Permissions!

12. App Guardian arch.
• Information Gathering
- Permissions, side-channels
• Install / Run time features
• Report suspicious apps
• kill suspicious app
• Principal finished,
resume suspicious app

13. App Guardian arch.
KILL_BACKGROUND_PROCESS
SYSTEM_ALERT_WINDOW
INTERNET
GET_TASK
BIND_NOTIFICATION_LISTENER_SERVICE

14. Monitoring
package names, permissions..
action.PACKAGE_ADDED
proc files, recording thread …

15. Entering the ward
KILL_BACKGROUND_PROCESSES
WARD MODE
BACKGROUND APPS

16. Entering the ward
oom_adj score (-17 ~ 15)
(typically) 9 2

17. Exiting the ward
WARD MODE
BACKGROUND APPS HOME - WAIT - KILL

18. Restart vs Switch
무조건적인 Ward mode는 성능저하를 일으킬 수 있다.

19. Detecting RIG attacks
• Phone conversation recorder
- RECORD_AUDIO permission
- READ_PHONE_STATE permission
- MediaRecorder object
- AudioIn X
• Observed from /proc/<pid>/task/<tid>/status
• Side-channel attacks
- look how frequently does app uses the CPU resources
- SR(Scheduling Rate) score

20. Detection Avoid
• Behavior Change
- keeps low profile before the principal show up / act aggressively
afterwards.
- use Pearson correlation coefficient (r)
• Collusion
- multiple apps do their own play.
(mal A : RECORD_AUDIO, mal B : READ_PHONE_STATE)
- grouping apps signed with the same certificate
- detect link-installed apps
- detect PACKAGE_ADDED and ask user.

21. Evaluation and analysis
• Effectiveness
- Defeat all 12 RIG Attacks

22. Evaluation and analysis
• Utility Impacts and Performance
- 475 Apps from 27 categories
on PlayStore

23. Evaluation and analysis
• Overhead
- on two Nexus 5
- 5% CPU Resource
- 40MB Memory
- 0.75% ~ 1.05% battery

24. Discussion
• Detection and Separation
• Background process protection
• Sanitization

25. Conclusion
• Evidence for the seriousness of RIG threat on Android.
• Application level protection method.
• Works effectively against all known attacks at a minimal performance.

26. Future Works
• Possible side-channel attack
on iOS / WatchOS