Mobile applications are intended to be safe for use, protecting users’ privacy. However, many of them are poorly designed, accessing unnecessary data and receiving superfluous permissions. In fact, this is done not only by malicious apps but by an astonishingly large portion of all applications.
According to research conducted by Check Point of more than 1.5M different apps, up to 43% of iOS and 46% of Android apps leak data. Leaking data can end up in malicious hands, even if the app developers did not intend it.
To counter this disturbing phenomenon, researchers from the Check Point Institute for Information Security at Tel Aviv University, headed by Dr. Eran Tromer, have developed a new technology.
This technology called “DroidDisintegrator” aims to add a layer of protection and supervision to Android apps. According to the researchers, the need for this king of protection arisen since the Google Bouncer, which filters apps published on Google Play, only searches for malware, rather than poorly designed and potentially dangerous apps.
Furthermore, many users download apps from 3rd party app stores and do not enjoy even the Bouncer’s limited protection. As an example for a legitimate app that might compromise users, the researchers elaborate on the Smart Voice Recorder application:
“Smart Voice Recorder records audio at the user’s request. It also requests internet access to display ads. There is no reason why the information from the internet should flow into the Record Audio API (e.g., invoke recording of audio by the app’s web server), but there is no way to enforce the prevention of this flow. This is an integrity issue. There is also no reason why recordings should flow to the internet. This is a privacy issue.”
The new technological mechanism introduced by the researchers could help in ensuring applications access only the needed information and do not exceed the needed permissions. This mechanism conducts a dynamic analysis of the applications, identifies their different functionalities and components and designs a secure policy within they can operate safely.
DroidDisintegrator goes even further, providing an enforcement mechanism which will keep every application in check.
One of the most interesting features of DroidDisintegrator, which differentiates it from other solutions suggested in the past, is its fail-safe approach. Even if the mechanism fails to analyze correctly all of the app’s information flows, the user will stay protected. If the designated policy set by it is too harsh, the app might fail to execute, but the user will stay safe.
To the contrary, if the policy set is too loose the user is still protected by the general restrictions set by the policy. DroidDisintegrator can be implemented in several different models, either by the developers themselves or by a curator of the apps in the distribution chain.
In both cases, the policy set by DroidDisintegrator will allow app reviewers with visibility to all of their functionalities and policy restrictions and limit the apps from stepping over them. Users will also be notified as to exactly which policies are imposed on an app they are about to install.
The researchers tested their mechanism on current popular apps, with encouraging results. Before the apps were processed by DroidDisintegrator, they requested on average 15.2 different permissions each.
After the process, the apps used on average only 4.2 permissions per app, less than a third of the original amount. Meanwhile, the apps’ execution remained unharmed by the process. Clearly, the apps did not require such extensive permissions.
This groundbreaking research further emphasizes the dangers in using even innocent looking apps. The Android ecosystem is not a safe one for its users. Even if developers have good intentions, lack of enforcement can be easily abused by malicious factors, as we see on a daily basis. Hopefully, DroidDisintegrator and other such developments will help to turn Android and iOS into safer spaces for users.