Meng, M. H., Zhang, Q., Xia, G., Zheng, Y., Zhang, Y., Bai, G., Liu, Z., Teo, S. G., & Dong, J. S. (2023). Post-GDPR Threat Hunting on Android Phones: Dissecting OS-level Safeguards of User-unresettable Identifiers. Proceedings 2023 Network and Distributed System Security Symposium. https://doi.org/10.14722/ndss.2023.23176
Abstract:
Ever since its genesis, Android has enabled apps to
access data and services on mobile devices. This however involves
a wide variety of user-unresettable identifiers (UUIs), e.g., the
MAC address, which are associated with a device permanently.
Given their privacy sensitivity, Android has tightened its UUI
access policy since its version 10, in response to the increasingly
strict privacy protection regulations around the world. Non-
system apps are restricted from accessing them and are required
to use user-resettable alternatives such as advertising IDs.
In this work, we conduct a systematic study on the effective-
ness of the UUI safeguards on Android phones including both
Android Open Source Project (AOSP) and Original Equipment
Manufacturer (OEM) phones. To facilitate our large-scale study,
we propose a set of analysis techniques that discover and assess
UUI access channels. Our approach features a hybrid analysis
that consists of static program analysis of Android Framework
and forensic analysis of OS images to uncover access channels.
These channels are then tested with differential analysis to
identify weaknesses that open any attacking opportunity. We have
conducted a vulnerability assessment on 13 popular phones of 9
major manufacturers, most of which are top-selling and installed
with the recent Android versions. Our study reveals that UUI mis-
handling pervasively exists, evidenced by 51 unique vulnerabilities
found (8 listed by CVE). Our work unveils the status quo of the
UUI protection in Android phones, complementing the existing
studies that mainly focus on apps’ UUI harvesting behaviors. Our
findings should raise an alert to phone manufacturers and would
encourage policymakers to further extend the scope of regulations
with device-level data protection.
License type:
Publisher Copyright
Funding Info:
There was no specific funding for the research done