Detecting sensitive data disclosure via bi-directional text correlation analysis

@article{Huang2016DetectingSD,
  title={Detecting sensitive data disclosure via bi-directional text correlation analysis},
  author={Jianjun Huang and X. Zhang and Lin Tan},
  journal={Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering},
  year={2016}
}
  • Jianjun Huang, X. Zhang, Lin Tan
  • Published 1 November 2016
  • Business, Computer Science
  • Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering
Traditional sensitive data disclosure analysis faces two challenges: to identify sensitive data that is not generated by specific API calls, and to report the potential disclosures when the disclosed data is recognized as sensitive only after the sink operations. We address these issues by developing BidText, a novel static technique to detect sensitive data disclosures. BidText formulates the problem as a type system, in which variables are typed with the text labels that they encounter (e.g… 
Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps
TLDR
This work utilizes natural language processing (NLP) to automatically locate the program elements (variables, methods, etc.) of interest, and then performs a learning-based program structure analysis to accurately identify those indeed carrying sensitive content.
Detecting information flow by mutating input data
TLDR
In its evaluation, the MUTAFLOW prototype for Android programs showed that mutation-based flow analysis is a lightweight yet effective complement to existing tools, and compared to the popular FlowDroid static analysis tool, MutaFlow requires less than 10% of source code lines but has similar accuracy.
GUILeak: Tracing Privacy Policy Claims on User Input Data for Android Applications
TLDR
This paper proposes a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims.
GUILeak : Identifying Privacy Practices on GUI-Based Data
TLDR
A novel approach is proposed that automatically detects privacy leakage on user input data for a given Android app, and determines whether such leakage may violate privacy policies coming with the Android app.
Android Malware Detection Using Complex-Flows
TLDR
A new technique to detect mobile malware based on information flow analysis that accurately captures the complex behavior exhibited by both recent malware and benign applications is proposed.
AceDroid: Normalizing Diverse Android Access Control Checks for Inconsistency Detection
TLDR
A new analysis framework AceDroid is developed that models Android access control in a path-sensitive manner and normalizes diverse checks to a canonical form and proves to be quite effective, enabling to detect a significant number of inconsistencies introduced by various vendors and to suppress substantial false alarms.
DeepIntent: Deep Icon-Behavior Learning for Detecting Intention-Behavior Discrepancy in Mobile Apps
TLDR
This work focuses on the UI widgets that respond to user interactions and examines whether the intentions reflected by their UIs justify their permission uses, and presents DeepIntent, a framework that uses novel deep icon-behavior learning to learn an icon-behavior model from a large number of popular apps and detect intention-behavior discrepancies.

References

Showing 1-10 of 47 references
Checking More and Alerting Less: Detecting Privacy Leakages via Enhanced Data-flow Analysis and Peer Voting
TLDR
An automated system that detects privacy leaks (i.e., truly suspicious privacy disclosures) in Android apps that employs a new approach called peer voting to filter out most of the legitimate privacy disclosures from the results, purifying the detection results for automatic and easy interpretation.
SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps
TLDR
This paper designs and implements SUPOR, a novel static analysis tool that automatically examines the UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data, and builds a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis.
UIPicker: User-Input Privacy Identification in Mobile Applications
TLDR
UIPicker, an adaptable framework for automatic identification of sensitive user inputs, designed to detect the semantic information within the application layout resources and program code, and further analyze it for the locations where security-critical information may show up, can support a variety of existing security analysis on mobile apps.
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
TLDR
TaintDroid is an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data and enabling realtime analysis by leveraging Android’s virtualized execution environment.
Collaborative Verification of Information Flow for a High-Assurance App Store
TLDR
A verification model for use in high-integrity app stores to guarantee that the apps are free of malicious information flows, in which the software vendor and the app store auditor collaborate -- each does tasks that are easy for her/him, reducing overall verification cost.
AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale
TLDR
This work presents AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale and indicates that it is capable of scaling to the increasingly large set of available applications.
FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps
TLDR
FlowDroid is presented, a novel and highly precise static taint analysis for Android applications that successfully finds leaks in a subset of 500 apps from Google Play and about 1,000 malware apps from the VirusShare project.
A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks
TLDR
SUSI, a novel machine-learning guided approach for identifying sources and sinks directly from the code of any Android API, is proposed and shown to reliably classify sources and sinks even in new, previously unseen Android versions and components like Google Glass or the Chromecast API.
Mosaic: quantifying privacy leakage in mobile networks
TLDR
A reconstructed profile, dubbed as "mosaic," associates personal information such as political views, browsing habits, and favorite apps to the users by applying Tessellation on traffic from a cellular service provider (CSP), which shows that up to 50% of the traffic can be attributed to the names of users.
WHYPER: Towards Automating Risk Assessment of Mobile Applications
TLDR
WHYPER, a framework using Natural Language Processing (NLP) techniques to identify sentences that describe the need for a given permission in an application description, demonstrates great promise in using NLP techniques to bridge the semantic gap between user expectations and application functionality, further aiding the risk assessment of mobile applications.