research-article

SemaDroid: A Privacy-Aware Sensor Management Framework for Smartphones

Authors:

Sencun ZhuAuthors Info & Claims

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

Pages 61 - 72

https://doi.org/10.1145/2699026.2699114

Published: 02 March 2015 Publication History

Abstract

While mobile sensing applications are booming, the sensor management mechanisms in current smartphone operating systems are left behind -- they are incomprehensive and coarse-grained, exposing a huge attack surface for malicious or aggressive third party apps to steal user's private information through mobile sensors.

In this paper, we propose a privacy-aware sensor management framework, called SemaDroid, which extends the existing sensor management framework on Android to provide comprehensive and fine-grained access control over onboard sensors. SemaDroid allows the user to monitor the sensor usage of installed apps, and to control the disclosure of sensing information while not affecting the app's usability. Furthermore, SemaDroid supports context-aware and quality-of-sensing based access control policies. The enforcement and update of the policies are in real-time. Detailed design and implementation of SemaDroid on Android are presented to show that SemaDroid works compatible with the existing Android security framework. Demonstrations are also given to show the capability of SemaDroid on sensor management and on defeating emerging sensor-based attacks. Finally, we show the high efficiency and security of SemaDroid.

References

[1]

Apple pay. https://www.apple.com/iphone-6/apple-pay/.

[2]

Apple watch. http://www.apple.com/watch/.

[3]

Awareness! the headphone app. http://www.essency.co.uk/awareness-the-headphone-app/.

[4]

Samsung fingerprint sdk. http://developer.samsung.com/develop.

[5]

Samsung gear vr. http://www.samsung.com/global/ microsite/gearvr/gearvr_features.html.

[6]

A. Acquisti and J. Grossklags. Privacy attitudes and privacy behavior: Losses, gains, and hyperbolic discounting. Jean Camp and Stephen Lewis (Eds.) "The Economics of Information Security", pages 165--178, 2004.

[7]

X. Bao and R. Roy Choudhury. Movi: mobile phone based video highlights via collaborative sensing. In Proc. of the 8th international conference on Mobile systems, applications, and services, MobiSys '10, pages 357--370, New York, NY, USA, 2010. ACM.

Digital Library

[8]

A. Beresford, A. Rice, N. Skehin, and R. Sohan. Mockdroid: Trading privacy for application functionality on smartphones. In Proc. of the 12th Workshop on Mobile Computing Systems and Applications (HotMobile), 2011.

Digital Library

[9]

Brut.alll. Android-apktool: A tool for reverse engineering android apk files. https://code.google.com/p/android-apktool/.

[10]

S. Bugiel, L. Davi, A. Dmitrienko, S. Heuser, A.-R. Sadeghi, and B. Shastry. Practical and lightweight domain isolation on android. In Proc. of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, SPSM '11, pages 51--62, New York, NY, USA, 2011. ACM.

Digital Library

[11]

L. Cai and H. Chen. Touchlogger: Inferring keystrokes on touch screen from smartphone motion. In Proc. of HotSec'11, 2011.

Digital Library

[12]

R. K. Chellappa and R. Sin. Personalization versus privacy: An empirical examination of the online consumer's dilemma. In 2002 Informs Meeting, 2002.

[13]

D. Chu, N. D. Lane, T. T.-T. Lai, C. Pang, X. Meng, Q. Guo, F. Li, and F. Zhao. Balancing energy, latency and accuracy for mobile sensor data classification. In Proc. of the 9th ACM Conference on Embedded Networked Sensor Systems, SenSys '11, pages 54--67, New York, NY, USA, 2011. ACM.

Digital Library

[14]

M. J. Culnan. "how did they get my name?": An exploratory investigation of consumer attitudes toward secondary information use. MIS Quarterly, 17(3):pp. 341--363, 1993.

Digital Library

[15]

Electronic Arts. Need for speed shift on iphone. http://itunes.apple.com/us/app/ need-for-speed-shift/id337641298?mt=8.

[16]

W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of android application security. In Proc. of Usenix Security'11, 2011.

Digital Library

[17]

M. Faulkner, M. Olson, R. Chandy, J. Krause, K. M. Chandy, and A. Krause. The next big one: Detecting earthquakes and other rare events from community-based sensors. In Proc. ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN), 2011.

[18]

A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proc. of the 18th ACM conference on Computer and communications security, CCS '11, pages 627--638, New York, NY, USA, 2011. ACM.

Digital Library

[19]

P. Golle and K. Partridge. On the anonymity of home/work location pairs. In Proc. of the 7th International Conference on Pervasive Computing, Pervasive '09, pages 390--397, Berlin, Heidelberg, 2009. Springer-Verlag.

Digital Library

[20]

Google. Android 4.0.3 platform. http://developer. android.com/sdk/android-4.0.3.html.

[21]

M. Glotz and S. Nath. Privacy-aware personalization for mobile advertising. Technical report, MSR, 2011.

[22]

J. Han, E. Owusu, T.-L. Nguyen, A. Perrig, and J. Zhang. ACComplice: Location Inference using Accelerometers on Smartphones. In Proc. of COMSNETS'12, 2012.

[23]

I.-H. Hann, K. L. Hui, S.-Y. T. Lee, and I. P. L. Png. Online information privacy: Measuring the cost-benefit trade-off. In F. Miralles and J. Valor, editors, ICIS, page 1. Association for Information Systems, 2002.

[24]

M. Hilty, A. Pretschner, D. Basin, C. Schaefer, and T. Walter. A policy language for distributed usage control. In Proc. of ESORICS'07, 2007.

Digital Library

[25]

P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These aren't the droids you're looking for: retrofitting android to protect data from imperious applications. In Proc. of the 18th ACM conference on Computer and communications security, CCS '11, pages 639--652, New York, NY, USA, 2011. ACM.

Digital Library

[26]

P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. Sthese aren't the droids you're looking for T: Retrofitting android to protect data from imperious applications. In Proc. of the 18th ACM Conference on Computer and Communications Security (ACM CCS), 2011.

Digital Library

[27]

S. Jana, A. Narayanan, and V. Shmatikov. A scanner darkly: Protecting user privacy from perceptual applications. In Proc. of the 2013 IEEE Symposium on Security and Privacy, SP '13, pages 349--363, Washington, DC, USA, 2013. IEEE Computer Society.

Digital Library

[28]

J. Jung and M. Philipose. Courteous glass. In Proc. of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication, UbiComp '14 Adjunct, pages 1307--1312, New York, NY, USA, 2014. ACM.

Digital Library

[29]

J. Krumm. Inference attacks on location tracks. In Proc. of the 5th international conference on Pervasive computing, PERVASIVE'07,pages 127--143, Berlin, Heidelberg, 2007. Springer-Verlag.

Digital Library

[30]

N. D. Lane, T. Choudhury, A. Campbell, M. Mohammod, M. Lin, X. Yang, A. Doryab, H. Lu, S. Ali, and E. Berke. Bewell: A smartphone application to monitor, model and promote wellbeing. In Proc. of 5th International ICST Conference on Pervasive Computing Technologies for Healthcare, 2011.

[31]

N. D. Lane, E. Miluzzo, H. Lu, D. Peebles, T. Choudhury, and A. T. Campbell. A survey of mobile phone sensing. Comm. Mag., 48(9):140--150, Sept. 2010.

Digital Library

[32]

N. D. Lane, Y. Xu, H. Lu, S. Hu, T. Choudhury, A. T. Campbell, and F. Zhao. Enabling large-scale human activity inference on smartphones using community similarity networks ( csn ). Pattern Recognition, pages 355--364, 2011.

[33]

H. Lu, A. B. Brush, B. Priyantha, A. Karlson, and J. Liu. Speakersense: Energy efficient unobtrusive speaker identification on mobile phones. In Proc. of the 9th International Conference on Pervasive Computing (Pervasive'11), 2011.

Digital Library

[34]

H. Lu, W. Pan, N. D. Lane, T. Choudhury, and A. T. Campbell. Soundsense: Scalable sound sensing for people-centric sensing applications on mobile phones. In Proc. of the 7th ACM Conference on Mobile Systems, Applications, and Services (MobiSys '09), 2009.

Digital Library

[35]

P. Marquardt, A. Verma, H. Carter, and P. Traynor. (sp)iphone: decoding vibrations from nearby keyboards using mobile phone accelerometers. In Proc. of the 18th ACM conference on Computer and communications security, CCS '11, pages 551--562. ACM, 2011.

Digital Library

[36]

Motorola. Writing fingerprint-enabled apps. http://developer.motorola.com/docs/writing-fingerprint-enabled-apps/.

[37]

M. Mun, S. Hao, N. Mishra, K. Shilton, J. Burke, D. Estrin, M. Hansen, and R. Govindan. Personal data vaults: A locus of control for personal data streams. In Proc. of ACM CoNEXT 2010, 2010.

Digital Library

[38]

M. Nauman, S. Khan, and X. Zhang. Apex: extending android permission model and enforcement with user-defined runtime constraints. In Proc. of ASIACCS '10 Proc. of the 5th ACM Symposium on Information, Computer and Communications Securit, 2010.

Digital Library

[39]

M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in android. In Proc. Annual Computer Security Applications Conf. ACSAC '09, pages 340--349, 2009.

Digital Library

[40]

E. Owusu, J. Han, S. Das, A. Perrig, and J. Zhang. ACCessory: Keystroke Inference using Accelerometers on Smartphones. In Proc. of Workshop on Mobile Computing Systems and Applications (HotMobile), 2012.

Digital Library

[41]

R. Pandita, X. Xiao, W. Yang, W. Enck, and T. Xie. Whyper: Towards automating risk assessment of mobile applications. In Proc. of the 22Nd USENIX Conference on Security. USENIX Association, 2013.

Digital Library

[42]

R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: A stealthy and context-aware sound trojan for smartphones. In Proc. of the 18th Annual Network and Distributed System Security Symposium (NDSS), 2011.

[43]

R. Templeman, A. Kapadia, R. Hoyle, and D. Crandall. Reactive security: Responding to visual stimuli from wearable cameras. In Proc. of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication, UbiComp '14 Adjunct, pages 1297--1306, New York, NY, USA, 2014. ACM.

Digital Library

[44]

B. van Wissen, N. Palmer, R. Kemp, T. Kielmann, and H. Bal. Contextdroid: an expression-based context framework for android-a. In Proc. of PhoneSense'11, 2011.

[45]

N. Xu, F. Zhang, Y. Luo, W. Jia, D. Xuan, and J. Teng. Stealthy video capturer: a new video-based spyware in 3g smartphones. In Proc. of\ the second ACM conference on Wireless network security, 2009.

Digital Library

[46]

Z. Xu, K. Bai, and S. Zhu. Taplogger: inferring user inputs on smartphone touchscreens using on-board motion sensors. In Proc. of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, WISEC '12, pages 113--124, New York, NY, USA, 2012. ACM.

Digital Library

[47]

Y. Zhou, X. Zhang, X. Jiang, and V. Freeh. Taming information-stealing smartphone applications (on android). In Proc. of the International Conference on Trust and Trustworthy Computing (TRUST), 2011.

Digital Library

Cited By

Wan TZhang LXu YGuo ZGao BLiang H(2024)Analysis and Design of Efficient Authentication Techniques for Password Entry with the Qwerty Keyboard for VR EnvironmentsIEEE Transactions on Visualization and Computer Graphics10.1109/TVCG.2024.345619530:11(7075-7085)Online publication date: 1-Nov-2024
https://dl.acm.org/doi/10.1109/TVCG.2024.3456195
Champa ARabbi MEishita FZibran M(2024)Are We Aware? An Empirical Study on the Privacy and Security Awareness of Smartphone SensorsSoftware Engineering and Management: Theory and Application10.1007/978-3-031-55174-1_10(139-158)Online publication date: 3-May-2024
https://doi.org/10.1007/978-3-031-55174-1_10
Guri M(2023) POWER-SUPPLaY: Leaking Sensitive Data From Air-Gapped, Audio-Gapped Systems by Turning the Power Supplies into Speakers IEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.313340620:1(313-330)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2021.3133406
Show More Cited By

Index Terms

SemaDroid: A Privacy-Aware Sensor Management Framework for Smartphones

Recommendations

PScout: analyzing the Android permission specification
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Modern smartphone operating systems (OSs) have been developed with a greater emphasis on security and protecting privacy. One of the mechanisms these systems use to protect users is a permission system, which requires developers to declare what ...
Developing mobile apps using cross-platform frameworks: a case study
HCI'13: Proceedings of the 15th international conference on Human-Computer Interaction: human-centred design approaches, methods, tools, and environments - Volume Part I

In last few years, a huge variety of frameworks for the mobile cross-platform development have been released to deliver quick and overall better solutions. Most of them are based on different approaches and technologies; therefore, relying on only one ...
Messing with Android's Permission Model
TRUSTCOM '12: Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications

Permission models have become very common on smartphone operating systems to control the rights granted to installed third party applications (apps). Prior to installing an app, the user is typically presented with a dialog box showing the permissions ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

March 2015

362 pages

ISBN:9781450331913

DOI:10.1145/2699026

General Chair:
Jaehong Park
University of Texas at San Antonio, USA
,
Program Chair:
Anna Squicciarini
The Pennsylvania State University, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 March 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CODASPY'15

Sponsor:

SIGSAC

CODASPY'15: Fifth ACM Conference on Data and Application Security and Privacy

March 2 - 4, 2015

Texas, San Antonio, USA

Acceptance Rates

CODASPY '15 Paper Acceptance Rate 19 of 91 submissions, 21%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

53
Total Citations
View Citations
517
Total Downloads

Downloads (Last 12 months)30
Downloads (Last 6 weeks)4

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wan TZhang LXu YGuo ZGao BLiang H(2024)Analysis and Design of Efficient Authentication Techniques for Password Entry with the Qwerty Keyboard for VR EnvironmentsIEEE Transactions on Visualization and Computer Graphics10.1109/TVCG.2024.345619530:11(7075-7085)Online publication date: 1-Nov-2024
https://dl.acm.org/doi/10.1109/TVCG.2024.3456195
Champa ARabbi MEishita FZibran M(2024)Are We Aware? An Empirical Study on the Privacy and Security Awareness of Smartphone SensorsSoftware Engineering and Management: Theory and Application10.1007/978-3-031-55174-1_10(139-158)Online publication date: 3-May-2024
https://doi.org/10.1007/978-3-031-55174-1_10
Guri M(2023) POWER-SUPPLaY: Leaking Sensitive Data From Air-Gapped, Audio-Gapped Systems by Turning the Power Supplies into Speakers IEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.313340620:1(313-330)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2021.3133406
Wu YShi CZhang TWalker PLiu JSaxena NChen Y(2023)Privacy Leakage via Unrestricted Motion-Position Sensors in the Age of Virtual Reality: A Study of Snooping Typed Input on Virtual Keyboards2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179301(3382-3398)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179301
Champa ARabbi MEishita FZibran M(2023)Are We Aware? An Empirical Study on the Privacy and Security Awareness of Smartphone Sensors2023 IEEE/ACIS 21st International Conference on Software Engineering Research, Management and Applications (SERA)10.1109/SERA57763.2023.10197713(287-294)Online publication date: 23-May-2023
https://doi.org/10.1109/SERA57763.2023.10197713
Rivadeneira JSá Silva JColomo-Palacios RRodrigues ABoavida F(2023)User-centric privacy preserving models for a new era of the Internet of ThingsJournal of Network and Computer Applications10.1016/j.jnca.2023.103695217:COnline publication date: 1-Aug-2023
https://dl.acm.org/doi/10.1016/j.jnca.2023.103695
Chimuco FSequeiros JLopes CSimões TFreire MInácio P(2023)Secure cloud-based mobile apps: attack taxonomy, requirements, mechanisms, tests and automationInternational Journal of Information Security10.1007/s10207-023-00669-z22:4(833-867)Online publication date: 17-Feb-2023
https://doi.org/10.1007/s10207-023-00669-z
Guzman JThilakarathna KSeneviratne A(2023)Privacy and Security Issues and Solutions for Mixed Reality ApplicationsSpringer Handbook of Augmented Reality10.1007/978-3-030-67822-7_7(157-183)Online publication date: 1-Jan-2023
https://doi.org/10.1007/978-3-030-67822-7_7
Li RDiao WLi ZYang SLi SGuo S(2022)Android Custom Permissions Demystified: A Comprehensive Security EvaluationIEEE Transactions on Software Engineering10.1109/TSE.2021.311998048:11(4465-4484)Online publication date: 1-Nov-2022
https://doi.org/10.1109/TSE.2021.3119980
Du XPan XCao YHe BFang GChen YXu D(2022)FlowCog: Context-aware Semantic Extraction and Analysis of Information Flow Leaks in Android AppsIEEE Transactions on Mobile Computing10.1109/TMC.2022.3197638(1-17)Online publication date: 2022
https://doi.org/10.1109/TMC.2022.3197638
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents