Scaling Contextual Privacy to Mobile Device Manager (MDM) Environments
Abstract
Examining the privacy/security of mobile apps either involves performing static or dynamic analysis. Static analysis involves parsing program code to detect risks. It has the advantage of being rapid, as no code is run, but has the disadvantage of being inaccurate often yielding false positives because it evaluates what a program could do, and not what it actually does. Dynamic analysis involves running programs with instrumentation to monitor their behaviors, which yields no false positives, but has heretofore not scaled. This contract supported the research and development of AppCensus, which is a scalable automatic dynamic analysis pipeline. AppCensus uses a testbed of instrumented phones running a bespoke version of Android to monitor the privacy and security behaviors of mobile apps. It detects what files, commands, and sensitive user data is accessed by a given app, as well as whether it is transmitted off of the device and to whom regardless of whether or not encryption is used (e.g., TLS). Apps can be queued for testing via website or API, and the results can be viewed online or downloaded as reports, and the API could provide privacy and security intelligence to existing MDM solutions. AppCensus is now a commercially-viable SaaS product.
Document Details
- Document Type
- Technical Report
- Publication Date
- Oct 31, 2019
- Accession Number
- AD1083501
Entities
People
- Nathan Good
- Serge Egelman
Organizations
- International Computer Science Institute