11. March 2016

CeBIT 2016: Exposing data spies on Android devices the same way as bank robbers

When a bank is robbed, there is usually a prepared bundle of bills hidden in the stack of stolen money. This bundle explodes during the robber's getaway and releases a sticky dye that marks all of the money as stolen. Researchers from Saarland University now use a similar concept to uncover spying apps on mobile devices. Computer scientists at the Center for IT-Security, Privacy and Accountability (CISPA) have designed an app that enables this kind of tracking of spying apps on the newest Android operating system. As a result, malicious apps can be monitored more precisely. The demonstrator of the new app will be shown for the first time on March 14-18 at the computer expo CeBIT in Hannover (Hall 6, Stand D28).

Android is the most widely used operating system for mobile devices worldwide. The system became extremely popular even though users are more or less extorted when installing new apps: either they accept that an app is granted the access it requests (e.g., to contacts or to the Internet), or they cannot install and use the app. With the most recent Android update users can decline certain access requests, but this still provides only a deceptive sense of security.

“When an app lists the data it would like to access, I still don’t know what the app is going to do with this data,” says Oliver Schranz, PhD student at the Saarbrücken Graduate School for Computer Science at Saarland University. His assessment is confirmed by a current study by the US-American security company “Appthority”. More than 88 percent of Android apps written for corporate use are spying on data. For this reason, Oliver Schranz, Philipp von Styp-Rekowsky and Sebastian Weisberger from CISPA teamed up to design an app that helps users and companies track the behavior of suspicious apps, and in particular how they process information, more precisely.

Their “TaintArtist” app is based on a method called “Taint Tracking”, which resembles the dye explosion between stacks of bills after a bank robbery. If an app accesses privacy-sensitive information, this information is marked. “Even if the information is altered, as is the case with calculations, the marks remain and will also carry over to the new outcome. This way, we can precisely track how information flows in a suspicious app,” explains Schranz. The marks are checked once the data is handed over to operations that could leak it off the smartphone or that are flagged as suspicious by a pre-determined set of rules. If misuse is detected, the CISPA app raises an alarm. The user only needs to install the app and then choose which app should be monitored and what exactly should be forbidden or allowed.
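The marking, propagation and sink check described above can be sketched in a few lines. This is an added illustration, not TaintArtist code: it tracks marks explicitly in a library rather than by instrumenting compiled app code, and every name, label and policy entry in it is a hypothetical assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tainted:
    """A value plus the set of privacy labels (the 'dye') attached to it."""
    value: object
    labels: frozenset = frozenset()

def source(value, label):
    """Mark data as it is read from a privacy-sensitive source."""
    return Tainted(value, frozenset({label}))

def _split(x):
    return (x.value, x.labels) if isinstance(x, Tainted) else (x, frozenset())

def combine(op, *args):
    """Apply op to the raw values; the result carries the union of all labels."""
    values, labels = zip(*(_split(a) for a in args))
    return Tainted(op(*values), frozenset().union(*labels))

# Constructed policy: labels that each sink must never receive.
POLICY = {"network": {"CONTACTS", "LOCATION"}, "logfile": {"CONTACTS"}}

class LeakDetected(Exception):
    """Raised when marked data reaches a sink the policy forbids."""

def sink(name, data):
    """Check the marks at the point where data could leave the device."""
    value, labels = _split(data)
    forbidden = labels & POLICY.get(name, set())
    if forbidden:
        raise LeakDetected(f"{name} received data marked {sorted(forbidden)}")
    return value

def monitored_app():
    """Constructed app behaviour: derive a number from a contact, then send it."""
    phone = source("+49 681 0000000", "CONTACTS")  # constructed sample value
    digits = combine(lambda s: "".join(c for c in s if c.isdigit()), phone)
    checksum = combine(lambda s, salt: sum(map(int, s)) + salt, digits, 7)
    sink("network", combine(str, 42))  # unmarked data passes the check
    return sink("network", checksum)   # still marked CONTACTS: raises
```

The checksum no longer resembles the phone number, yet the sink rejects it because the mark survived both transformations.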

Up to now, an information flow analysis required a modification of the system, which was out of reach for lay users. To make it possible for every user in a few steps, the computer scientists from Saarbrücken use a novelty that was introduced with the two most recent versions of the Android operating system: Android no longer directly executes the intermediate form of an app's code, but instead translates it on the smartphone into executable machine code. This allows Schranz and his colleagues to insert the code needed for adding the marks during the translation process. According to the researchers, the app’s code will not be changed; however, the monitored app will run a little slower. “Taking into account that smartphones process everything in a millisecond, the user will barely notice the extra computing time,” explains Schranz. That’s why he is convinced that the app will also be suitable for companies. “When employees use their own devices, companies can ensure with our app that certain data will not leave the device,” according to Schranz. Whether the app will be turned into a commercial product or made available for free in the future remains an open question.

Photo: Credit Oliver Dietze
