Skip to content

parasecurity/DataSafetyDiscrepancies

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits
DEMO
DEMO
 
 
Reaper
Reaper
 
 
dataset
dataset
 
 
pseudocode
pseudocode
 
 
API_methods_list
API_methods_list
 
 
DataSafety_labelling.csv
DataSafety_labelling.csv
 
 
README.md
README.md
 
 

Repository files navigation

DataSafety

Data Safety Section is an important step towards increased platform support for data transparency, allowing users to easily understand how apps process their data. Unfortunately, in its current implementation, bad practices and relaxed policies can confuse both end-users and developers, while also creating opportunities for abuse and the surreptitious exfiltration of data. In this work, we developed a system that automatically identifies discrepancies between apps’ run-time behavior and what data developers disclose in Data Safety. Our system analyzes and identifies discrepancies in applications based on different run-time consent scenarios.

Prerequisites

  • LSPosed Framework (https://github.com/LSPosed/LSPosed)
  • MitM proxy (https://mitmproxy.org)
  • Reaper (https://github.com/Michalis-Diamantaris/Reaper)
    • We modified UIHarvester's hook from android.view.View.onDraw to android.view.View.draw to extract Android UI elements for Android 12.
    • We expanded the list of API functions that Reaper monitors. They can be found /API_methods_list
    • We extended the UIHarvester to identify not only native Android elements but also web elements using the AccessibilityService, we created an Accessibility Service that triggers when TYPE_WINDOW_CONTENT_CHANGED or TYPE_WINDOW_STATE_CHANGED and we hooked using LSPosed the onAccessibilityEvent.
  • Frida Objection for SSL Unpinning (https://github.com/sensepost/objection)

Files

  • dataset/

    Contains six csv datasets of apps with discrepancies across 3 time periods (March '23, June '23, September '23) in both the DataCollected section and DataShared section, including functions, PIIS, and the corresponding Data Safety labels that the apps collect/share but do not disclose in the Data Safety section. Also, it includes two files listing Google apps with discrepancies.

  • DataSafety_labelling.csv

    This is a spreadsheet with the mappings of each function call to the corresponding Data Safety label

  • API_methods_list

    This is the expanded version of Reaper's permission-protected function list and the list of non-permission-protected functions that yield Personally Identifiable Information (PII)

  • pseudocode/RunTimeConsentDialogDynamicIdentifier.pdf

    This is the pseudocode of the script we implemented and used to identify run-time consent dialogs dynamically.

Paper

For technical details please refer to our publication:

Abandon All Hope Ye Who Enter Here: A Dynamic, Longitudinal Investigation of Android’s Data Safety Section

https://www.usenix.org/conference/usenixsecurity24/presentation/arkalakis

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Java 46.7%
  • Python 42.5%
  • JavaScript 9.5%
  • Other 1.3%