Talk #1: Graph-Aided Directed Testing of Android Applications for Checking Runtime Privacy Behaviours
While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice due to long testing time. A common practice is to randomly and exhaustively explore the whole app test space, which takes a lot of time and resources to achieve good coverage and reach targeted parts of the apps.
In this paper, we present MAMBA, a directed testing system for checking privacy in Android apps. MAMBA performs path searches of user events in control-flow graphs of callbacks generated from static analysis of app bytecode. Based on the paths found, it builds test cases comprised of user events that can trigger the executions of the apps and quickly direct the apps' activity transitions from the starting activity towards target activities of interest, revealing potential accesses to privacy-sensitive data in the apps. MAMBA's backend testing engine then simulates the executions of the apps following the generated test cases to check actual runtime behavior of the apps that may leak users' private data. We evaluated MAMBA against another automated testing approach that exhaustively searches for target activities in 24 apps, and found that our graph-aided directed testing achieves the same coverage of target activities 6.1 times faster on average, including the time required for bytecode analysis and test case generation. By instrumenting privacy access/leak detectors during testing, we were able to verify from test logs that almost half of target activities accessed user privacy data, and 26.7% of target activities leaked privacy data to the network.
This is a pre-conference talk for The 11th IEEE/ACM International Workshop on Automation of Software Test (AST 2016).
Talk #2: Leveraging Automated Privacy Checking for Design of Mobile Privacy Protection Mechanisms
While mobile platforms rely on developers to follow good practices in privacy design, developers might not always adhere. In addition, it is often difficult for users to understand the privacy behaviour of their applications without some prolonged usage. To aid in these issues, we describe on-going research to improve privacy protection by utilizing techniques that mine privacy information from application binaries as a grey-box (Automated Privacy Checking). The outputs can then be utilized to improve the users' ability to exercise privacy-motivated discretion. We conducted a user study to observe the effects of presenting information on leak-causing triggers within applications in the form of privacy message overlays. We found that while users' prior usage time largely determined their usage behaviour, presenting trigger information helped users who disapproved of data use and had sufficient understanding of the implications of data leaks. Users' inherent level of privacy consciousness and surprise levels were also factors in ensuring the effectiveness of messages.
This is a pre-conference talk for Workshop on Bridging the Gap Between Privacy By Design and Privacy in Practice (co-located with CHI 2016).
Joseph CHAN Joo Keng is a 4th Year PhD student in the School of Information Systems (SIS) at SMU, with the Livelabs Urban Lifestyle Innovation Platform. His research is in dynamic/static analysis for mobile application privacy analytics. Joseph spent 10 months at Carnegie Mellon University (CMU) under the LARC-CMU Overseas PhD Training Residency, where he worked on a mobile privacy decision crowd-sourcing platform for the Android operating system. Prior to joining SMU, he was a communications technology, integration and research engineer in the government and private industry. His academic advisors are Associate Professor Rajesh K. BALAN and Assistant Professor JIANG Lingxiao.