MorphDroid: Fine-grained Privacy Verification

Mobile devices are rich in sensors, such as a Global Positioning System (GPS) tracker, microphone and camera, and have access to numerous sources of personal information, including the device ID, contacts and social data. This richness increases the functionality of mobile apps, but also creates privacy threats. As a result, different solutions have been proposed to verify or enforce privacy policies.

A key limitation of existing approaches is that they reason about privacy at a coarse level, without accounting for declassification rules, such that the location for instance is treated as a single unit of information without reference to its many fields. As a result, legitimate app behaviors --- such as releasing the user's city rather than exact address --- are perceived as privacy violations, rendering existing analyses overly conservative and thus of limited usability.

In this paper, we present MorphDroid, a novel static analysis algorithm that verifies mobile applications against fine-grained privacy policies. Such policies define constraints over combinations of fine-grained units of private data. Specifically, through a novel design, MorphDroid tracks flows of fine-grained privacy units while addressing important challenges, including (i) detection of correlations between different units (e.g. longitude and latitude) and (ii) modeling of semantic transformations over private data (e.g. conversion of the location into an address).

We have implemented MorphDroid, and present a thorough experimental evaluation atop a benchmark suite for Android static analyses (DroidBench), and the 500 top-popular Google Play applications in 2014. Our experiments involve a spectrum of 5 security policies, ranging from a strict coarse-grained policy to a more realistic fine-grained policy that accounts for declassification rules. The experiment on DroidBench shows that MorphDroid achieves precision and recall above 90%. In addition, the experiments on popular apps show that the gap is dramatic, with the most conservative policy detecting violations in 171 of the applications (34%), and the more realistic policy flagging only 4 of the applications as misbehaved (<1%). In addition, MorphDroid exhibits good performance with an average analysis time of <20 seconds, where on average apps consist 1.4M lines of code.

Author(s):

Pietro Ferrara    
IBM T.J. Watson Research Center
United States

Omer Tripp    
IBM T.J. Watson Research Center
United States

Marco Pistoia    
IBM T.J. Watson Research Center
United States