MetaLeak: Assessing Image Metadata Leakage in Android Apps

Nguyen T. T. L.; Carminati B.; Ferrari E.
2024-01-01

Abstract

Although modern smartphone platforms emphasize user privacy protection by continually improving security mechanisms, vulnerabilities still exist, especially in the case of the Android operating system. The Android security mechanism delegates almost the entire responsibility for granting access permissions to apps to end users, who are often unaware of all the possible consequences of granting a permission. Additionally, the loose protection mechanism regulating access to media files (images, videos, audio, etc.) can be exploited by attackers as a side channel to gather sensitive data. This paper shows how sharing images containing sensitive metadata may result in an intentional or unintentional leakage of users' personal or confidential information. We designed MetaLeak, a system based on hybrid analysis of apps, to assess the identified risks. We used MetaLeak to analyze 5,000 popular apps and found that 21.9% of them sent at least one type of sensitive metadata over the internet. Moreover, for only 10.4% of the apps in our dataset is the app's actual behavior with respect to collecting GPS data compliant with the developer's claims.
2024
Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA
2024 IEEE/ACS 21st International Conference on Computer Systems and Applications, AICCSA 2024
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11383/2197155