Information Stealing Applications

The number of third-party applications on the Android market increased from about 15,000 in 2009 to about 150,000 in 2010. The problem with this increase is that there are rogue apps that steal the user’s personal information. This information can include call logs, information about placed and received calls, the user’s address book, browsing history, cached e-mails, and photos taken with the built-in camera. With hundreds of millions of people using smartphones, this can be a huge problem. The solution to this problem comes in the form of a system called TISSA.

TISSA allows for a kind of privacy mode on Android. Usually, when a user installs an app, they are presented with all the permissions the app needs to run. In order to download the app, the user must accept all of these permissions. The problem is that a user who wishes to download the app cannot control what it can do. TISSA allows a user to control what the app can access after it has been downloaded. Essentially, it locks down the application and limits what it can see.

The researchers who are building TISSA were able to modify the Android framework and implement TISSA in fewer than 1000 lines of code. Moreover, it was found to effectively mediate access by known rogue apps with negligible performance overhead. The development of TISSA had three goals in mind: lightweight protection, application transparency, and small footprint. Lightweight protection refers to how memory- and energy-efficient the system is. Application transparency refers to revoking permissions while still maintaining compatibility. Small footprint refers to building on top of the existing framework while minimizing the changes made to it.

TISSA consists of three main components: the privacy setting content provider, the privacy setting manager, and the privacy-aware components. The privacy setting content provider is a privileged component that manages the privacy settings for untrusted apps. The privacy setting manager is a privileged app used to manage the privacy settings of already installed apps. The privacy-aware components receive requests to access private data from the first component and then query the privacy settings and respond according to the settings for the app.
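
The following is an added sketch, not TISSA's code, that models the three components in Python to show how a request for private data is mediated per app. The setting names (trusted, empty), the fail-closed default, the token used as a stand-in for Android's privilege check, and the app names are all assumptions of this example.

```python
TRUSTED, EMPTY = "trusted", "empty"   # assumed setting names, not from the page


class PrivacySettingProvider:
    """Models the privacy setting content provider: the per-app settings store."""

    def __init__(self):
        self._settings = {}             # (app, data_type) -> setting
        self.manager_token = object()   # stand-in for a platform privilege check

    def update(self, token, app, data_type, setting):
        if token is not self.manager_token:
            raise PermissionError("only the privacy setting manager may write")
        if setting not in (TRUSTED, EMPTY):
            raise ValueError(setting)
        self._settings[(app, data_type)] = setting

    def query(self, app, data_type):
        # Assumption: fail closed, so an app with no recorded setting is untrusted.
        return self._settings.get((app, data_type), EMPTY)


class PrivacySettingManager:
    """Models the privileged app the user drives to change settings after install."""

    def __init__(self, provider):
        self._provider, self._token = provider, provider.manager_token

    def set(self, app, data_type, setting):
        self._provider.update(self._token, app, data_type, setting)


class ContactsComponent:
    """Models one privacy-aware component guarding the address book."""

    def __init__(self, provider, rows):
        self._provider, self._rows = provider, list(rows)

    def read(self, calling_app):
        if self._provider.query(calling_app, "contacts") == TRUSTED:
            return list(self._rows)
        # Application transparency: return a well-formed empty result instead of
        # raising, so an app written for the stock framework keeps running.
        return []


def demo():
    provider = PrivacySettingProvider()
    manager = PrivacySettingManager(provider)
    rows = ["Alice 555-0100", "Bob 555-0101"]            # constructed sample data
    contacts = ContactsComponent(provider, rows)
    manager.set("com.example.dialer", "contacts", TRUSTED)
    apps = ("com.example.dialer", "com.example.flashlight")  # hypothetical apps
    return {app: contacts.read(app) for app in apps}
```

The untrusted app receives an empty list rather than an error, which is how the sketch expresses revoking access while maintaining compatibility.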