TaintArtist promises to detect abusive smartphone apps

Whether you’re in charge of mobile security for your agency or just a consumer trying to keep your personal information private, the smartphone presents a growing challenge.  Because agencies are trying to accommodate employees who want to use their personal mobile devices and apps, screening for malware that can intercept messages, track calls and even tap into the device’s microphone is difficult if not impossible.

The size of that challenge was recently highlighted by researchers at the Center for IT Security, Privacy and Accountability (CISPA) at the University of Saarland in Germany, who found that more than 88 percent of Android apps secretly tap into user data. 

Those researchers suggested that, rather than trying to screen apps, it may be more effective to monitor the behavior of installed apps for signs of “improper” behavior. 

As a result, three CISPA researchers -- Oliver Schranz, Philipp von Styp-Rekowsky and Sebastian Weisgerber -- developed an app to track what data apps are accessing and what they are attempting to do with it.  The app is called “TaintArtist,” a reference to “taint tracking,” the practice of including an exploding dye packet in bundles of cash stolen by bank robbers. 

According to Schranz, one common culprit is malware that attempts to identify users by tracking device IDs and other data.  “This is a rather easy case where our system will notice that the app is requesting the device ID and will taint it,” Schranz said.  “Eventually, the app will send out the identifier over the Internet, probably with small modifications, which can then be detected by TaintArtist. At this point, the system will interrupt the application and inform the user before that data is about to leak.”

TaintArtist, which is still in development, then offers the user the option either to allow the action that TaintArtist considers potentially harmful or to abort the app.  “It's generally not possible to automate this decision,” Schranz said, “because each user needs to decide for himself what is allowed and what needs to be blocked, and everything needs to be judged in the current context.”

Schranz offered the example of a piece of malware taking control of an instant messaging program.  If the user actually intended to send a message, he or she will likely decline to block it when TaintArtist warns of the action.  But if the user hasn’t initiated a message and TaintArtist detects a transmission attempt, “this would be an invasion of his privacy and therefore a valid reason to block the request,” he said.

TaintArtist also allows the user to create policies about what behaviors should be monitored.  A user might, for example, choose to protect private photos but not contacts or calendar entries.
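The flow Schranz describes (tag the device ID at its source, keep the tag through small modifications, check it against the user's policy before the data leaves) can be shown with a toy tracker. This is an added Python example, not TaintArtist's code; the class and function names, the policy dictionary and the sample values are all constructed for illustration.

```python
class Tainted(str):
    """A string that remembers which sensitive sources it was derived from."""
    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

def labels_of(value):
    return getattr(value, "labels", frozenset())

def _propagating(name):
    """Wrap a str method so the result inherits labels from every operand."""
    plain = getattr(str, name)
    def wrapper(self, *args, **kwargs):
        result = plain(self, *args, **kwargs)
        if not isinstance(result, str):
            return result
        merged = set(self.labels)
        for arg in args:
            merged |= labels_of(arg)
        return Tainted(result, merged)
    return wrapper

for _name in ("__add__", "__getitem__", "upper", "lower", "replace", "strip"):
    setattr(Tainted, _name, _propagating(_name))
# Handles "prefix" + tainted, where the tainted value is the right operand.
Tainted.__radd__ = lambda self, other: Tainted(str.__add__(other, self),
                                               self.labels | labels_of(other))

# Constructed user policy: which kinds of data the user wants monitored.
POLICY = {"device_id": True, "photos": True, "contacts": False}

def network_send(payload, ask_user, policy=POLICY):
    """Sink check: pause before monitored data leaves and let the user decide."""
    monitored = sorted(l for l in labels_of(payload) if policy.get(l, False))
    if monitored and not ask_user(monitored, payload):
        return "blocked"
    return "sent"  # a real sink would transmit here

def demo(ask_user):
    device_id = Tainted("358240051111110", {"device_id"})  # constructed ID
    beacon = "uid=" + device_id[::-1].upper()              # small modifications
    contacts = Tainted("alice,bob", {"contacts"})          # not monitored
    return (labels_of(beacon),
            network_send(beacon, ask_user),
            network_send(contacts, ask_user),
            network_send("hello", ask_user))
```

Operations this example does not wrap, such as f-strings or `encode()`, return plain values and lose the label.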

Currently TaintArtist is still a “proof-of-concept prototype that proves we can solve the main technical challenges,” Schranz said, adding that the team has received generally positive feedback from testers.  “Many people have asked when and how to get our system, so we are currently evaluating how to proceed here,” he said.  “At this point, I cannot say anything more than that we keep it open whether we want to make it publicly available, create an enterprise version or go down a completely different path.”

Posted by Patrick Marshall on Mar 29, 2016 at 2:09 PM

