TaintArtist promises to detect abusive phone apps
Whether you’re in charge of mobile security for your agency or just a consumer trying to keep your personal information private, the smartphone presents a growing challenge. Because agencies are trying to accommodate employees who want to use their personal mobile devices and apps, screening for malware that can intercept messages, track calls and even tap into the device’s microphone is difficult if not impossible.
The size of that challenge was recently highlighted by researchers at the Center for IT Security, Privacy and Accountability (CISPA) at the University of Saarland in Germany, who found that more than 88 percent of Android apps secretly tap into user data.
Those researchers suggested that, rather than trying to screen apps, it may be more effective to monitor the behavior of installed apps for signs of “improper” behavior.
As a result, three CISPA researchers -- Oliver Schranz, Philipp von Styp-Rekowsky and Sebastian Weisgerber -- developed an app to track what data apps are accessing and what they are attempting to do with it. The app is called “TaintArtist,” a reference to “taint tracking,” the practice of including an exploding dye packet in bundles of cash stolen by bank robbers.
According to Schranz, one common culprit is malware that attempts to identify users by tracking device IDs and other data. “This is a rather easy case where our system will notice that the app is requesting the device ID and will taint it,” Schranz said. “Eventually, the app will send out the identifier over the Internet, probably with small modifications, which can then be detected by TaintArtist. At this point, the system will interrupt the application and inform the user before that data is about to leak.”
TaintArtist, which is still in development, then offers the user the option either to allow the action that TaintArtist considers potentially harmful or to abort the app. “It's generally not possible to automate this decision,” Schranz said, “because each user needs to decide for himself what is allowed and what needs to be blocked, and everything needs to be judged in the current context.”
Schranz offered the example of a piece of malware taking control of an instant messaging program. If the user actually intended to send a message, he or she will likely decline to block it when TaintArtist warns of the action. But if the user hasn’t initiated a message and TaintArtist detects a transmission attempt, “this would be an invasion of his privacy and therefore a valid reason to block the request,” he said.
TaintArtist also allows the user to create policies about what behaviors should be monitored. A user might, for example, choose to protect private photos but not contacts or calendar entries.
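The flow Schranz describes, in which a device ID is tainted at the source, survives small modifications and is caught before it leaves the device, can be shown together with a per-category policy in Python. This is an added illustration, not TaintArtist's code; every class, function name and sample value is an assumption made for the example.

```python
# Added illustration of taint tracking; all names and values are constructed.

class Tainted(str):
    """String carrying labels that name the sensitive sources it derives from."""
    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    # Propagation: results of operations on tainted data stay tainted.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.labels | labels_of(other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.labels | labels_of(other))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.labels)

    def upper(self):
        return Tainted(str.upper(self), self.labels)

def labels_of(value):
    """Labels of a value; plain (untainted) values have none."""
    return getattr(value, "labels", frozenset())

# Sources: reads of sensitive data return labelled values.
def read_device_id():
    return Tainted("a1b2c3d4e5f6", {"device_id"})   # constructed sample ID

def read_contacts():
    return Tainted("alice;bob", {"contacts"})       # constructed sample data

def network_send(payload, monitored, ask_user):
    """Sink: before data leaves, compare its labels with the user's policy."""
    leaking = labels_of(payload) & frozenset(monitored)
    if leaking and not ask_user(sorted(leaking)):
        return "blocked"
    return "sent"

def demo():
    policy = {"device_id"}                  # user chose not to monitor contacts
    deny = lambda labels: False             # user answers "abort" at the prompt
    modified_id = "uid=" + read_device_id()[::-1].upper()   # small modifications
    return (
        network_send(modified_id, policy, deny),      # tainted and monitored
        network_send(read_contacts(), policy, deny),  # tainted, not monitored
        network_send("hello", policy, deny),          # untainted
    )
```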
Currently TaintArtist is still a “proof-of-concept prototype that proves we can solve the main technical challenges,” Schranz said, adding that the team has received generally positive feedback from testers. “Many people have asked when and how to get our system, so we are currently evaluating how to proceed here,” he said. “At this point, I cannot say anything more than that we keep it open whether we want to make it publicly available, create an enterprise version or go down a completely different path.”
Posted by Patrick Marshall on Mar 29, 2016 at 2:09 PM