Triceratops: Privacy-protecting Mobile Apps


Presented as part of the 2014 HCSS conference.

Abstract:

We propose to build a tool, Triceratops, for protecting user privacy in mobile applications. It allows any user to protect his or her personal information from malicious mobile apps, in ways that are not possible today. Triceratops takes a mobile app with a set of privacy policies as input, and generates a secured version of the app. The secured app dynamically and efficiently enforces the specified policies, guaranteeing privacy of its users.

More specifically, our tool provides (a) finer-grained control than current private data access models, and (b) privacy guarantees, which ensure no false negatives (no missed alarms) regarding malicious leakage. These properties provide a more secure environment for users with smartphones. Furthermore, the following three properties make Triceratops practical: (1) Automated: The tool runs in a fully automated manner, with no manual code inspection required. It also directly analyzes the compiled binary without requiring access to source code. (2) Portable: Triceratops uses static code instrumentation to enforce the privacy policies by adding additional checks to the app. Thus it can be used to enforce privacy policies on any runtime environment without modifying the host OS. (3) Lightweight: Triceratops utilizes a novel technique that combines static optimization and runtime enforcement to achieve precise user privacy protection while minimizing runtime overhead. We are excited that Triceratops' enhanced privacy guarantee and ease of use have the potential to make secure mobile apps a reality.
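To make the "static optimization plus runtime enforcement" idea concrete, here is an added toy model in Python; it is not Triceratops code, and the instruction forms, the policy (private sources must not reach network sinks) and the mini-app are all constructed for this example. The static pass drops the check from sinks it can prove clean and keeps it on every sink that may see private data, and the runtime pass decides the remaining cases with exact labels.

```python
# Added toy model (not Triceratops code) of "static optimization + runtime
# enforcement". Instruction forms, all constructed for this example:
#   ("src", dst, api)   ("cat", dst, a, b)   ("sink", api, var)
#   ("sel", dst, a, b)  picks a or b by a runtime flag the static pass cannot see
PRIVATE_APIS = {"getDeviceId", "getLocation"}  # policy: private sources
NET_SINKS = {"sendHttp"}                       # policy: must not receive them

def instrument(program):
    """Static pass: over-approximate which variables MAY hold private data and
    keep a runtime check only on network sinks that may see it. Sinks proven
    clean lose their check (the optimization); every possibly-tainted sink
    keeps one, so no leak is missed (no false negatives)."""
    may, out = set(), []
    for ins in program:
        op = ins[0]
        if op == "src" and ins[2] in PRIVATE_APIS:
            may.add(ins[1])
        elif op in ("cat", "sel") and (ins[2] in may or ins[3] in may):
            may.add(ins[1])
        out.append((ins, op == "sink" and ins[1] in NET_SINKS and ins[2] in may))
    return out

def run(instrumented, flag):
    """Runtime pass: execute with exact taint labels. A checked sink that really
    receives private data is blocked; unchecked sinks run with no overhead."""
    val, tainted, sent, blocked = {}, {}, [], []
    for ins, checked in instrumented:
        op = ins[0]
        if op == "src":
            val[ins[1]] = f"<{ins[2]}>"
            tainted[ins[1]] = ins[2] in PRIVATE_APIS
        elif op == "cat":
            val[ins[1]] = val[ins[2]] + val[ins[3]]
            tainted[ins[1]] = tainted[ins[2]] or tainted[ins[3]]
        elif op == "sel":
            pick = ins[2] if flag else ins[3]
            val[ins[1]], tainted[ins[1]] = val[pick], tainted[pick]
        elif op == "sink":
            (blocked if checked and tainted[ins[2]] else sent).append(val[ins[2]])
    return sent, blocked

# Constructed mini-app: the version string is public, the device id is private.
APP = [("src", "ver", "getAppVersion"), ("src", "dev", "getDeviceId"),
       ("cat", "msg", "ver", "dev"), ("sel", "y", "ver", "msg"),
       ("sink", "sendHttp", "ver"), ("sink", "sendHttp", "y")]

def checks_inserted(program):
    """Number of sinks that still carry a runtime check after the static pass."""
    return sum(1 for _, checked in instrument(program) if checked)
```

Only one of the two network sinks keeps a check; whether it fires depends on which value the runtime selection actually routes to it.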

Speaker Bio:

Edward Wu is a 2nd-year PhD student in Computer Science & Engineering at the University of Washington, Seattle. His current research is in building new software defenses to make computing devices more secure, and his research interest lies in the intersection of security, programming languages, and systems. He interned at the Qualcomm Product Security group during summer 2012, where he worked on static instrumentation based runtime memory error detectors for Qualcomm's proprietary embedded ISA and OS. He received a B.S. in Electrical Engineering and Computer Science from the University of California, Berkeley in 2012. As an undergrad, he worked with Prof. Dawn Song at Berkeley on binary analysis, vulnerability discovery (BitBlaze) and mobile security (DroidBlaze).

License: CC-2.5
Submitted by William Martin on