Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications

Authors: Elleen Pan (Northeastern University), Jingjing Ren (Northeastern University), Martina Lindorfer (UC Santa Barbara), Christo Wilson (Northeastern University), David Choffnes (Northeastern University)

Volume: 2018
Issue: 4
Pages: 33–50
DOI: https://doi.org/10.1515/popets-2018-0030

Download PDF

Abstract: The high-fidelity sensors and ubiquitous internet connectivity offered by mobile devices have facilitated an explosion in mobile apps that rely on multimedia features. However, these sensors can also be used in ways that may violate user’s expectations and personal privacy. For example, apps have been caught taking pictures without the user’s knowledge and passively listened for inaudible, ultrasonic audio beacons. The developers of mobile device operating systems recognize that sensor data is sensitive, but unfortunately existing permission models only mitigate some of the privacy concerns surrounding multimedia data. In this work, we present the first large-scale empirical study of media permissions and leaks from Android apps, covering 17,260 apps from Google Play, AppChina, Mi.com, and Anzhi. We study the behavior of these apps using a combination of static and dynamic analysis techniques. Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent. We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions.

Keywords: privacy; mobile devices; audio, video, and image leaks

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.