Virginia Tech's DIALDroid shows Android apps steal data through secret collusion
Researchers from Virginia Tech have found that Android apps can work together to mine personal information from smartphones. While users have long been aware of the need to check the privacy settings and permissions for individual apps, few people will have thought of the potential for collusion between apps that, individually, have innocuous-looking settings.
A team from the Department of Computer Science at Virginia Tech's College of Engineering developed a tool called DIALDroid (Database powered ICC AnaLysis for anDroid) and used it to monitor the exchange of data between apps. Analysis of 110,150 apps over three years found that security and privacy are put at risk as information is shared between different, independent apps that users may have installed.
Associate Professor Daphne Yao presented the findings in Dubai at the Association for Computing Machinery Asia Computer and Communications Security Conference, saying: "What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone."
The research team notes that while some of the apps that pose a risk may do so completely unintentionally, there are examples of malware that also exploit data sharing. Yao says:
"Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data."
The full report is available to read online, and DIALDroid has been open-sourced and is available on GitHub for anyone to use.