TY - GEN
T1 - MobiLogLeak
T2 - 27th IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2020
AU - Zhou, Rui
AU - Hamdaqa, Mohammad
AU - Cai, Haipeng
AU - Hamou-Lhadj, Abdelwahab
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/2
Y1 - 2020/2
N2 - Logging is an essential software practice that is used by developers to debug, diagnose and audit software systems. Despite the advantages of logging, poor logging practices can potentially leak sensitive data. The problem of data leakage is more severe in applications that run on mobile devices, since these devices carry sensitive identification information ranging from physical device identifiers (e.g., IMEI, MAC address) to communications network identifiers (e.g., SIM, IP, Bluetooth ID), and application-specific identifiers related to the location and the users' accounts. This preliminary study explores the impact of logging practices on the leakage of such sensitive information. In particular, we want to investigate whether log-related statements inserted into application code could lead to data leakage. While studying logging practices in mobile applications is an active research area, to our knowledge, this is the first study that explores the interplay between logging and security in the context of mobile applications for Android. We propose MobiLogLeak, an approach that identifies log statements in deployed apps that leak sensitive data. MobiLogLeak relies on taint flow analysis. Among 5,000 Android apps that we studied, we found that 200 apps leak sensitive data through logging.
AB - Logging is an essential software practice that is used by developers to debug, diagnose and audit software systems. Despite the advantages of logging, poor logging practices can potentially leak sensitive data. The problem of data leakage is more severe in applications that run on mobile devices, since these devices carry sensitive identification information ranging from physical device identifiers (e.g., IMEI, MAC address) to communications network identifiers (e.g., SIM, IP, Bluetooth ID), and application-specific identifiers related to the location and the users' accounts. This preliminary study explores the impact of logging practices on the leakage of such sensitive information. In particular, we want to investigate whether log-related statements inserted into application code could lead to data leakage. While studying logging practices in mobile applications is an active research area, to our knowledge, this is the first study that explores the interplay between logging and security in the context of mobile applications for Android. We propose MobiLogLeak, an approach that identifies log statements in deployed apps that leak sensitive data. MobiLogLeak relies on taint flow analysis. Among 5,000 Android apps that we studied, we found that 200 apps leak sensitive data through logging.
KW - Data Leakage
KW - Logging Practices
KW - Mobile Applications
KW - Taint Flow Analysis
UR - https://www.scopus.com/pages/publications/85083568384
U2 - 10.1109/SANER48275.2020.9054831
DO - 10.1109/SANER48275.2020.9054831
M3 - Conference contribution
AN - SCOPUS:85083568384
T3 - SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering
SP - 577
EP - 581
BT - SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering
A2 - Kontogiannis, Kostas
A2 - Khomh, Foutse
A2 - Chatzigeorgiou, Alexander
A2 - Fokaefs, Marios-Eleftherios
A2 - Zhou, Minghui
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 18 February 2020 through 21 February 2020
ER -