An Android application user privacy leakage vulnerability identification method
By combining program slicing, correlation analysis, and non-injective transformation techniques, this technology automates the detection of cross-user data transmission vulnerabilities in Android applications, solving the problem of identifying inconsistencies and privacy leaks in existing technologies, and achieving efficient and accurate vulnerability detection and remediation.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- FUDAN UNIVERSITY
- Filing Date
- 2022-09-03
- Publication Date
- 2026-07-10
AI Technical Summary
Existing technologies struggle to accurately identify and detect vulnerabilities in the excessive transmission of privacy data across user platforms in Android applications, particularly the risk of user privacy leaks caused by inconsistencies in data during transmission.
By employing static code pre-analysis, correlation analysis, and machine learning methods based on program slicing technology, combined with non-injective transformation analysis technology, this method automatically detects vulnerabilities in the excessive transmission of cross-user personal data. It identifies data flow paths through forward and backward taint analysis, and uses semantic information to identify sensitive data and detect the injectivity of transformation operations.
It achieves efficient and automated detection of vulnerabilities in the excessive transmission of cross-user personal data, improves the accuracy and efficiency of identifying sensitive data, reduces the false alarm rate, and provides effective vulnerability verification and remediation information.
Smart Images

Figure CN115470494B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of software vulnerability discovery technology, specifically relating to a method for identifying user privacy leakage vulnerabilities in Android applications. Background Technology
[0002] In recent years, an increasing number of mobile applications have offered user connectivity features. These applications often transmit rich and diverse data between users, helping them establish connections and bringing them great convenience and a wealth of services. However, this also raises some privacy and security issues. A new privacy and security risk, summarized as "excessive transmission of cross-user personal data," has emerged with the widespread use of cross-user platforms. This refers to the process of sensitive user data containing more information than actually needed for the service being transmitted from one user to other users. In this process, attackers can impersonate ordinary application users to steal excessive amounts of sensitive information from other users, leading to privacy breaches.
[0003] While numerous studies have investigated user data breaches in mobile applications, most have focused on the illegal collection of personal data within these applications, with limited attention paid to the security of this emerging cross-user platform functionality. Consequently, existing research on the privacy risks and detection methods in this area remains quite limited. Detecting "cross-user excessive data transfer" vulnerabilities using existing technologies faces two main difficulties. First, current privacy detection techniques struggle to accurately identify sensitive data belonging to the victim user from the various data transmitted during cross-user connections. This includes data that needs proper filtering of non-sensitive information or locations (such as the latitude and longitude of a shopping mall), as well as personal data not belonging to the victim user. Second, existing technologies struggle to detect the "excessive data transfer" problem addressed in this method. Identifying "excessive data transfer" can be understood as detecting inconsistencies between received and used data. Application developers typically do not directly use the raw data transmitted from the server but rather perform customized transformations based on the specific circumstances before presenting it to the user interface. This results in differences in form between the presented content and the original data, even if the amount of information is identical. Therefore, it is impossible to determine these inconsistencies simply by directly comparing the original data with the actually presented data. Summary of the Invention
[0004] The purpose of this invention is to provide an automated detection method for Android application user privacy leakage vulnerabilities, applicable to the detection of "excessive transmission of cross-user personal data" vulnerabilities.
[0005] "Excessive transmission of cross-user personal data" is a complex application-layer vulnerability. The detected vulnerability is a user privacy breach caused by a discrepancy between the user privacy information received by the Android application client and the information actually displayed on the user interface. Specifically, if the amount of other user privacy information actually received by the Android application client is greater than the amount displayed on the user interface, attackers can illegally obtain more sensitive data than what is shown by monitoring the network, thus posing a risk of user privacy breach.
[0006] Detecting such vulnerabilities presents several challenges, including accurately analyzing how data flows to the user interface, what transformations the data undergoes that could lead to inconsistencies, and how to accurately identify other people's private information within the data.
[0007] The automated detection method for Android application user privacy leakage vulnerabilities provided by this invention combines multiple technologies to effectively overcome these difficulties, specifically divided into three stages (process framework as follows). Figure 1 (as shown)
[0008] The first stage involves static code pre-analysis based on program slicing technology;
[0009] The task of this stage is to identify the code data structure storing user information and analyze how this information is displayed on the user interface. Specifically, the pre-analysis includes two parts: forward taint analysis and backward taint analysis. Forward taint analysis traces the information flowing from the network interface to the intermediate data structure, that is, starting from the standard network interface, analyzing the intermediate data structure to which the information flows. Backward taint analysis traces the process of information flowing from the intermediate data structure to the user interface, that is, starting from the standard user interface interface, analyzing which intermediate data structures the information comes from and what transformations the information undergoes before being displayed on the interface. The output information of this stage is the intermediate data structure at the intersection of forward taint analysis and backward taint analysis, as well as the identified transformation operations.
[0010] The second phase involves identifying the privacy information of other users.
[0011] The task at this stage is to analyze which information transmitted from the server belongs to the privacy information of other users (i.e., users different from the current user of the application); and to use association analysis techniques and machine learning methods to analyze the semantic information contained in the code, and to determine which intermediate data structures store user information, as well as the privacy information of other users.
[0012] The third stage involves risk detection based on non-injective transformation analysis techniques.
[0013] This stage determines whether a user privacy breach exists by judging whether the transformation operation during the flow of user privacy data to the user interface is injective.
[0014] The three stages will be described in detail below.
[0015] The first stage involves static code pre-analysis based on program slicing technology;
[0016] "Excessive Transmission of Cross-User Personal Data" focuses on the inconsistency between the transmitted private information belonging to other users and the user data actually presented on the interface. Therefore, it's necessary to analyze the data flow from transmission to the client until its presentation on the user interface. This is addressed using program slicing techniques. Observations suggest that developers typically use some kind of intermediate data structure to manage the data transmitted to the client; the most common intermediate data structure is the class used in object-oriented programming languages. To identify which information is transmitted to the client, the analysis tool needs to find these intermediate data structures through code analysis. Observations also suggest that developers typically divide data processing into two steps: first, storing the data transmitted to the client in an intermediate data structure; then retrieving the data from the intermediate data structure, possibly performing some transformations, and displaying it on the user interface. Therefore, this method also divides the analysis into two steps: the first step is forward taint analysis starting from standard network interface functions, analyzing the process of data flow from the client to the intermediate data structure; the second step is backward taint analysis starting from standard user interface functions, analyzing the process of data flow from the intermediate data structure to the user interface (static code pre-analysis methods such as...). Figure 2 (As shown).
[0017] Forward Taint Analysis: Forward taint analysis starts with standard network library functions. This invention references third-party network library usage data provided by the authoritative ranking website AppBrain, compiling a list of the most commonly used network library interfaces in Android applications as the starting point for forward taint analysis; it also compiles a list of the most commonly used deserialization third-party libraries in Android applications as identifiers for intermediate data structures. When forward analysis encounters the deserialization interface of a commonly used deserialization library, it records information about the intermediate data structure generated there.
[0018] Backward Taint Analysis: Backward taint analysis starts with standard user interface functions. This invention compiles all standard user interface functions provided in the Android development documentation. Additionally, this invention statistically analyzes the usage of view components in the sample application code, selecting frequently used view components and using their corresponding standard user interface functions as the starting point for backward taint analysis. When backward analysis reaches intermediate data structures, it records information about those intermediate data structures.
[0019] The second phase involves identifying the privacy information of other users.
[0020] "Excessive transmission of cross-user personal data" is a privacy vulnerability that exposes other users (distinct from the current user of the application). Therefore, detection tools need to identify private information belonging to other users from various types of information transmitted to the client. There are two main challenges: first, how to identify sensitive user data (such as a user's geographical location, distinct from data belonging to non-sensitive things or locations, such as the latitude and longitude of a shopping mall); and second, how to identify whether the subject of sensitive user data is another user (i.e., the victim). This invention utilizes semantic information contained in application code to implement a privacy information identification technology based on correlation analysis and machine learning, which can accurately identify sensitive data belonging to other users.
[0021] This stage utilizes semantic information in the code to help identify user privacy information and distinguish between the privacy information of the current user and other users. Specifically, it uses the semantic information contained in the name of the intermediate data structure and the names of its members to help determine whether it is an intermediate data structure used to store user information; and it uses semantic information contained in network requests, the name of the intermediate data structure, and the user interface to help distinguish whether the user information is the privacy information of the current user or that of other users.
[0022] Identifying Sensitive User Data: Existing methods for identifying sensitive user data are typically based on keyword matching or machine learning. These techniques are not well-suited to addressing the problem of excessive cross-user personal data transmission because they cannot distinguish whether seemingly sensitive data belongs to a user or an unrelated entity, such as public objects or locations. Observations suggest that the semantic information contained in the names of intermediate data structures and their member variables in code can be effectively used to identify sensitive user data. For example, the semantics of a Java class named "UserProfile" can help determine that it is an intermediate data structure storing user personal information; similarly, if a class's member variable name is "age," representing age—information strongly correlated with an individual user—it can be inferred that this class stores sensitive user data. Members in these intermediate data structures judged to store sensitive user data are likely user-related and are therefore retained. Based on these observations, this invention trains a binary classification machine learning model to effectively identify the semantic information in the names of intermediate data structures and retain all member information within intermediate data structures determined to store sensitive user data. Following this, this method employs association analysis, utilizing association information provided by semantic dictionaries such as WordNet and ConceptNet to classify these retained information words based on semantic relationships. Some unclassified words require minimal manual classification. Thus, this invention obtains a relatively complete privacy word set. Member variables of any intermediate data structures associated with this word set will be identified.
[0023] Identifying whether the subject of sensitive user data belongs to other users: The sensitive user data identified in the previous step includes data from other users and data from the current user. It is necessary to exclude data belonging to the current user to reduce false positives in the vulnerability identification results. Observations show that application code also contains semantic information that helps distinguish between other users and the current user, specifically including: 1) Semantic information in network requests, such as the request address " / api / v1 / users / nearby" indicating data from nearby users; 2) The names of intermediate data structures, such as "Follower" indicating information from other followers, while "MyProfile" clearly indicates information from the current user; 3) Semantic information contained in the user interface, such as information from other users typically not appearing in the Android application's settings page. This invention trains a binary classification machine learning model based on these three aspects of semantic information to help determine whether the subject of sensitive user data belongs to other users.
[0024] The third stage involves risk detection based on non-injective transformation analysis techniques.
[0025] Sensitive user data typically undergoes certain transformations before being presented to the user interface. The specific transformations used depend on the application's development logic and the developer's individual style. Therefore, detection tools struggle to directly analyze whether these highly customized transformations lead to inconsistencies between the transmitted sensitive information and the actually presented information. Observations suggest that the inconsistency between the data transmitted to the client and the data actually presented on the user interface is mathematically a non-injective relationship. Regardless of the data transformation, inconsistencies only occur when information loss happens during data flow. From the perspective of "excessive transmission of cross-user personal data" vulnerabilities, this inconsistency can occur in two ways. First, the sensitive user data transmitted to the client may not reach the user interface (i.e., regardless of the data's value, the displayed value on the user interface is always "empty," thus exhibiting a non-injective nature), clearly falling under the aforementioned "inconsistency" problem. Second, if the data undergoes a non-injective transformation before reaching the user interface, such as data masking, the aforementioned "inconsistency" problem will also occur. For the first scenario, identification can be performed during the code pre-analysis stage. For the second scenario, this invention designs a general detection scheme: constructing a scarecrow virtual user profile, assigning reasonable values to some commonly used user attributes, and simultaneously performing minor perturbations on the attribute values of the virtual scarecrow user to generate different but adjacent values, allowing the data transformation operation to act on these adjacent values. If different values produce the same result after the data transformation operation, it indicates that the data transformation operation is non-injective, meaning that there is an inconsistency vulnerability that this method is concerned with. For example, if the precise distance between users is 54.123 kilometers, this method will perturb its adjacent values, generating three distance values: 54.122 kilometers, 54.123 kilometers, and 54.124 kilometers. After a data transformation operation that rounds to two decimal places, these three values produce the same result: 54.12 kilometers. This proves the existence of the aforementioned inconsistency, which could lead to a vulnerability of "excessive transmission of cross-user personal data" that could leak the precise location of users. The specific working method of this stage is as follows: Figure 3 As shown.
[0026] This invention implements several advanced analysis techniques. Bidirectional program slicing analysis model the general flow of data from the network to the mobile client, comprehensively identifying the data structure that centrally manages various types of information at the intersection of two slice analyses. The combination of correlation analysis and machine learning techniques fully utilizes the rich semantic information in mobile application code to identify data structures storing user information and other user information, achieving comprehensive privacy coverage and thus helping to widely and accurately identify information related to other user privacy in mobile applications. Non-injective data transformation analysis precisely abstracts the mathematical essence of the targeted vulnerability, enabling the detection of risk transformation operations related to the targeted vulnerability from diverse data transformation methods existing in the real world. This invention's tool boasts high detection efficiency, high automation, and accurate analysis results, effectively enabling large-scale detection of "excessive transmission of cross-user personal data" vulnerabilities and providing effective information for vulnerability verification and remediation. Attached Figure Description
[0027] Figure 1 This is a diagram showing the overall architecture of the system of the present invention.
[0028] Figure 2 This is a flowchart of the code pre-analysis phase.
[0029] Figure 3 This is a flowchart of the risk detection phase. Detailed Implementation
[0030] This invention designs and implements a vulnerability detection method for "excessive transmission of cross-user personal data," which combines bidirectional program slicing analysis technology, privacy information identification technology assisted by correlation analysis and machine learning methods, and non-injective data transformation analysis technology. This section provides a detailed introduction to the specific implementation of this framework.
[0031] I. Static Code Pre-analysis Based on Program Slicing Technology
[0032] This invention uses the Soot / Flowdroid framework to implement code for program slice analysis. The pre-analysis phase takes Android application code as input. First, it performs forward analysis starting from standard network library functions, recording the intermediate data structures that the data can reach. Then, it performs backward analysis starting from standard user interface functions, recording which intermediate data structures the data displayed on the interface originates from. The forward and backward analyses generate some intersecting intermediate data structures, which serve as candidate intermediate data structures for storing sensitive user information and are the output of the pre-analysis phase. Furthermore, the pre-analysis phase also preserves semantic information in the code for subsequent analysis steps.
[0033] II. Identification of other users' privacy information
[0034] The other user privacy information identification stage of the present invention takes the candidate intermediate data structure obtained in the pre-analysis stage and the extracted semantic information as input. First, the intermediate data structure storing sensitive user information is identified by using the semantic information in the candidate intermediate data structure and its member variable names. For the candidate intermediate data structure name, the present invention uses machine learning technology to train a binary classification model to determine whether the data structure name contains information representing user data through manually labeled samples. In addition, based on previous research (such as SUPOR[1], Uipicker[2]), the present invention collected as many privacy words as possible to form an original privacy item list and divided them into 52 categories. Then, three Android application analysis experts manually judge whether these privacy items are strongly related to sensitive user data. Specifically, if two or more experts reach a consensus on a certain intermediate data structure, it will be labeled as strongly related to user data. Using the tool of ClueFinder[3], if the candidate intermediate data structure contains privacy items that are strongly related to users, it will also be judged as strongly related to sensitive user data. Through the above two discrimination criteria, the present invention can effectively identify the intermediate data structure storing sensitive user information from the candidate intermediate data structure. Furthermore, for the intermediate data structures that are strongly correlated with sensitive user data, their member information (such as member variables of Java classes) will be preserved and clustered using a semantic association analysis method. Member words with the same or similar meanings will be grouped together, ultimately forming a privacy word set containing 64 categories, which serves as the basis for identifying sensitive user data.
[0035] In addition, this invention collects network requests, names of intermediate data structures, and information contained in the user interface, and manually labels whether they are related to other user data to help determine whether an intermediate data structure stores information belonging to other users; and based on this, a binary classification machine learning model is trained to perform actual sensitive user data subject identification, i.e. whether it belongs to other users.
[0036] III. Risk Detection Based on Non-Injective Transformation Analysis Techniques
[0037] The risk detection stage of this invention, based on non-injective transformation technology, uses information provided in the first two stages as input to determine whether the transformation operation is injective. First, of the 64 privacy items provided in the second stage, 40 categories with clear meanings are assigned common values as standard values through analytical experience, while the remaining 24 categories do not yet have standard values provided. Thus, a set of virtual scarecrow user data is constructed as the basis for testing the non-injectiveness of the transformation operation. The testing method involves slightly perturbing these standard values to generate values that are close but different, and then using the standard values and the perturbed values as the original input to run the transformation operation extracted in the pre-analysis stage. If the test results produce the same output value, it proves that the tested transformation operation is a non-injective data transformation operation. Accordingly, this invention automatically generates a risk report for subsequent verification.
[0038] References
[0039] [1] Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang. 2015. {SUPOR}: Precise and scalablesensitive user input detection for Android apps. In Usenix Security Symposium (USENIX Security) .
[0040] [2] Yuhong Nan, Min Yang, Zhemin Yang, Shunfan Zhou, Guofei Gu, and Xiao Feng Wang. 2015. Uipicker: User-input privacy identification in mobile applications. In Usenix Security Symposium (USENIX Security) .
[0041] [3] Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, and Min Yang. 2018. Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps. ISOC Network and Distributed System Security Symposium (NDSS) .
Claims
1. A method for identifying user privacy leakage vulnerabilities in Android applications, wherein the identified vulnerabilities are user privacy leakage vulnerabilities caused by inconsistencies between other user privacy information received by the Android application client and other user information actually presented on the user interface; characterized in that, The method for identifying Android application user privacy leak vulnerabilities is divided into three stages: Phase 1: Static code pre-analysis based on program slicing technology The task at this stage is to identify the code data structure that stores user privacy information and analyze how this information is displayed on the user interface. Specifically, the pre-analysis is divided into two parts: forward taint analysis and backward taint analysis. Forward taint analysis is to track the information flowing from the network interface to the intermediate data structure, that is, to analyze the intermediate data structure to which the information flows, starting from the standard network interface. Backward taint analysis is the process of tracing information from intermediate data structures to the user interface. It starts with the standard user interface and analyzes the source of the intermediate data structure of the information and the transformations that the information undergoes before being displayed on the interface. The output information at this stage is the intermediate data structure at the intersection of forward taint analysis and backward taint analysis, as well as the identified transformation operations; The second phase involves identifying the privacy information of other users. The task at this stage is to analyze the information received by the network interface that belongs to the privacy information of other users, where "other users" refers to users who are different from the user currently using the application. By using association analysis techniques to analyze semantic information in the code, the intermediate data structure storing user information can be determined, and it can be further determined whether other users' privacy information is stored. The semantic information contained in network requests, intermediate data structure names, and user interface can be used to help distinguish whether the user information is the privacy of the current user or the privacy of other users. The third stage involves risk detection based on non-injective transformation analysis techniques. The task at this stage is to determine whether there are vulnerabilities that could lead to the leakage of other users' privacy information by judging whether the transformation operation in the process of other users' privacy information flowing to the user interface is injective. If different values produce the same result after the data transformation operation, it means that the data transformation operation is non-injective, that is, there is a vulnerability of inconsistency that is of concern.
2. The method for identifying Android application user privacy leakage vulnerabilities according to claim 1, characterized in that, In the first phase: The forward taint analysis starts from standard network library functions. Specifically, based on data on the usage of third-party network libraries from authoritative ranking websites, the most commonly used network library interfaces in Android applications are compiled as the starting point for forward taint analysis. At the same time, the most commonly used deserialization third-party libraries in Android applications are compiled as identifiers for identifying intermediate data structures. When the forward analysis reaches the deserialization interface of a commonly used deserialization library, the information of the intermediate data structure generated there is recorded. The backward taint analysis starts from standard user interface functions; it specifically compiles all standard user interface functions provided in the Android development documentation; in addition, it statistically analyzes the usage of view components in the sample application code, selects the view components with high usage frequency, and uses their corresponding standard user interface functions as the starting point for backward taint analysis. When the backward analysis reaches an intermediate data structure, record the information of that intermediate data structure.
3. The method for identifying Android application user privacy leakage vulnerabilities according to claim 1, characterized in that, In the second stage, semantic information in the code is used to help identify user privacy information and distinguish the privacy information of the current user from that of other users. Specifically, the semantic information contained in the name of the intermediate data structure and the names of the members of the intermediate data structure is used to help determine whether it is an intermediate data structure used to store user information. The semantic information contained in network requests, the name of the intermediate data structure, and the user interface is used to help distinguish whether the user information is the privacy of the current user or the privacy of other users.
4. The method for identifying Android application user privacy leakage vulnerabilities according to claim 3, characterized in that, In the second phase: Identifying Sensitive User Data: A binary classification machine learning model is trained to identify semantic information in the names of intermediate data structures and retain all member information within intermediate data structures identified as storing sensitive user data. Then, an association analysis method is used to classify these retained information words based on semantic association using association information provided by the WordNet and ConceptNet semantic dictionaries. This results in a complete privacy word set. Member variables of any intermediate data structure associated with this word set will be identified. Identify whether the subject of sensitive user data is another user: The sensitive user data identified in the previous step includes data of other users and data of the current user. It is necessary to exclude data belonging to the current user in order to reduce false alarms in the vulnerability identification results. The application code contains semantic information that can help distinguish between other users and the current user, specifically including: (1) semantic information in network requests; (2) the name of intermediate data structures; and (3) semantic information contained in the user interface. Based on the semantic information in these three aspects, a binary classification machine learning model is trained to determine whether the subject of sensitive user data is another user.
5. The method for identifying Android application user privacy leakage vulnerabilities according to claim 4, characterized in that, In the third stage: The inconsistency between the data containing other users' private information transmitted to the client and the data actually presented in the user interface is mathematically a non-injective relationship. This manifests in two ways: First, the sensitive user data transmitted to the client does not flow to the user interface; regardless of the data's value, the displayed value on the user interface is always "empty." This is mathematically non-injective and falls under the aforementioned "inconsistency" problem. Second, the data undergoes a non-injective transformation operation before flowing to the user interface, also resulting in the aforementioned "inconsistency" problem. The first situation can be identified during code pre-analysis. For the second situation, a general detection scheme is designed: construct a scarecrow virtual user profile, assign reasonable values to some commonly used user attributes, and simultaneously perform minor perturbations on the virtual scarecrow user's attribute values to generate different but adjacent values. The data transformation operation then applies to these adjacent values. If different values produce the same result after the data transformation operation, it indicates that the data transformation operation is non-injective, meaning that the inconsistency vulnerability of concern exists.