Thesis defences

PhD Oral Exam - Sajjad Pourali, Information and Systems Engineering

Uncovering Privacy and Security Issues in Android Apps at Scale Through Comprehensive Dynamic Analysis


Date & time
Thursday, February 6, 2025
10 a.m. – 1 p.m.
Cost

This event is free

Organization

School of Graduate Studies

Contact

Dolly Grewal

Wheelchair accessible

Yes

When studying for a doctoral degree (PhD), candidates submit a thesis that provides a critical review of the current state of knowledge of the thesis subject as well as the student’s own contributions to the subject. The distinguishing criterion of doctoral graduate research is a significant and original contribution to knowledge.

Once accepted, the candidate presents the thesis orally. This oral exam is open to the public.

Abstract

The widespread adoption of the Android operating system has brought significant convenience to users globally. However, this prevalence has also exposed users to new forms of privacy and security threats originating from the apps they use. Android apps often collect and process sensitive user information without the user's explicit awareness or consent, using sophisticated techniques that traditional security measures fail to detect.

This thesis addresses critical gaps in mobile privacy and security by exploring three under-researched areas: (i) detection of privacy leaks via non-standard communication, (ii) identification and attribution of TLS certificate validation failures, and (iii) privacy risks from out-of-sight app operations.

First, we developed ThirdEye, a dynamic analysis tool designed to detect privacy leaks by focusing on the use of custom encryption across both HTTP/S and non-HTTP protocols, as well as covert channels via shared storage media. Utilizing ThirdEye, we analyzed 12,598 popular Android apps and discovered that 2,887 apps employed custom encryption for network transmission and storage. Among these, 2,465 apps transmitted device information that could be used to fingerprint users. Additionally, 299 apps transmitted insecurely encrypted content, and several utilized vulnerable cryptographic keys and weak algorithms such as RC4 and DES.

Second, we introduced Marvin, an automated dynamic analysis tool designed to identify TLS certificate validation failures, including the phenomenon we term validation hijacking. Marvin exercises app states to maximize coverage of potential TLS connections, traces real-time code execution related to TLS validation, and captures network traffic using a man-in-the-middle proxy with intentionally invalid certificates. Our analysis showed that a significant number of apps exhibited insecure TLS certificate validation, with validation hijacking prevalent due to insecure overrides in third-party libraries like OkHttp, often without developers’ awareness.

Third, we developed BackChecker, a novel dynamic analysis tool that detects and attributes data leakage occurring during out-of-sight app operations across multiple apps simultaneously. BackChecker systematically triggers and monitors Android background processes, including services and job schedulers, to identify privacy leaks when the app is not actively in use. Our large-scale empirical study of 15,456 popular Android apps revealed that 13,068 apps established network connections while not visible, 7,534 continued activity regardless of app state, and 10,524 transmitted sensitive information during out-of-sight operations. Additionally, we uncovered undocumented and inconsistent behaviors in Android that facilitate background execution, highlighting significant issues in platform policies.

By addressing these challenges, this thesis contributes to the development of more robust privacy and security measures in the Android ecosystem. Our tools provide advanced capabilities for detecting such sophisticated threats. The findings offer valuable insights into systemic vulnerabilities in modern mobile apps, emphasizing the need for enhanced detection mechanisms and stricter enforcement of security practices.


© Concordia University