PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS

SLIDE 1

XUETAO WEI, LORENZO GOMEZ

PROFESSOR IULIAN NEAMTIU, PROFESSOR MICHALIS FALOUTSOS

UNIVERSITY OF CALIFORNIA, RIVERSIDE

PROFILEDROID:

MULTI-LAYER PROFILING OF ANDROID APPLICATIONS

SLIDE 2

WE DEPEND ON SMARTPHONES MORE AND MORE

US Army CSDA initiative

(Connecting Soldiers to Digital Applications) to replace handheld radio + BLUE FORCE tracker + portable GPS + video feed ROVER

source:defenseindustrydaily.com

“FDA approves Mobisante’s smartphone ultrasound app”

[Feb 2011]

source:mobilehealthnews.com

SLIDE 3

ANDROID IS A POPULAR SMARTPHONE PLATFORM

Operating system share of smartphone sales (US)

850,000 Android phones activated every day

[Google letter to investors, April 2012]

SLIDE 4

BUT WE DON’T UNDERSTAND APP BEHAVIOR

source:washingtonpost.com

SLIDE 5

THE ANDROID APP MARKET IS A JUNGLE

  • Will this app leak my photos?
  • Will this app drain my battery?
  • Will this app tell my friends that I’m a moron?

Which radio is best for me?

SLIDE 6

FIRST STEP TO MAINTAINING THE JUNGLE

Provide a low-cost method to profile the behavior of an app.

Given a few short executions:

  • What did the app do?
  • How does the app use resources?
  • What entities does it communicate with?
  • What was the app supposed to do?
  • Were there conflicts? Why?

SLIDE 7

BENEFICIAL TO

Application developers

  • Assess performance and security implications
  • Make better use of resources

End users

  • Enhance user control and improve experience
  • Push developers to make better use of resources
SLIDE 8

ANDROID APPS

Written in Java, compiled into Dalvik VM bytecode

Packaged as name.apk

  • Signed with developer’s private key
  • Essentially a .zip file containing:
      • .dex bytecode file (similar to .class)
      • “Manifest” file (XML): permissions

Permission model

  • Permissions last FOREVER!
  • Shown before install
  • All or nothing

Permissions alone aren’t enough to describe app behavior

SLIDE 9

DYNAMIC ANALYSIS WITH PROFILEDROID

[Figure labels: Android Device (Monitoring), Android Debugging Bridge, Desktop/laptop (Profiling)]

Goal: multi-level profiling based on static and dynamic application analysis

SLIDE 10

MONITORING AND ANALYSIS WITH PROFILEDROID

SLIDE 11

PROFILING FRAMEWORK: MONITORING

Capture 3 user traces, 5 minutes per app

[Figure labels: Trace File (three)]

SLIDE 12

PROFILING FRAMEWORK: MONITORING

Playback original trace and collect logs

[Figure labels: Trace File, Playback, Logs]

SLIDE 13

A QUICK REPLAY DEMO

SLIDE 14

PROFILING FRAMEWORK: MONITORING

Repeat playback 10 times per user

[Figure labels: Trace File, Logs]

Total of 30 runs of each app to build profile

(5 in morning and 5 at night, per app)

SLIDE 15

PROFILING FRAMEWORK: MULTI-LAYER ANALYSIS

[Figure: Android software stack (Linux Kernel; Libraries, Android Runtime; Application Framework; Application) beside the profiling layers Static, User, OS, Network, each feeding Logs]

What metrics can be used to capture app behavior?

SLIDE 16

SELECTED APPS

| Category | App |
|---|---|
| Social | Facebook |
| Games | Angry Birds, Angry Birds$$ |
| Music & Audio | Pandora, Shazam, Shazam$$ |
| Media & Video | Youtube |
| Shopping | Amazon |
| Travel | Gasbuddy |
| Health & Fitness | Instant Heart Rate, Instant Heart Rate$$ |
| Communication | Dolphin browser |
| Sports | ESPN |
| Reference | Dictionary.com, Dictionary.com$$ |

Total 27 apps: 19 free, 8 paid

  • Wide range of apps, spanning many categories
  • Popular apps with >1,000,000 installs

SLIDE 17

STATIC LAYER

Source: manifest & bytecode decompilation

  • Permissions (shown at install)
      • Internet
      • Location (GPS or network)
      • Phone
  • Intents (not shown at install)
      • Resource use without permission via deputy apps

SLIDE 18

STATIC LAYER ANALYSIS RESULTS

Columns: App, Internet, GPS, Camera, Mic, Bluetooth, Telephony

  • Facebook: p p i* p
  • Dictionary.com: p i i
  • Instant Heart Rate: p p i i
  • Shazam: p p p
  • Total (out of 27): 27 9 6 4 3 5

p = use via permissions

i = use via intents (deputy apps)

*for version originally tested March 2012

SLIDE 19

USER LAYER

Source: logcat, /dev/input/event

  • Input devices and events
  • Touchscreen
  • Physical Buttons
  • Accelerometer
  • Compass
  • Light proximity sensor

SLIDE 20

USER LAYER ANALYSIS RESULTS

SLIDE 21

OPERATING SYSTEM LAYER

Source: strace

  • System call categories
  • Network sockets
  • File system
  • VM & IPC
  • Enforces isolation
  • Overhead: scheduling, idling, IPC

SLIDE 22

OPERATING SYSTEM LAYER RESULTS

| App | Intensity (syscalls/sec) | Filesystem (%) | Network (%) | VM & IPC (%) | Misc (%) |
|---|---|---|---|---|---|
| Tiny Flashlight | 436 | 1 | 1 | 77 | 21 |
| Facebook | 1,031 | 4 | 3 | 72 | 21 |
| Amazon | 693 | 1 | 6 | 77 | 16 |
| InstHeartRate | 944 | 8 | 2 | 75 | 15 |
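The two OS-layer metrics reported above (syscall intensity and per-category share) can be derived from an strace log along the following lines. This is an added example, not ProfileDroid's own code; the syscall-to-category mapping, the `strace -f -ttt` line format and the sample trace are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed syscall-to-category mapping (not the authors' list); unlisted
# calls are Misc. read/write on a socket fd would need fd tracking.
CATEGORIES = {
    "Filesystem": {"open", "read", "write", "close", "stat64", "fstat64", "lseek"},
    "Network": {"socket", "connect", "sendto", "recvfrom", "setsockopt"},
    "VM & IPC": {"ioctl", "futex", "mmap2", "munmap", "mprotect", "clock_gettime"},
}
# `strace -f -ttt -o file` lines: optional pid, epoch timestamp, then "name(".
LINE_RE = re.compile(r"^(?:\d+\s+)?(\d+\.\d+)\s+(\w+)\(")

# Constructed sample trace (hypothetical app com.example.app).
SAMPLE = """\
4321 1331245678.000000 ioctl(9, 0xc0186201, 0xbe9d0a58) = 0
4321 1331245678.200000 futex(0x2a0f4c, FUTEX_WAIT, 1, NULL <unfinished ...>
4330 1331245678.400000 clock_gettime(CLOCK_MONOTONIC, {5120, 883000}) = 0
4330 1331245678.600000 open("/data/data/com.example.app/cache/a", O_RDONLY) = 31
4330 1331245678.800000 read(31, "GIF89a"..., 4096) = 4096
4321 1331245679.000000 <... futex resumed> ) = 0
4321 1331245679.200000 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 32
4321 1331245679.400000 ioctl(9, 0xc0186201, 0xbe9d0a58) = 0
4321 1331245679.600000 mprotect(0x4a000000, 4096, PROT_READ) = 0
4330 1331245679.800000 getpid() = 4330
4321 1331245680.000000 ioctl(9, 0xc0186201, 0xbe9d0a58) = 0
4330 1331245680.000000 +++ exited with 0 +++
"""

def categorize(name):
    return next((c for c, names in CATEGORIES.items() if name in names), "Misc")

def profile(lines):
    """Return (syscalls/sec, {category: percent of calls}) for one trace."""
    counts, stamps = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # exit/signal lines and "<... resumed>" halves: skip
            continue
        stamps.append(float(m.group(1)))
        counts[categorize(m.group(2))] += 1
    total = sum(counts.values())
    if total == 0:
        return 0.0, {}
    duration = max(stamps) - min(stamps)
    intensity = total / duration if duration > 0 else float(total)
    return intensity, {c: round(100 * n / total) for c, n in counts.items()}
```

Skipping the `<... resumed>` half of an interrupted call keeps each syscall counted once when several threads are traced together.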

SLIDE 23

NETWORK LAYER

Source: tcpdump (packets and content)

App traffic

  • Origin (app's website)
  • CDN and Cloud
  • Google
  • 3rd party: ads & tracking

SLIDE 24

NETWORK LAYER RESULTS

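| App | Intensity (bytes/sec) | In/out ratio | Origin (%) | CDN+Cloud (%) | Google (%) | 3rd party (%) | HTTP/HTTPS split (%) |
|---|---|---|---|---|---|---|---|
| Tiny Flashlight | 134 | 2.49 | - | - | 99 | - | 100/- |
| AdvTaskKiller | 26 | 0.94 | - | - | 100 | - | 92/8 |
| AdvTaskKiller$$ | - | - | - | - | - | - | - |
| Facebook | 4,606 | 1.45 | 68 | 32 | - | - | 23/77 |
| Amazon | 7,758 | 8.17 | 95 | 5 | - | - | 99/1 |
| InstHeartRate | 575 | 2.39 | - | 4 | 86 | 10 | 86/14 |
| InstHeartRate$$ | 6 | 0.31 | - | 9 | 90 | 1 | 20/80 |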
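The network-layer columns above can be computed from per-connection byte counts extracted from a tcpdump capture, as in this added example (not ProfileDroid's own code). The domain suffix lists, the port-based HTTP/HTTPS split, the reading of the ratio as incoming over outgoing bytes, and the sample flows for a hypothetical app with origin example.com are all assumptions.

```python
# Assumed suffix lists for illustration; the slides do not give the
# authors' lists. The origin domain is supplied per app.
GOOGLE = ("google.com", "googleapis.com", "gstatic.com", "doubleclick.net")
CDN_CLOUD = ("akamai.net", "cloudfront.net", "amazonaws.com")

# Constructed flows for a hypothetical app whose origin is example.com:
# (server_host, server_port, bytes_in, bytes_out), one per connection.
FLOWS = [
    ("api.example.com", 443, 9000, 3000),
    ("d1a2b3c4.cloudfront.net", 80, 7500, 1500),
    ("www.googleapis.com", 443, 4500, 1500),
    ("ads.tracker.example.net", 80, 2400, 600),
]

def in_domain(host, suffixes):
    # Match on a label boundary so "notgoogle.com" is not counted as Google.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(host, origin):
    if in_domain(host, origin):
        return "Origin"
    if in_domain(host, GOOGLE):
        return "Google"
    if in_domain(host, CDN_CLOUD):
        return "CDN+Cloud"
    return "3rd party"

def network_profile(flows, origin, seconds):
    """Per-run metrics in the shape of the slide's table columns."""
    total_in = sum(f[2] for f in flows)
    total_out = sum(f[3] for f in flows)
    total = total_in + total_out
    if total == 0:
        return None
    by_cat, by_port = {}, {80: 0, 443: 0}
    for host, port, b_in, b_out in flows:
        cat = classify(host.lower(), origin)
        by_cat[cat] = by_cat.get(cat, 0) + b_in + b_out
        if port in by_port:  # assumption: 80 = HTTP, 443 = HTTPS
            by_port[port] += b_in + b_out
    web = by_port[80] + by_port[443]
    return {
        "bytes_per_sec": total / seconds,
        "in_out_ratio": round(total_in / total_out, 2) if total_out else None,
        "shares": {c: round(100 * n / total) for c, n in by_cat.items()},
        "http_https": (round(100 * by_port[80] / web),
                       round(100 * by_port[443] / web)) if web else None,
    }
```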

SLIDE 25

APPLICATION THUMBNAILS

High usage Medium usage Low usage

SLIDE 26

READING BETWEEN THE LINES

Free apps are not as free as we might think

  • 50—100% higher system call intensity
  • Dramatically higher network traffic (usually ads & tracking)

→ Bad for your data plan, your battery life, and your privacy

VM-based isolation comes at a cost

  • 64—87% of system calls are due to VM and IPC
SLIDE 27

READING BETWEEN THE LINES

Apps talk to many servers spread across many top-level domains

  • AngryBirds$$: 4 domains, AngryBirds free: 8 domains
  • Weatherbug: 13 domains, Shazam: 13 domains

Most network traffic is not encrypted

Google traffic is predominant

  • Except for Amazon and Facebook, which have 0 (zero) Google traffic

SLIDE 28

FUTURE WORK

  • Expand study to include more apps
  • User profiles
  • Study the variance across users
  • Fully automate process
  • Profiler as an app to run on the device
  • Provide summary of usage on close
SLIDE 29

QUESTIONS?