14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2021



Lab 2: Subverting Android Permissions for Fun and Profit

Due: Sep 17

Description: This lab will build on what you learned in the previous lab and give you an opportunity to play the role of the curious developer. Knowing the progression of Android permissions, you'll develop an application that has very simple user-facing functionality on the outside but sneaky location tracking hidden underneath, regardless of what Android version is running. You'll also have an opportunity to expand beyond location tracking to learning other sensitive information about the user.

Tasks:
  1. Design a useful app that secretly benefits the developer - Modify your basic app from Lab 1 to have some very simple functionality (e.g., playing a game, helping the user find the most adorable cat photos) in the foreground. In the background, include "silent" functionality to periodically record/report the user's location without using any of Android's location permissions. Other permissions are allowed as needed, and your app can check the running OS version and act accordingly. You can safely assume that the user does not try to detect the unusual behavior (e.g., using task manager, logs, or traffic analysis), but the background functionality should not be obvious and the app should not appear to depend on location data (e.g., finding cats, but not finding nearby cats). Your app should attempt to get the most information possible for each Android OS version between 4.4 and 11 (inclusive), at a rate of one measurement per second. Your app cannot require, obtain, or leverage root access.
  2. Track your user - Using the data exfiltrated from the user's device, create a data analysis and visualization tool to map the target user's inferred location history (not on their Android device, but on your host machine) after you have collected enough location information that you can tell where the user went. There are many ways to do this, and most of them are acceptable, but only test on yourself. Also, make sure to keep track of actual location history while recording, so you can compare to ground truth. Ask for help if this is unclear. If you don't have a physical device that can collect the needed information, we will provide one for you. Otherwise, some data sets may be available as a backup plan.
  3. Learn something else about your user - Access other non-permission-protected resources on the Android device to learn something about your user (i.e., yourself) other than location that is interesting, privacy-sensitive, and unrelated to the foreground app (e.g., a health tracker should learn your health info, but not your banking password).

Deliverables & Submission: Prepare a written summary of your efforts and responses for the above tasks. The summary report should include:
  • A brief summary of what you did for each task and how you satisfied the requirements and constraints of the lab.
  • Suitable images or short code snippets (not all of your code) to demonstrate that you accomplished the goals of each task. In particular, include images showing your map visualization of user tracking and a nice visual representation (if applicable) of any other sensitive information learned about the user.
  • A brief description of any interesting findings.
This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted via Canvas as a .pdf document.

Grading: This lab is worth 20 points, with 4 points allocated to the description of your methodology and development efforts, 8 points for describing suitable location tracking functionality under all required Android versions, 4 points for visualization of results, and 4 points for meeting all of the constraints. We reserve the right to take off points for unreadable reports, poor writing, missing details, inappropriate content, etc.