14-829 / 18-638: Mobile and IoT Security - Fall 2021
Lab 2: Subverting Android Permissions for Fun and Profit
- Due: Sep 17
- Description: This lab will build on what you learned in the previous lab and give you an opportunity
to play the role of the curious developer. Knowing the progression of Android permissions, you'll develop
an application that has very simple user-facing functionality on the outside but sneaky location tracking hidden
underneath, regardless of what Android version is running. You'll also have an opportunity to expand beyond location
tracking to learning other sensitive information about the user.
- Tasks:
- Design a useful app that secretly benefits the developer - Modify your basic app from Lab 1 to have some
very simple functionality (e.g., playing a game, helping the user find the most adorable cat photos) in the foreground.
In the background, include "silent" functionality to periodically record/report the user's location without using any
of Android's location permissions. Other permissions are allowed as needed, and your app can check the running OS
version and act accordingly. You can safely assume that the user does not try to detect the unusual behavior (e.g., using
task manager, logs, or traffic analysis), but the background functionality should not be obvious and the app should not
appear to depend on location data (e.g., finding cats, but not finding nearby cats). Your app should attempt to get the most
information possible for each Android OS version between 4.4 and 11 (inclusive), at a rate of one measurement per second.
Your app cannot require, obtain, or leverage root access.
- Track your user - Using the data exfiltrated from the user's device, create a data analysis and visualization
tool to map the target user's inferred location history (not on their Android device, but on your host machine) after
you have collected enough location information that you can tell where the user went. There are many ways to do this,
and most of them are acceptable, but only test on yourself. Also, make sure to keep track of actual location history
while recording, so you can compare to ground truth. Ask for help if this is unclear. If you don't have a physical device
that can collect the needed information, we will provide one for you. Otherwise, some data sets may be available as a backup plan.
- Learn something else about your user - Access other non-permission-protected resources on the Android device to
learn something about your user (i.e., yourself) other than location that is interesting, privacy-sensitive, and unrelated
to the foreground app (e.g., a health tracker should learn your health info, but not your banking password).
- Deliverables & Submission: Prepare a written summary of your efforts and responses for the above tasks.
The summary report should include:
- A brief summary of what you did for each task and how you satisfied the requirements and constraints of the lab.
- Suitable images or short code snippets (not all of your code) to demonstrate that you accomplished the goals of each task.
In particular, include images showing your map visualization of user tracking and a nice visual representation (if applicable)
of any other sensitive information learned about the user.
- A brief description of any interesting findings.
This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted via Canvas as a .pdf document.
- Grading: This lab is worth 20 points, with 4 points allocated to the description of your
methodology and development efforts, 8 points for describing suitable location tracking functionality under all
required Android versions, 4 points for visualization of results, and 4 points for meeting all of the
constraints. We reserve the right to take off points for unreadable reports, poor writing, missing details, inappropriate
content, etc.