PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS X U ETAO WEI LOREN Z O GOM EZ PROFESSOR I U LI AN N EAM T I U PROFESSOR M I CH ALI S FALOU T SOS U N I V ERSI T Y OF CALI FORN I A, RI V ERSI DE
WE DEPEND ON SMARTPHONES MORE AND MORE source:defenseindustrydaily.com “FDA approves Mobisante’s US Army CSDA initiative smartphone (Connecting Soldiers to Digital Applications) ultrasound app” to replace handheld radio + BLUE FORCE [Feb 2011] tracker + portable GPS + video feed ROVER source:mobilehealthnews.com
ANDROID IS A POPULAR SMARTPHONE PLATFORM Operating system share of smartphone sales (US) 850,000 Android phones activated every day [Google letter to investors, April 2012]
BUT WE DON’T UNDERSTAND APP BEHAVIOR source:washingtonpost.com
THE ANDROID APP MARKET IS A JUNGLE Will this app drain my battery? Will this app leak my photos? Which radio is best for me? Will this app tell my friends that I’m a moron?
FIRST STEP TO MAINTAINING THE JUNGLE Provide a low-cost method to profile the behavior of an app Given a few short executions: • What did the app do? • How does the app use resources? • What entities does it communicate with? • What was the app supposed to do? • Where there conflicts? Why?
BENEFICIAL TO Application developers • Assess performance and security implications • Make better use of resources End users • Enhance user control and improve experience • Push developers to make better use of resources
ANDROID APPS Written in Java, compiled into Dalvik VM bytecode Packaged as name.apk • Signed with developer’s private key • Essentially a .zip file containing: • .dex bytecode file (similar to .class) • “Manifest” file (XML): permissions Permission model • Permissions last FOREVER! • Shown before install • All or nothing Permissions alone aren’t enough to describe app behavior
DYNAMIC ANALYSIS WITH PROFILEDROID Desktop/laptop Android Device Profiling Monitoring Android Debugging Bridge • Goal Multi-level profiling based on static and dynamic application analysis
MONITORING AND ANALYSIS WITH PROFILEDROID
PROFILING FRAMEWORK: MONITORING Trace File Trace Trace File File Capture 3 user traces, 5 minutes per app
PROFILING FRAMEWORK: MONITORING Playback Trace File Logs Playback original trace and collect logs
A QUICK REPLAY DEMO
PROFILING FRAMEWORK: MONITORING Logs Trace File Logs Repeat playback 10 times per user (5 in morning and 5 at night, per app) Total of 30 runs of each app to build profile
PROFILING FRAMEWORK: MULTI-LAYER ANALYSIS Static Application User Application Framework Logs Libraries, Android Runtime OS Linux Kernel Network Android software stack What metrics can be used to capture app behavior?
SELECTED APPS Category App Social Facebook Angry Birds, Angry Birds$$ Games Pandora, Shazam, Shazam$$ Music & Audio Media & Video Youtube Shopping Amazon Travel Gasbuddy Instant Heart Rate, Instant Heart Health & Fitness Rate$$ Communication Dolphin browser Sports ESPN Reference Dictionary.com, Dictionary.com$$ total 27 apps: 19 free , 8 paid Wide range of apps, spanning many categories Popular apps with >1,000,000 installs
STATIC LAYER Source: manifest & bytecode decompilation • Permissions (shown at install) • Internet • Location (GPS or network) Static Application • Phone • … User Application Framework • Intents (not shown at install) • Resource use Libraries, Android Runtime without permission OS via deputy apps Linux Kernel Network
STATIC LAYER ANALYSIS RESULTS App Internet GPS Camera Mic Bluetooth Telephony Facebook p p i* p Dictionary.com p i i Instant Heart Rate p p i i Shazam p p p Total (out of 27) 27 9 6 4 3 5 p = use via permissions i = use via intents (deputy apps) *for version originally tested March 2012
USER LAYER Source: logcat, /dev/input/event • Input devices and events Static • Touchscreen Application • Physical Buttons User Application Framework • Accelerometer • Compass Libraries, Android Runtime • Light proximity sensor OS … Linux Kernel Network
USER LAYER ANALYSIS RESULTS
OPERATING SYSTEM LAYER Source: strace • System call categories Static Application • Network sockets • File system User Application Framework • VM & IPC • Enforces isolation Libraries, Android Runtime • Overhead: scheduling, OS idling, IPC Linux Kernel Network
OPERATING SYSTEM LAYER RESULTS App Intensity Filesystem Network VM & IPC Misc (syscalls/sec) (%) (%) (%) (%) Tiny Flashlight 436 1 1 77 21 Facebook 1,031 4 3 72 21 Amazon 693 1 6 77 16 InstHeartRate 944 8 2 75 15
NETWORK LAYER Source: tcpdump (packets and content) App traffic • Origin (app's website) Static Application • CDN and Cloud • Google User Application Framework • 3 rd party: ads & tracking Libraries, Android Runtime OS Linux Kernel Network
NETWORK LAYER RESULTS 3 rd App Intensity In/out Origin CDN+ Google HTTP/ ratio Cloud party HTTPS (bytes/ (%) (%) (%) (%) split sec) (%) Tiny Flashlight 134 2.49 - - 99 - 100/- AdvTaskKiller 26 0.94 - - 100 - 92/8 AdvTaskKiller$$ - - - - - - - Facebook 4,606 1.45 68 32 - - 23/77 Amazon 7,758 8.17 95 5 - - 99/1 InstHeartRate 575 2.39 - 4 86 10 86/14 InstHeartRate$$ 6 0.31 - 9 90 1 20/80
APPLICATION THUMBNAILS High usage Medium usage Low usage
READING BETWEEN THE LINES Free apps are not as free as we might think • 50—100% higher system call intensity • Dramatically higher network traffic (usually ads&tracking) Bad for your dataplan, your battery life, and your privacy VM-based isolation comes at a cost • 64—87% of system calls are due to VM and IPC
READING BETWEEN THE LINES Apps talk to many servers spread across many top-level domains • AngryBirds$$: 4 domains, AngryBirds free: 8 domains • Weatherbug: 13 domains, Shazam: 13 domains Most network traffic is not encrypted Google traffic is predominant • Except for Amazon and Facebook which have 0 (zero) Google traffic
FUTURE WORK • Expand study to include more apps • User profiles • Study the variance across users • Fully automate process • Profiler as an app to run on the device • Provide summary of usage on close
QUESTIONS?
Recommend
More recommend