Tuesday, 24 March 2020

On 22:43 by admin
A research paper published this week has analyzed the current usage of a lesser-known feature of the Android operating system that could be a danger to user privacy.
The study found that many of today’s top Android apps make use of IAMs (Installed Application Methods), a set of Android OS API calls that allow app developers to get a list of other applications installed on the device.
Google initially created these API calls[12] to allow developers to detect app incompatibilities or fine-tune interactions with other apps. However, the study published this week suggests that IAMs are also being used to track and fingerprint users, posing a palpable privacy risk.
The danger to user privacy comes from the fact that an advertiser could infer interests and personal traits (gender, spoken languages, religious beliefs, age groups) by analyzing a user’s list of installed applications.
In addition, there is also the issue that users can’t protect themselves against IAM-based fingerprinting. This is because IAM calls are “silent methods,” meaning that an app does not need to ask the user for permission before it executes.
Furthermore, many IAM calls are also executed without the app developer’s knowledge. If an app supports an analytics package or an advertising library, researchers found that many of these ran silent IAM API calls without the app developer being aware this was happening.

Analyzing thousands of apps

The research paper published this week looked at all these angles and quantified IAM usage stats in the Android ecosystem for the first time.
This monumental task was carried out by a team of four academics from universities in Switzerland, Italy, and the Netherlands. The research team said it analyzed thousands of Android apps and their respective code, looking for IAM API calls, regardless of their location — the app’s code or a third-party library.
Researchers said they analyzed 14,342 Android apps published in the top categories of the Google Play Store and another set of 7,886 Android applications that had their source code published online.
According to the research team, usage of IAMs is quite common in commercial apps, with 30.29% (4,214) of the Play Store apps making IAM calls within their code. For open-source apps, this number was only at 2.89% (228 apps).
The research team didn’t just study which apps made IAM calls; they also looked at which IAM call each app was making, in an attempt to understand what app developers were trying to achieve through this feature.
The table below speaks volumes.
It shows that almost half of all recorded IAM calls found inside both Play Store and open-source apps were for the packageName IAM call, which retrieves a list of locally installed apps.
All the other IAM calls had a usage percentage of less than 15%, with most being under 1%. Most of these are IAM calls for technical app details, such as signatures, app versions, last update times, or SDK version numbers.
Such calls are often used to debug apps — the primary goal and reason why the IAM API was created in the first place.
However, the high number of queries for the packageName IAM suggests that many apps are getting a list of locally installed apps, and then doing nothing else — indicating a “collection” type of behavior on the part of those apps.
This discovery that IAM calls are most likely used for data collection rather than actual debugging was later confirmed when the research team also looked at the location of the code that executed the IAM call.
What researchers found was that most IAM calls were originating from third-party libraries added to apps, rather than the apps themselves.
“A total of 7,538 and 287 calls to IAMs were detected in commercial and open-source apps respectively (some apps perform more than one call),” the research team said.
“Usages of IAMs in included libraries appear to be more common in commercial apps, where 6,306 (83.66%) of detected calls are performed in code belonging to libraries, while the remaining 1,232 (16.34%) are performed in the apps’ own code,” researchers said. “Concerning open-source apps, 178 usages (62.02%) are performed from bundled libraries while remaining 109 (37.98%) belong to the apps’ own code.”
According to the research team, more than a third of the third-party libraries that they discovered running IAM calls were used for advertising purposes, confirming that IAM calls are now being used as a user data collection mechanism.
A follow-up questionnaire with 70 app developers also found that many developers weren’t even aware that the third-party libraries they used in their apps were performing IAM calls.
“We were not aware that it was used at all,” said one of the developers who answered researchers and completed the questionnaire.
“We aren’t using it. Third-party API? If you can tell me which one I’ll remove it,” said another.
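A developer can run the same kind of check on their own build. The sketch below is an added example, not the researchers' tool: it scans decompiled smali for calls to `PackageManager.getInstalledApplications` and `getInstalledPackages` (assumed here to be the IAMs in question) and attributes each call site to the app's own package or to a bundled library. The sample smali and all package names are constructed.

```python
import re
from collections import Counter

# PackageManager methods assumed here to be the IAMs (the article does not name them).
IAM_CALL = re.compile(
    r"invoke-\S+ \{[^}]*\}, Landroid/content/pm/PackageManager;->"
    r"(getInstalledApplications|getInstalledPackages)\(")
CLASS_DECL = re.compile(r"^\.class\s+(?:[\w-]+\s+)*L([^;]+);")

def find_iam_calls(smali_files, app_package):
    """Return (class, method, origin) per IAM call site; origin is "app" when
    the calling class sits under app_package, otherwise "library"."""
    own_prefix = app_package.replace(".", "/") + "/"
    hits = []
    for text in smali_files.values():
        current_class = None
        for line in map(str.strip, text.splitlines()):
            decl = CLASS_DECL.match(line)
            if decl:
                current_class = decl.group(1)
                continue
            call = IAM_CALL.search(line)
            if call and current_class:
                origin = "app" if current_class.startswith(own_prefix) else "library"
                hits.append((current_class.replace("/", "."), call.group(1), origin))
    return hits

def summarize(hits):
    """Count call sites by origin, the app-versus-library split the study reports."""
    return Counter(origin for _, _, origin in hits)

# Constructed smali fragments; package and class names are hypothetical.
SAMPLE = {
    "MainActivity.smali": """.class public Lcom/example/shop/MainActivity;
    invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
""",
    "Collector.smali": """.class final Lcom/adsdk/hypothetical/Collector;
    invoke-virtual {v1, v2}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
    invoke-virtual {v1, v2}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
""",
    "Compat.smali": """.class public Lcom/example/shop/util/Compat;
    invoke-virtual {v0, v3}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
""",
}

if __name__ == "__main__":
    for cls, method, origin in find_iam_calls(SAMPLE, "com.example.shop"):
        print(f"{origin:8} {cls}.{method}")
```

Any `library` hit is a call the app author did not write and should trace back to a specific dependency before shipping.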
Going forward, the research team urges Google to restrict the use of IAM API calls. According to the research team, the best-case scenario would be for Google to put IAM calls behind a permission request. Permission requests are popups that ask the user if an app is allowed to take an action; in this case, to allow the app to retrieve a list of all of their other apps.
More details about this research are available in a research paper titled “Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User’s Device,” set to be presented this fall at the MOBILESoft 2020 conference in Seoul, South Korea.
Source: http://www.ivanomalavolta.com/files/papers/MOBILESoft_iam_2020.pdf
