DOI: 10.1145/2818000.2818005
research-article

AuDroid: Preventing Attacks on Audio Channels in Mobile Devices

Published: 07 December 2015

Abstract

Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.


Reviews

Sundara Nagarajan

Are you an Android operating system (OS) developer, exploring application-independent ways to secure the audio channels in a device? Petracca et al. have implemented one such scheme: AuDroid for Android OS. As of now, mobile OSs do not enforce flow control through microphone and speaker devices and have only limited access control. Consequently, malicious applications could snoop information flowing through the audio channels of the device. The authors propose an extension to the Android OS to enforce security policies and then implement it. The authors evaluate AuDroid using six types of attack scenarios described in detail in the paper. The workings of the audio channels are also described. The paper presents a good literature survey of existing solution approaches and related work. The paper addresses three challenges in securing communications via audio channels: the dynamic creation of audio channels, the special functional requirements of apps, and communication with external parties whose identity (and intentions) may not be established. The paper goes on to describe threat and trust models, followed by a detailed design of AuDroid. The paper treats the Android OS architecture relevant to audio stream architecture in some detail (version 5.0.1_r1). The implementation is validated using 17 widely used apps. The validation procedure details are reported and performance overhead analyzed. I could not find the source code of AuDroid at the location mentioned in the paper; however, it can be found using GitHub search. The authors claim that "the customization needed to integrate AuDroid in a vanilla Android OS distribution is [low]." Documentation coming with the source base is minimal. Still, this is a well-written implementation paper regarding an important problem and its solution. Online Computing Reviews Service

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015
489 pages
ISBN:9781450336826
DOI:10.1145/2818000
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Authorization
  2. Information Flow
  3. Mobile Systems Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months): 17
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 04 Jan 2025

Cited By

  • (2024) A Speech Adversarial Sample Detection Method Based on Manifold Learning. Mathematics 12:8 (1226). DOI: 10.3390/math12081226. Online publication date: 19-Apr-2024
  • (2024) Light Sensor Based Covert Channels on Mobile Devices. Information Sciences (121581). DOI: 10.1016/j.ins.2024.121581. Online publication date: Oct-2024
  • (2024) Are We Aware? An Empirical Study on the Privacy and Security Awareness of Smartphone Sensors. Software Engineering and Management: Theory and Application (139-158). DOI: 10.1007/978-3-031-55174-1_10. Online publication date: 3-May-2024
  • (2023) The Privacy Flag Observatory: A Crowdsourcing Tool for Real Time Privacy Threats Evaluation. Journal of Cybersecurity and Privacy 3:1 (26-43). DOI: 10.3390/jcp3010003. Online publication date: 29-Jan-2023
  • (2023) POWER-SUPPLaY: Leaking Sensitive Data From Air-Gapped, Audio-Gapped Systems by Turning the Power Supplies into Speakers. IEEE Transactions on Dependable and Secure Computing 20:1 (313-330). DOI: 10.1109/TDSC.2021.3133406. Online publication date: 1-Jan-2023
  • (2023) Are We Aware? An Empirical Study on the Privacy and Security Awareness of Smartphone Sensors. 2023 IEEE/ACIS 21st International Conference on Software Engineering Research, Management and Applications (SERA) (287-294). DOI: 10.1109/SERA57763.2023.10197713. Online publication date: 23-May-2023
  • (2023) Secure cloud-based mobile apps: attack taxonomy, requirements, mechanisms, tests and automation. International Journal of Information Security 22:4 (833-867). DOI: 10.1007/s10207-023-00669-z. Online publication date: 17-Feb-2023
  • (2023) Introduction. Secure Voice Processing Systems against Malicious Voice Attacks (1-11). DOI: 10.1007/978-3-031-44748-8_1. Online publication date: 31-Oct-2023
  • (2023) Privacy, Safety, and Security in Extended Reality: User Experience Challenges for Neurodiverse Users. HCI for Cybersecurity, Privacy and Trust (511-528). DOI: 10.1007/978-3-031-35822-7_33. Online publication date: 9-Jul-2023
  • (2022) Deep Learning Approach for Protecting Voice-Controllable Devices From Laser Attacks. Security, Data Analytics, and Energy-Aware Solutions in the IoT (125-142). DOI: 10.4018/978-1-7998-7323-5.ch008. Online publication date: 2022
