
Import Library, Import Liability: Analyzing Information Collection of Third-party SDKs

Date

August 26, 2022

Time

17:30

Track

Main Track

User data protection regulations in most countries and regions set clear requirements for the collection of personal information. Apps must declare reasonable use scenarios and obtain the user’s consent when collecting the relevant data. Many enterprises have invested heavily to guarantee the privacy-policy compliance of their apps. However, compliance remains a challenging problem once third-party SDKs are imported.

In particular:

  1. The app cannot comprehensively monitor the information collection behaviors of its embedded SDKs, for example, what data is collected, and when it is collected and uploaded.
  2. It is difficult for app developers to analyze the information collection behaviors of third-party SDKs, due to a lack of expertise.
  3. Third-party SDKs evolve fast, so it is unrealistic to conduct a manual privacy audit of each version.


To solve the above problems, we developed a static taint analyzer for SDKs, built on Facebook’s open-source tool Mariana Trench and on our own tool.

Our analyzer marks the locations of all sensitive-information calls as source points and the locations of all network interfaces as sink points. It solves the challenge of asynchronous invocation, which undermines existing analyzers. By addressing this challenge, our analyzer achieves an accuracy of 95%, a recall rate of 71.26%, and an F-measure of 83.22%. We applied it to several mainstream apps and found that some of them fail to disclose user information collected by their embedded SDKs. We have open-sourced our analyzer to benefit app developers.
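To make the source/sink and asynchronous-invocation points concrete, here is a small illustrative taint analysis in Python. It is an added example written for this page; it is not the authors' analyzer and not Mariana Trench code. The tiny three-address IR, the constructed SDK program, the source/sink API lists and the `ASYNC_EDGES` table (which a real analyzer would resolve from the runtime type of the `Runnable` passed to `Handler.post`) are all assumptions made for the illustration. It shows the failure mode the abstract describes: a leak that is parked in a field and uploaded by a `Runnable` executed through `Handler.post` is invisible to an analysis that only follows direct calls, and becomes visible once the async boundary is modelled as a call edge.

```python
from dataclasses import dataclass
from typing import Optional

# --- Tiny three-address IR (constructed for this example) -------------------

@dataclass
class Call:
    callee: str
    args: tuple = ()
    dst: Optional[str] = None          # local receiving the return value

@dataclass
class Store:
    fld: str                            # heap field written, e.g. "UploadTask.payload"
    src: str                            # local whose value is stored

@dataclass
class Load:
    dst: str                            # local receiving the field value
    fld: str

@dataclass
class Method:
    params: tuple
    body: list

# Assumed labels for privacy-relevant APIs (a real tool reads these from model files).
SOURCES = {"TelephonyManager.getDeviceId", "LocationManager.getLastKnownLocation"}
SINKS = {"HttpURLConnection.write"}
# Assumed async boundary: calling the key eventually runs the listed callbacks on
# another thread. A real analyzer resolves the target from the Runnable's type.
ASYNC_EDGES = {"Handler.post": ("UploadTask.run",)}

# Constructed SDK program: one synchronous leak, one leak crossing Handler.post,
# and one benign upload of a non-sensitive config string.
PROGRAM = {
    "Sdk.init": Method((), [Call("Sdk.reportLocation"), Call("Sdk.collectDeviceId"),
                            Call("Sdk.readConfig")]),
    "Sdk.reportLocation": Method((), [
        Call("LocationManager.getLastKnownLocation", (), "loc"),
        Call("HttpURLConnection.write", ("loc",))]),
    "Sdk.collectDeviceId": Method((), [
        Call("TelephonyManager.getDeviceId", (), "id"),
        Call("UploadTask.<init>", ("id",)),          # constructor stores id in a field
        Call("Handler.post", ("task",))]),           # run() executes later, elsewhere
    "UploadTask.<init>": Method(("payload",), [Store("UploadTask.payload", "payload")]),
    "UploadTask.run": Method((), [
        Load("body", "UploadTask.payload"),
        Call("HttpURLConnection.write", ("body",))]),
    "Sdk.readConfig": Method((), [
        Call("SharedPreferences.getString", (), "cfg"),   # not a source: no finding
        Call("HttpURLConnection.write", ("cfg",))]),
}


def analyze(program, entry, model_async):
    """Flow-insensitive taint propagation over the methods reachable from `entry`.
    Returns the set of (source, sink) pairs found. Taint labels are source API
    names, so each finding says which datum reached which network call."""
    taint = {m: {} for m in program}      # method -> local -> set of source labels
    fields = {}                           # heap field -> set of source labels
    reachable = {entry}
    findings = set()

    def add(table, key, labels):
        cur = table.setdefault(key, set())
        if labels - cur:
            cur |= labels
            return True
        return False

    changed = True
    while changed:                        # iterate to a fixpoint
        changed = False
        for name in list(reachable):
            locals_ = taint[name]
            for stmt in program[name].body:
                if isinstance(stmt, Call):
                    arg_labels = set().union(*(locals_.get(a, set()) for a in stmt.args))
                    if stmt.callee in SOURCES:
                        changed |= add(locals_, stmt.dst, {stmt.callee})
                    elif stmt.callee in SINKS:
                        for label in arg_labels:
                            if (label, stmt.callee) not in findings:
                                findings.add((label, stmt.callee))
                                changed = True
                    elif stmt.callee in program:          # direct call: pass arg taint
                        if stmt.callee not in reachable:
                            reachable.add(stmt.callee)
                            changed = True
                        for p, a in zip(program[stmt.callee].params, stmt.args):
                            changed |= add(taint[stmt.callee], p, locals_.get(a, set()))
                    if model_async:                        # treat post() as a call edge
                        for cb in ASYNC_EDGES.get(stmt.callee, ()):
                            if cb not in reachable:
                                reachable.add(cb)
                                changed = True
                elif isinstance(stmt, Store):
                    changed |= add(fields, stmt.fld, locals_.get(stmt.src, set()))
                elif isinstance(stmt, Load):
                    changed |= add(locals_, stmt.dst, fields.get(stmt.fld, set()))
    return findings


if __name__ == "__main__":
    print("direct calls only :", sorted(analyze(PROGRAM, "Sdk.init", model_async=False)))
    print("async edges added :", sorted(analyze(PROGRAM, "Sdk.init", model_async=True)))
```

Without the async edge, `UploadTask.run` is never reachable from the entry point, so the device-ID upload is a silent false negative and only the location flow is reported; with the edge, both flows are found. The benign config upload hits the same sink but carries no source label, so it never appears, which is the property a developer auditing an SDK's disclosures actually cares about.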

Speakers

Senior Security Researcher

Bytedance

Wang Zeyu, a white-hat security researcher from Wuheng Lab and a former senior engineer of OPPO ZIWU CYBER SECURITY LAB, is dedicated to research on security vulnerabilities and privacy issues of Android applications and Internet of Things devices. He has reported many vulnerabilities to mobile Internet application vendors and mobile phone manufacturers. His work has appeared at HITB 2021. He is an expert in vulnerability mining of hybrid applications on Android and is the author of Rpktool.

Faculty Member

The University of Queensland

Dr. Bai Guangdong is a faculty member at The University of Queensland. He received his PhD degree from the National University of Singapore in 2015. His research interests span the broad areas of mobile security, web security, and protocol verification. In his previous research, he has worked on analyzing authentication protocol implementations, online payment, and Android security. His research has helped identify and fix serious security vulnerabilities for major websites such as Sina Weibo. His work appears in top security conferences, such as NDSS, Syscan, HITB and Black Hat Europe.

Senior Security Researcher

Bytedance

Zhang Qing is a senior security researcher and privacy security expert. Previously, he was a visiting scholar at the Model Checking Lab of the National University of Singapore. His interests include Android security, IoT security and payment security, specializing in privacy security, reverse engineering and fuzzing. He holds the Certified Information Privacy Technologist (CIPT) and Certified Information Privacy Professional/Europe (CIPP/E) certifications. His work has appeared at Syscan360 2016, Black Hat 2017, HITB 2017, HITB 2018, HITB 2020, Black Hat 2021 and others. From 2016 to 2021, he won many annual first-place prizes in the vulnerability detection programs of major companies such as Samsung, Huawei, Meizu, Chuizi, OPPO and OnePlus.
