AndroTIME: Identifying Timing Side Channels in the Android API

Gerald Palfinger*, Bernd Prünster, Dominik Ziegler

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The permission system of Android has continuously evolved to better guard the privacy of users. New permissions have been introduced and existing methods which were abused now require a permission or have been entirely removed. Retrieving private data about users without their consent is thus getting continuously harder for applications.
In this paper, we systematically analyse how timing-based side channels in the Android API can be used to circumvent this tight permission system. We introduce AndroTIME, a framework to automatically detect such side channels in the Android API. Using this automated approach, we were able to identify several new timing-based side-channel leaks in Android 10 and Android 11. The detected side channels enable querying for installed applications, active accounts, files, and browser logins. The leaked information could be used to fingerprint users, detect secret user habits, or even infer a concrete user identity.
Original language: English
Title of host publication: Proceedings of the 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications
Place of Publication: China
Number of pages: 8
Publication status: Accepted/In press - 30 Sep 2020
Event: The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications - Guangdong Hotel, Hybrid Event, China
Duration: 29 Dec 2020 → 1 Jan 2021
http://ieee-trustcom.org/TrustCom2020/

Conference

Conference: The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications
Abbreviated title: IEEE TrustCom 2020
Country: China
City: Hybrid Event
Period: 29/12/20 → 1/01/21

  • Projects

    A-SIT - Secure Information Technology Center Austria

    Stranacher, K., Dominikus, S., Leitold, H., Marsalek, A., Teufl, P., Bauer, W., Aigner, M. J., Rössler, T., Neuherz, E., Dietrich, K., Zefferer, T., Mangard, S., Payer, U., Orthacker, C., Lipp, P., Reiter, A., Knall, T., Bratko, H., Bonato, M., Suzic, B., Zwattendorfer, B., Kreuzhuber, S., Oswald, M. E., Tauber, A., Posch, R., Bratko, D., Feichtner, J., Ivkovic, M., Reimair, F., Wolkerstorfer, J. & Scheibelhofer, K.

    21/05/99 → 6/08/20

    Project: Research area

    Cite this

    Palfinger, G., Prünster, B., & Ziegler, D. (Accepted/In press). AndroTIME: Identifying Timing Side Channels in the Android API. In Proceedings of the 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications China.