Attention! Your Copied Data is Under Monitoring: A Systematic Study of Clipboard Usage in Android Apps
Recently, clipboard usage has become prevalent in mobile apps allowing users to copy and paste text within the same app or across different apps. However, insufficient access control on the clipboard in the mobile operating systems exposes its contained data to high risks where one app can read the data copied in other apps and store it locally or even send it to remote servers. Unfortunately, the literature only has ad-hoc studies in this respect and lacks a comprehensive and systematic study of the entire mobile app ecosystem. To establish the missing links, this paper proposes an automated tool, ClipboardScope, that leverages the principled static program analysis to uncover the clipboard data usage in mobile apps at scale by defining a usage as a combination of two aspects, i.e., how the clipboard data is validated and where does it go. It defines four primary categories of clipboard data operation, namely spot-on, grand-slam, selective, and cherry-pick, based on the clipboard usage in an app. ClipboardScope is evaluated on 26,201 out of a total of 2.2 million mobile apps available on Google Play as of June 2022 that access and process the clipboard text. It identifies 23,948, 848, 1,075, and 330 apps that are recognized as the four designated categories, respectively. In addition, we uncovered a prevalent programming habit of using the SharedPreferences object to store historical data, which can become an unnoticeable privacy leakage channel.
Wed 17 AprDisplayed time zone: Lisbon change
14:00 - 15:30 | Security 1Research Track / Journal-first Papers at Grande Auditório Chair(s): Letizia Jaccheri Norwegian University of Science and Technology (NTNU) | ||
14:00 15mTalk | Marco: A Stochastic Asynchronous Concolic Explorer Research Track Jie Hu University of California Riverside, Yue Duan Singapore Management University, Heng Yin UC Riverside Pre-print | ||
14:15 15mTalk | Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners? Research Track Stefanos Chaliasos Imperial College London, Marcos Antonios Charalambous Imperial College London, Liyi Zhou Imperial College London, Rafaila Galanopoulou University of Athens, Arthur Gervais Imperial College London, Dimitris Mitropoulos University of Athens, Ben Livshits Imperial College London | ||
14:30 15mTalk | DocFlow: Extracting Taint Specifications from Software Documentation Research Track Marcos Tileria Royal Holloway, University of London, Jorge Blasco Universidad Politécnica de Madrid, Santanu Dash University of Surrey | ||
14:45 15mTalk | Toward Improved Deep Learning-based Vulnerability Detection Research Track Adriana Sejfia University of Edinburgh, Satyaki Das University of Southern California, Saad Shafiq University of Southern California, Nenad Medvidović University of Southern California Pre-print | ||
15:00 15mTalk | Attention! Your Copied Data is Under Monitoring: A Systematic Study of Clipboard Usage in Android Apps Research Track Yongliang Chen City University of Hong Kong, Ruoqin Tang City University of Hong Kong, Chaoshun Zuo Ohio State University, Xiaokuan Zhang George Mason University, Lei Xue Sun Yat-Sen University, Xiapu Luo The Hong Kong Polytechnic University, Qingchuan Zhao City University of Hong Kong | ||
15:15 7mTalk | Evolution of Automated Weakness Detection in Ethereum Bytecode: a Comprehensive Study Journal-first Papers Monika di Angelo TU Wien, Thomas Durieux TU Delft, João F. Ferreira INESC-ID and IST, University of Lisbon, Gernot Salzer TU Wien Link to publication DOI Pre-print File Attached | ||