Abstract: Offered by Android system, Settings is a mechanism used by applications to read and write some global settings of the device. Data stored in Settings can be read by all the applications on the same device. Some Android applications and third-party libraries carelessly put privacy data and important configuration information into Settings, which leads to serious security risks such as privacy leakage and configuration data leakage. In this paper, we make a comprehensive study of the issues mentioned above. By analyzing a large number of applications, we find the privacy data and configuration information leaked to Settings including IMEI, BSSID and location info, etc. We also successfully undertake some data hijacking attacks and DoS attacks for Android applications and third-party libraries, which confirms that the inappropriate use of Settings can really lead to serious security problems. Based on the above research, we propose SettingsHunter, a static detection tool for Settings issues. SettingsHunter detects privacy data and important configuration information put in Settings using taint analysis technology. In order to improve the efficiency, SettingsHunter separates the analysis of third-party libraries from the one of host applications. This separation also improves the analysis ability for third-party libraries. We use SettingsHunter to analysis 3477 applications and the result shows that 23.5% of the analyzed applications put privacy data or key configuration information into Settings, of which 90.7% is due to the using of third-party libraries. These applications and third-party libraries may suffer from privacy data leakage or configuration data pollution attacks.

Key words: Android applications, third-party libraries, privacy leakage, data pollution, static taint analysis