| Smartphone is becoming ubiquitous and its sales proportions have exceeded the sales of personal computer systems since 2012. The number of smartphones will increase and perhaps at an even higher rate in the coming years. The computational capacity and numerous mobile applications benefit end user's daily life. At the same time, it stores user's personal information, such as calendar event, photo, geo-location, and manages the access to the private online resource, such as bank account, email. It is thus non-trivial to resolve the security risks of smartphone privacy leakage.;The open nature allows Android to capture a dominant share of mobile operating system market. However, the open nature challenges the protection of user privacy given those platform-driven factors: (1) unregulated mobile marketplaces, (2) Android middleware with the APIs creating unpredictable runtime behavior, (3) fragmentation. Moreover, the device usage by unauthorized users produces the risk of privacy leakage driven by the human. We claim that a comprehensive solution to the privacy leakage of Android platform needs to overcome the challenges incurred by the platform-driven factors and the human-driven factor. Four separate works are discussed: (a) AutoCog relies on a learning-based approach to deduce the semantics model and helps the user understand the in-app privacy usage by the application description; (b) DyDroid is a dynamic analysis system to fully explore the DCL usage and detect the privacy leakage; (c) AppShield allows the enforcement of arbitrary access control policy with an application rewriting design; and (d) RiskCog{} enforces the continuous and implicit user authentication by the manner of handling the device. |
