Be Careful What You Write, Someone Might Read It: Logging Personally Identifiable Information on Android

dc.contributor.advisor: Reardon, Joel
dc.contributor.author: Lyons, Allan
dc.contributor.committeemember: Reardon, Joel
dc.contributor.committeemember: Henry, Ryan
dc.contributor.committeemember: Hagen, Gregory
dc.date: 2023-02
dc.date.accessioned: 2023-01-06T20:57:54Z
dc.date.available: 2023-01-06T20:57:54Z
dc.date.issued: 2023-01-03
dc.description.abstract: The Android Operating System provides a central, shared logging system that multiplexes messages from all of the various components including the operating system and all of the apps that run on it. A permission system exists that prevents these log messages from being read by processes other than the one that created them; however, there is an exception to this restriction for a privileged class of apps. This includes preinstalled system apps provided by Google, the manufacturer of the device, or the mobile network operator. As a consequence of this exception, Google admonishes developers that for privacy reasons they must refrain from logging personal or sensitive information to the system log. In this thesis, we examine the pervasive logging of Personally Identifiable Information (PII) throughout the Android ecosystem. With local lab experiments we show that freshly reset phones log PII---every phone we tested logged multiple identifiers. Then, through a field study we show that this logging is pervasive in the wild with PII being detected in the logs of 94.1% of the devices in our dataset which represented all of the observed manufacturers. We statically analyze the Android Open Source Project (AOSP) source code to identify the origin of some of the observed excessive logging and are able to attribute log entries to specific parts of the code and find that Google itself does not follow its own specific advice to not log sensitive data and more generally to remove debug logging from release software. Finally, we analyze the privacy policies of major cell-phone manufacturers and find that some report that they may collect these logs.
dc.identifier.citation: Lyons, A. (2023). Be Careful What You Write, Someone Might Read It: Logging Personally Identifiable Information on Android (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.
dc.identifier.uri: http://hdl.handle.net/1880/115654
dc.identifier.uri: https://dx.doi.org/10.11575/PRISM/40580
dc.language.iso: eng
dc.publisher.faculty: Science
dc.publisher.institution: University of Calgary
dc.rights: University of Calgary graduate students retain copyright ownership and moral rights for their thesis. You may use this material in any way that is permitted by the Copyright Act or through licensing that has been assigned to the document. For uses that are not allowable under copyright legislation or licensing, you are required to seek permission.
dc.subject: Privacy
dc.subject: Mobile Privacy
dc.subject: Mobile Systems Security
dc.subject.classification: Computer Science
dc.title: Be Careful What You Write, Someone Might Read It: Logging Personally Identifiable Information on Android
dc.type: master thesis
thesis.degree.discipline: Computer Science
thesis.degree.grantor: University of Calgary
thesis.degree.name: Master of Science (MSc)
ucalgary.item.requestcopy: false
Files
Original bundle
Name: ucalgary_2023_lyons_allan.pdf
Size: 681.96 KB
Format: Adobe Portable Document Format
License bundle
Name: license.txt
Size: 2.62 KB
Format: Item-specific license agreed upon to submission