| Graduate student: | 葉泓葆 Ye, Hong-Bao |
|---|---|
| Thesis title: | 發掘因為利用第三方軟體開發套件而造成的敏感資料洩漏議題 / Exploiting the Third-party SDK Sensitive Data Leakage |
| Advisor: | 焦惠津 Jiau, Hewi-Jin Christine |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2019 |
| Graduation academic year (ROC calendar): | 107 |
| Language: | English |
| Number of pages: | 33 |
| Chinese keywords (translated): | mobile applications, sensitive data, third-party SDKs, data leakage, data security |
| English keywords: | mobile applications, sensitive data, third-party SDKs, data leakage, data security |
| Access counts: | Views: 61, Downloads: 0 |
Abstract (Chinese, translated): Data leakage is a serious threat to mobile application developers, because mobile applications record users' sensitive data. Using third-party software development kits (SDKs) to build mobile applications is a common practice. Because third-party SDKs can access the sensitive data held by a mobile application, and some of the accessed data may be unknown to the application developer, using third-party SDKs may cause sensitive data leakage. This study proposes a platform, the "WaRning-Awareness Platform" (abbreviated WRAP). WRAP records profile data of third-party SDKs and reveals to mobile application developers the sensitive data that third-party SDKs will access. To demonstrate the sensitive data leakage caused by third-party SDKs, this study carried out a case study with several kinds of Android applications. The results indicate that if mobile application developers do not pay attention to the data accessed by third-party SDKs, that data may be leaked.
Abstract (English): Data leakage is a critical threat to app developers because apps record a variety of sensitive data collected from users. Using third-party SDKs is a common way to build apps. Since third-party SDKs could access sensitive data recorded in apps, and some accessed data may be unknown to app developers, the use of third-party SDKs may cause sensitive data leakage. This work proposes a platform named "WaRning-Awareness Platform" (WRAP). WRAP records profiles of SDKs, and reveals the sensitive data accessed by third-party SDKs to app developers. To demonstrate the data leakage caused by third-party SDKs, this work conducts a case study with various categories of Android apps. The result indicates that if app developers do not pay full attention to the data accessed by third-party SDKs, the data would be leaked.
On-campus access: released to the public on 2024-08-28