HideMyApp: Hiding the Presence of Sensitive Apps on Android
Millions of users rely on mobile health (mHealth) apps to manage their wellness and medical conditions. However, the simple fact that an mHealth app (e.g., diabetes app) is installed on a users’ phone, can reveal sensitive information about the user’s health. Android’s open design allows any app, even without permissions, to check which other apps are installed on the same device; to date, no mechanism exist to effectively hide the use of sensitive apps.
We propose HideMyApp (HMA), a practical and robust solution that hides the presence of mHealth and other sensitive apps from nosy apps on the same phone. HMA relies on user-level virtualization techniques, thus avoiding changes to the operating system (OS) or to apps while still supporting key functionality. We evaluated HMA on devices runnning Android 6.0 to 8.1 and a diverse set of mHealth apps. Our experimental evaluation shows that HMA supports main features in most apps and introduces acceptable delays at runtime; such findings were validated by a user-study.
- HideMyApp Overview
HideMyApp (HMA) is the ﬁrst system that enables organizations and developers to distribute sensitive apps to their users while considerably reducing the risk of such apps being detected by nosy apps on the same phone. Apps protected by HMA expose signiﬁcantly less identifying metadata, therefore, it is more difﬁcult for nosy apps to detect their presence, even when the nosy apps have all Android permissions and debugging privileges. Users employ a client app called HMA Manager to anonymously (un)install, use, and to update the apps selected from the HMA app store; an the HMA App Store does not learn about the set of apps that a user has installed from the store. HMA transparently works on stock Android devices, it does not require root access, and it preserves the app-isolation security model of the Android operating system (OS). Still, HMA preserves the key functionalities of mHealth apps, e.g., connecting to external devices via Bluetooth, sending information over the Internet, and storing information in databases.
With HMA, users launch a sensitive app inside the context of a container app, without requiring the sensitive app to be installed. A container app is a dynamically generated wrapper around the Android application package (APK) of the sensitive app, and it is designed in such a way that the sensitive app cannot be ﬁngerprinted yet still can support inter-process communication between the sensitive app and other installed apps. To launch the APK from the container app, HMA relies on techniques described in existing work: the dynamic loading of compiled source code and app resources from the APKs and user-level app-virtualization techniques. HMA provides multiple tiers of protection: For baseline protection against current threats, HMA obfuscates static meta-data of sensitive apps (e.g., their package names and components). To provide more advanced protection (e.g., against side-channel attacks), HMA can add an additional layer of obfuscation for sensitive apps (e.g., randomizing memory access). In some cases, app developers might need to be involved to make changes to the apps.
- Demo Video
You can see our HMA prototype in action in this video.
- Source Code
The experimental source code for HideMyApp can be found here.
- Research Paper
- A. Pham, I. Dacosta, E. Losiouk, J. Stephan, K. Huguenin, and J.-P. Hubaux. HideMyApp: Hiding the Presence of Sensitive Apps on Android. In Proceedings of the 28th USENIX Security Symposium, Santa Clara, CA, USA, August 2019.
- Contact Information
For additional information about HideMyApp, please contact Prof. Jean-Pierre Hubaux.
For more details about our research projects, please visit the page of the Laboratory for Data Security (LDS).