Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android

Abstract

Uninstalling apps from mobile devices is among the most common user practices on smartphones. It may sound trivial, but the entire process involves multiple system components coordinating to remove the data belonging to the uninstalled app. Despite its frequency and complexity, little has been done to understand the security risks in the app’s uninstallation process. In this project, we have conducted the first systematic analysis of Android’s data cleanup mechanism during the app’s uninstallation process. Our analysis reveals that data residues are pervasive in the system after apps are uninstalled. For each identified data residue instance, we have formulated hypotheses and designed experiments to see whether it can be exploited to compromise the system security. The results are surprising: we have found 12 instances of vulnerabilities caused by data residues. By exploiting them, adversaries can steal user’s online-account credentials, access other app’s private data, escalate privileges, eavesdrop on user’s keystrokes, etc. We call these attacks the data residue attacks. To evaluate the real-world impact of the attacks, we have conducted an analysis on the top 100 apps in each of the 27 categories from GooglePlay. The result shows that a large portion of the apps can be the target of the data residue attacks. We have further evaluated the effectiveness of popular app markets (GooglePlay, Amazon appstore and Samsung appstore) in preventing our attacking apps from reaching their markets. Moreover, we have studied the data residue attacks on 10 devices from different vendors to see how vendor customization can affect our attacks. Google has acknowledged all our findings, and is working with us to get the problems fixed.