Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones

Smartphones contain a trove of sensitive personal data including our location, who we talk to, our habits, and our interests. Smartphone users trade access to this data by permitting apps to use it, and in return obtain functionality provided by the apps. In many cases, however, users fail to appreciate the scale or sensitivity of the data that they share with third-parties when they use apps. To this end, prior work has looked at the threat to privacy posed by apps and the third-party libraries that they embed. Prior work, however, fails to paint a realistic picture of the full threat to smartphone users, as it has typically examined apps and third-party libraries in isolation. In this paper, we describe a novel and potentially devastating privilege escalation attack that can be performed by third-party libraries. This attack, which we call intra-library collusion, occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data. The possibility for intra-library collusion exists because libraries obtain the same privileges as their host app and popular libraries will likely be used by more than one app on a device. Using a real-world dataset of over 30,000 smartphones, we find that many popular third-party libraries have the potential to aggregate significant sensitive data from devices by using intra-library collusion. We demonstrate that several popular libraries already collect enough data to facilitate this attack. Using historical data, we show that risks from intra-library collusion have increased significantly over the last two-and-a-half years. We conclude with recommendations for mitigating the aforementioned problems.