
Graduate student: 陳勁維 (Chin-Wei Chen)
Thesis title: Estimating Intent-based Covert Channel Bandwidth by Time Series Decomposition Analysis in Android Platform
Advisor: 李漢銘 (Hahn-Ming Lee)
Oral defense committee: 鄭博仁 (Bo-Ren Jeng), 沈金祥 (Jin-Shiang Shen), 林豐澤 (Feng-Tze Lin), 鄭欣明 (Shin-Ming Jeng)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2017
Academic year of graduation: 105
Language: English
Number of pages: 57
Keywords: security, information leak, covert channel, channel bandwidth, Android
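  • Abstract (translated from the Chinese): In recent years the Android platform has become widespread. Phones and tablets not only have ever more computing power; each device also stores a great deal of private personal information, from device information and GPS location data to the credit card information used by the third-party payment services that have emerged in recent years. Although this convenience and practicality are very popular with users, the accompanying security problem of private data leakage has made these devices an easy target for theft. Data transfer over a covert channel differs from conventional information channels: the information to be passed is first encoded in some way and then sent, and the virtual object through which the two parties communicate is designed in advance and is hard to notice with ordinary detection methods. In recent years covert channels have been used on the Android platform, making the data leakage problem even more serious. Past research mainly detects abnormal usage behavior from the path the data travels, and this kind of defense mechanism cannot withstand covert channels that use covert encoding.

    We provide a method for detecting covert channels built with intents and estimating their bandwidth, which can be used to analyze whether a covert channel attack is present on the Android platform. Unlike tracking of data behavior, this method uses log records related to the intent broadcast system and, through decomposition and analysis of the signal together with cross-comparison of API usage frequencies, detects the presence of a hidden covert channel and estimates its bandwidth. The experimental environment is a physical device under normal user use, which makes it possible to examine the relation between detection effectiveness and bandwidth size.

    This research makes the following contributions: (1) we provide a detection and estimation system that determines whether a covert channel exists, in order to prevent private data leakage incidents on the Android platform; (2) we create a logging system that tracks specific logs, in order to monitor the broadcast behavior records of all apps; (3) we estimate the bandwidth of the intent covert channel on a physical device under normal user use.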


    In the past few years, the Android mobile platform has grown explosively. Rapid development of hardware and software has given mobile devices high computing capabilities. Because of the huge number of Android users, mobile devices have become a target for hackers seeking to steal sensitive data, such as user intelligence, credit card information, etc. Data transmission over a covert channel differs from conventional information channels: the information is passed using a particular encoding, and the virtual objects the two parties use to communicate are designed in advance and are difficult to detect. In recent years covert channels have been used on the Android platform, making the exposure of data even more serious. Past research has mainly focused on the destination of data to detect abnormal behavior, and this type of defense mechanism cannot resist a covert channel that uses secret encoding.

    The goal of this study is to propose a mechanism capable of intent-based covert channel detection and bandwidth estimation. To identify the presence of an intent-based covert channel attack on the Android platform, we use a method that differs from tracking data behavior: it detects the existence of implicit covert channels by decomposing and analyzing the signal in the log records related to the intent broadcasting system and cross-comparing the result with API usage frequency. Our experiment is conducted on a physical device with user activity taken into account, and we then discuss the effectiveness of the detection and its relation to bandwidth size.

    The proposed approach makes the following contributions: (1) providing a detection system that can analyze the presence of a covert storage channel using intents as the virtual object; (2) developing a log tracking system with user activities involved; (3) estimating the lower bound of the bandwidth of the intent covert storage channel's information capacity in the Android environment.

    摘要 i ABSTRACT iii 致謝 v 1 Introduction 1 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Challenges and Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.4 The Outline of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2 Background and Related Work 8 2.1 Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1.1 Inter component communication (ICC) . . . . . . . . . . . . 9 2.1.2 Intent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.2 Android Covert Channel . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2.1 Covert channel . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.2 Object covert channel . . . . . . . . . . . . . . . . . . . . . . 12 2.2.3 Local covert channel . . . . . . . . . . . . . . . . . . . . . . 13 2.2.4 Network covert channel . . . . . . . . . . . . . . . . . . . . 14 2.3 Local Covert Channel Detection . . . . . . . . . . . . . . . . . . . . 14 2.3.1 Android security . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3.2 Current problem . . . . . . . . . . . . . . . . . . . . . . . . 15 3 System Description and Architecture 17 3.1 Description of the Real Environment . . . . . . . . . . . . . . . . . . 18 3.1.1 Framework Log Record . . . . . . . . . . . . . . . . . . . . 19 3.1.2 Intent Covert Storage Channel . . . . . . . . . . . . . . . . . 23 3.2 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.3 Hidden Covert Channel Signal Finding . . . . . . . . . . . . . . . . . 26 3.3.1 API Event Matrix Constructor . . . . . . . . . . . . . . . . . 26 3.3.2 Time Series Decomposition Eigenwave Extractor . . . . . . . 28 3.3.3 Hidden Covert Channel Signal Constructor . . . . . . . . . . 29 3.4 API Co-occurrence Combination . . . . . . . . . . . . . . . . . . . . 30 3.4.1 API Frequent Pattern Finding . . . . . . . . . . . . . . . . . 
31 3.4.2 API Sub Pattern Matrix Constructor . . . . . . . . . . . . . . 31 3.5 Covert Channel Bandwidth Estimator . . . . . . . . . . . . . . . . . 32 4 Experiments and Results 35 4.1 Environment Design and Experiment Concept . . . . . . . . . . . . . 36 4.2 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 4.2.1 Dataset description . . . . . . . . . . . . . . . . . . . . . . . 37 4.2.2 Scenario description with user activity . . . . . . . . . . . . . 37 4.3 Effectiveness Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.4 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 4.5 Experiment Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 40 4.6 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 5 Conclusions and Further Work 45 5.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 5.2 Further Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
