Privacy Oracle: A System For Finding Application Leaks With Black Box Differential Testing

CCS(2008)

Abstract
We describe the design and implementation of Privacy Oracle, a system that reports on application leaks of user information via the network traffic that they send. Privacy Oracle treats each application as a black box, without access to either its internal structure or communication protocols. This means that it can be used over a broad range of applications and information leaks (i.e., not only Web traffic content or credit card numbers). To accomplish this, we develop a differential testing technique in which perturbations in the application inputs are mapped to perturbations in the application outputs to discover likely leaks; we leverage alignment algorithms from computational biology to find high quality mappings between different byte-sequences efficiently. Privacy Oracle includes this technique and a virtual machine-based testing system. To evaluate it, we tested 26 popular applications, including system and file utilities, media players, and IM clients. We found that Privacy Oracle discovered many small and previously undisclosed information leaks. In several cases, these are leaks of directly identifying information that are regularly sent in the clear (without end-to-end encryption) and which could make users vulnerable to tracking by third parties or providers.
Keywords
Personal information leaks,Black-box testing,Sequence alignment algorithm,Differential fuzz testing,Data loss prevention
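
The differential testing idea in the abstract, as an added illustration that is not the paper's code: the outputs of two runs with perturbed inputs are aligned byte by byte, and each differing region is attributed to the input field whose change explains it. Needleman-Wunsch global alignment, the scoring values, the field names and both payloads are assumptions constructed for this example.

```python
def align(a: bytes, b: bytes, match=1, mismatch=-1, gap=-1):
    """Needleman-Wunsch global alignment; returns the differing (a_seg, b_seg) pairs."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = score[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            score[i][j] = max(diag, score[i - 1][j] + gap, score[i][j - 1] + gap)
    # Trace back from the end, grouping consecutive non-matching columns.
    diffs, seg_a, seg_b = [], bytearray(), bytearray()
    i, j = n, m
    while i > 0 or j > 0:
        if i and j and a[i - 1] == b[j - 1] and score[i][j] == score[i - 1][j - 1] + match:
            if seg_a or seg_b:  # a matching byte closes the current differing region
                diffs.append((bytes(seg_a[::-1]), bytes(seg_b[::-1])))
                seg_a, seg_b = bytearray(), bytearray()
            i, j = i - 1, j - 1
        elif i and j and score[i][j] == score[i - 1][j - 1] + mismatch:
            seg_a.append(a[i - 1])
            seg_b.append(b[j - 1])
            i, j = i - 1, j - 1
        elif i and score[i][j] == score[i - 1][j] + gap:
            seg_a.append(a[i - 1])
            i -= 1
        else:
            seg_b.append(b[j - 1])
            j -= 1
    if seg_a or seg_b:
        diffs.append((bytes(seg_a[::-1]), bytes(seg_b[::-1])))
    return diffs[::-1]

def find_leaks(out_a, out_b, in_a, in_b):
    """Attribute each output difference to the perturbed input field it contains."""
    report = []
    for seg_a, seg_b in align(out_a, out_b):
        fields = [k for k in in_a if in_a[k] != in_b[k]
                  and in_a[k].encode() in seg_a and in_b[k].encode() in seg_b]
        report.append((fields[0] if fields else None, seg_a, seg_b))
    return report

# Constructed test inputs for two runs, and constructed captured traffic.
IN_A = {"user": "alice", "host": "PC17", "email": "a@x.test"}
IN_B = {"user": "bob", "host": "KIOSK3", "email": "b@y.test"}
OUT_A = b"GET /r?u=alice&h=PC17&n=8842"
OUT_B = b"GET /r?u=bob&h=KIOSK3&n=6559"

if __name__ == "__main__":
    for field, seg_a, seg_b in find_leaks(OUT_A, OUT_B, IN_A, IN_B):
        print(field or "unexplained difference", seg_a, seg_b)
```

The `n=` value differs between the two runs without matching any perturbed input, so it is reported as unexplained rather than as a leak; the perturbed `email` field never appears in the traffic and is not reported.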