Information flow based defensive chain for data leakage detection and prevention: a survey

TL;DR

This survey reviews information flow control techniques for detecting and preventing data leakage in mobile and IoT applications, emphasizing lifecycle protection and proposing a systematic defensive chain framework.

Contribution

It introduces an information flow based defensive chain framework that systematically categorizes IFC techniques across application development phases.

Findings

Most attacks occur during application execution.

Existing IFC techniques vary in performance and limitations.

Lifecycle-based defense enhances data leakage prevention.

Abstract

Mobile and IoT applications have greatly enriched our daily life by providing convenient and intelligent services. However, these smart applications have been a prime target of adversaries for stealing sensitive data. It poses a crucial threat to users' identity security, financial security, or even life security. Research communities and industries have proposed many Information Flow Control (IFC) techniques for data leakage detection and prevention, including secure modeling, type system, static analysis, dynamic analysis, \textit{etc}. According to the application's development life cycle, although most attacks are conducted during the application's execution phase, data leakage vulnerabilities have been introduced since the design phase. With a focus on lifecycle protection, this survey reviews the recent representative works adopted in different phases. We propose an information flow based defensive chain, which provides a new framework to systematically understand various IFC techniques for data leakage detection and prevention in Mobile and IoT applications. In line with the phases of the application life cycle, each reviewed work is comprehensively studied in terms of technique, performance, and limitation. Research challenges and future directions are also pointed out by consideration of the integrity of the defensive chain.