WhiteLie: A Robust System for Spoofing User Data in Android Platforms

TL;DR

WhiteLie is a system that provides robust user data spoofing on Android, enabling privacy protection by feeding fake data to apps without crashing or requiring device modifications.

Contribution

It introduces a novel, non-intrusive user data spoofing system that detects privacy violations and responds with spoofed data on stock Android devices.

Findings

Successfully deceives over 70 popular Android apps with spoofed data

Operates without device rooting or app binary modifications

Imposes negligible overhead on device performance

Abstract

Android employs a permission framework that empowers users to either accept or deny sharing their private data (for example, location) with an app. However, many apps tend to crash when they are denied permission, leaving users no choice but to allow access to their data in order to use the app. In this paper, we introduce a comprehensive and robust user data spoofing system, WhiteLie, that can spoof a variety of user data and feed it to target apps. Additionally, it detects privacy-violating behaviours, automatically responding by supplying spoofed data instead of the user's real data, without crashing or disrupting the apps. Unlike prior approaches, WhiteLie requires neither device rooting nor altering the app's binary, making it deployable on stock Android devices. Through experiments on more than 70 popular Android apps, we demonstrate that WhiteLie is able to deceive apps into accepting spoofed data without getting detected. Our evaluation further demonstrates that WhiteLie introduces negligible overhead in terms of battery usage, CPU consumption, and app execution latency. Our findings underscore the feasibility of implementing user-centric privacy-enhancing mechanisms within the existing Android ecosystem.