WhiteLie: A Robust System for Spoofing User Data in Android Platforms
Harish Yadav, Vikas Maurya, Abhilash Jindal, Vireshwar Kumar
TL;DR
WhiteLie addresses the privacy gaps in Android's permission model by delivering a non-rooted, runtime data-spoofing system that can feed spoofed data to apps and automatically respond to privacy violations. It achieves this via dynamic hooking on non-rooted devices, using Xposed/LSPatch/Shizuku to interpose on sensitive API calls without modifying the OS or app binaries. The approach demonstrates high real-world effectiveness, spoofing 78.32% of permission-protected data across 70 apps with minimal overhead and without crashes, while also mitigating side-channel attacks and detecting malicious behavior. The work shows practical potential for user-centric privacy protections on existing Android devices and highlights vulnerabilities in current continuous-authentication schemes that rely on sensor data. Overall, WhiteLie offers a comprehensive, deployable privacy mechanism that preserves app functionality while enhancing user control over shared data.
Abstract
Android employs a permission framework that empowers users to either accept or deny sharing their private data (for example, location) with an app. However, many apps tend to crash when they are denied permission, leaving users no choice but to allow access to their data in order to use the app. In this paper, we introduce a comprehensive and robust user data spoofing system, WhiteLie, that can spoof a variety of user data and feed it to target apps. Additionally, it detects privacy-violating behaviours and automatically responds by supplying spoofed data instead of the user's real data, without crashing or disrupting the apps. Unlike prior approaches, WhiteLie requires neither device rooting nor altering the app's binary, making it deployable on stock Android devices. Through experiments on more than 70 popular Android apps, we demonstrate that WhiteLie is able to deceive apps into accepting spoofed data without being detected. Our evaluation further demonstrates that WhiteLie introduces negligible overhead in terms of battery usage, CPU consumption, and app execution latency. Our findings underscore the feasibility of implementing user-centric privacy-enhancing mechanisms within the existing Android ecosystem.
