Northwestern University has developed a way to plug privacy holes in Android apps once and for all

Consumers may not have to endure through the game of whack-a-mole that the mobile industry has been playing with security exploits on Android for much longer if one of the newest projects at Northwestern University bears fruit. Its computer science department has developed a piece of software that could effectively bullet-proof mobile apps against privacy leaks.

The system, debuted in a recently published patent filing, shifts the focus from patching holes as they appear to controlling the flow of information in a way that ensures nothing ever gets through. That’s achieved using a tagging mechanism that marks any part of an app identified as providing access to important details such that the outbound data can be clearly distinguished as it travels about.

The software is able to intelligently determine what is worthy of that extra attention and what isn’t. In a social networking client, for instance, a sharing function that syncs posts to your page would be ignored, while a geotagging option that broadcasts your location data would be added to the list of components to be flagged.

The magic happens during the download, when the application is disassembled into a special kind of code that the system can scan to isolate the parts in need of special scrutiny and then put back together with the original Google Play Store security certificate on top. The whole process takes less than four minutes, although the filing states that half of the apps on which Northwestern tested the software took longer to analyze.

From there, the software tracks the data coming out of the exposed ends and blocks any suspicious code paths through which the information may be routed. That continuous monitoring has been found to incur a median overhead increase of 17 percent in Northwestern’s tests, but that’s a small sacrifice to make for near-absolute privacy when making mobile payments or editing personal data.

The security stems from the fact that compromising an app monitored by the software would not only require gaining access to the targeted sensitive data but also sidestepping the restrictions governing the movement of that data. Northwestern’s system can’t be taken as perfect and there’s always the risk of misconfiguration, but the addition of an extra obstacle shoots down most attempts to exploit new unpatched vulnerabilities such as Stagefright.

The best part is that the system doesn’t require modifying the firmware of the device on which it’s running to perform the monitoring, which means that the functionality could theoretically be implemented in apps out-of-the-box. If it wanted to, Google could go as far as automatically applying the technology to every submission to the Play Store.