|
| Covert channel | Description | Reported throughput (bps) | Possible countermeasures | Ref. |
|
| URL | To embed the leaked data into requested URLs through the browser | — | Taint-tracking solutions (e.g. TaintDroid) |
[9] |
| Vibration setting | Sensitive data are encoded in a sequence of changes to the three possible vibration settings (on, off, or silent only) | 87 | (1) Applying thresholds based on physical limit or behavioral patterns of human interaction
(2) Advanced monitoring solutions (e.g. XManDroid) |
| Volume setting | Sensitive data are encoded in a sequence of changes to the eight possible volume settings | 150 | Applying thresholds based on physical limit or behavioral patterns of human interaction |
| Screen status | Sensitive data are encoded in a sequence of changes to the two possible screen settings (ON, OFF) | 5.29 | Applying thresholds based on physical limit or behavioral patterns of human interaction |
| File locks | Data are sent through competing for read/write locks on a shared file in a synchronized manner | 685 | Advanced monitoring solutions (e.g. XManDroid) |
|
| Type of intents | Stolen data are encoded in intent parameters rather than its payload | 3216.74–4879.45 | Advanced monitoring solutions (e.g. XManDroid) |
[2] |
| Automatic intents | Stolen data are encoded in the automatic broadcasts triggered by changing settings rather than in the settings themselves | 50.97–91.06 | Advanced monitoring solutions (e.g. XManDroid) |
| UNIX socket discovery | Stolen data are encoded in the state (open/closed) of a socket, synchronized by the state of another socket | 1818.48–2305.67 | Advanced monitoring solutions (e.g. XManDroid) |
| Multiple settings | Data are exchanged utilizing many of the system settings at once, an improvement over using only a single system setting like volume level | 230.35–286.81 | (1) Applying thresholds based on physical limit or behavioral patterns of human interaction
(2) Advanced monitoring solutions (e.g. XManDroid) |
| Single setting | Similar to the channel of vibration/volume/screen settings above | 46.57–66.62 | (1) Applying thresholds based on physical limit or behavioral patterns of human interaction
(2) Advanced monitoring solutions (e.g. XManDroid) |
| Threads enumeration | Sensitive data are encoded in the number of threads spawned by the source application | 146.79–156.76 | Advanced monitoring solutions (e.g. XManDroid) |
| Free space on file system | Sensitive data are encoded in the number of blocks written to or deleted from the disk | 9.80–13.07 | — |
| /proc/stat statistics | Bits of stolen data are conveyed by affecting the number of jiffies used by all processes, which can be read from a usage statistics file | 3.26–7.82 | Advanced monitoring solutions (e.g. XManDroid) |
| CPU timing | Stolen data are conveyed by varying the load on the system so that the receiver process spends more time completing tasks | 3.70 | Energy-use anomaly detection (e.g. [14]) |
| CPU frequency | Stolen data are conveyed via change to processor frequency caused by the source and queried from the system, assuming support for dynamic frequency scaling | 0.56–4.88 | (1) Advanced monitoring solutions (e.g. XManDroid)
(2) Energy-use anomaly detection (e.g. [14]) |
|
| Task list with screen synch. | Sensitive data are encoded in the time elapsed before the source application kills itself and disappears from the list of running tasks, starting from the point the screen goes off | — | — |
[10] |
| Process priority with screen synch. | Sensitive data are encoded in the time during which the source process changes its UNIX priority level to a predetermined value, synchronized by the change of the screen status | 0.65 | Advanced monitoring solutions (e.g. XManDroid) |
| Process priority | Same as previous channel but without control from the screen status, leading the receiver to continuously monitor processes’ priorities | 17.6 | (1) Advanced monitoring solutions (e.g. XManDroid)
(2) Energy-use anomaly detection (e.g. [14]) |
| Screen status | The screen is watched till it turns off and then the source turns it on, waits until it is turned off again, and encodes the data in the delay before turning the screen on for the second time | 0.22 | — |
|
