DOI: 10.1145/2462456.2464462
Research article

RetroSkeleton: retrofitting android apps

Published: 25 June 2013

ABSTRACT

An obvious asset of the Android platform is the tremendous number and variety of available apps. There is a less obvious, but potentially even more important, benefit to the fact that nearly all apps are developed using a common platform. We can leverage the relatively uniform nature of Android apps to allow users to tweak applications for improved security, usability, and functionality with relative ease (compared to desktop applications). We design and implement an Android app rewriting framework for customizing behavior of existing applications without requiring source code or app-specific guidance. Following app-agnostic transformation policies, our system rewrites applications to insert, remove, or modify behavior. The rewritten application can run on any unmodified Android device, without requiring rooting or other custom software. This paper describes RetroSkeleton, our app rewriting framework, including static and dynamic interception of method invocations, and creating policies that integrate with each target app. We show that our system is capable of supporting a variety of useful policies, including providing flexible fine-grained network access control, building HTTPS-Everywhere functionality into apps, implementing automatic app localization, informing users of hidden behavior in apps, and updating apps depending on outdated APIs. We evaluate these policies by rewriting and testing more than one thousand real-world apps from Google Play.
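The static interception the abstract describes, redirecting selected method invocations in an app's Dalvik code to policy wrapper methods, is shown below as an added Python model; it is not RetroSkeleton's own code (the paper's implementation is not on this page). The smali listing, the `POLICY` table and the `Lpolicy/...` wrapper classes are constructed assumptions, and `upgrade_to_https` sketches the HTTPS-Everywhere-style rule such a wrapper would apply at run time.

```python
import re

# Constructed policy table (assumed format, not RetroSkeleton's): an instrumented
# virtual/interface target maps to a static wrapper that takes the original
# receiver as its first parameter, so the register list can be reused unchanged.
POLICY = {
    "Ljava/net/URL;->openConnection()Ljava/net/URLConnection;":
        "Lpolicy/NetPolicy;->openConnection(Ljava/net/URL;)Ljava/net/URLConnection;",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;":
        "Lpolicy/IdPolicy;->getDeviceId(Landroid/telephony/TelephonyManager;)Ljava/lang/String;",
}

INVOKE_RE = re.compile(
    r"^(\s*)invoke-(virtual|interface)(/range)?\s+(\{[^}]*\}),\s*(\S+)$")

def rewrite_smali(lines):
    """Statically redirect every policy-listed invocation to its wrapper.
    Returns (rewritten_lines, number_of_rewritten_call_sites)."""
    out, hits = [], 0
    for line in lines:
        m = INVOKE_RE.match(line)
        if m and m.group(5) in POLICY:
            indent, _kind, rng, regs, target = m.groups()
            # Only the opcode and the target change; the receiver register
            # becomes the wrapper's first argument.
            out.append(f"{indent}invoke-static{rng or ''} {regs}, {POLICY[target]}")
            hits += 1
        else:
            out.append(line)
    return out, hits

def upgrade_to_https(url, https_hosts):
    """Run-time rule a NetPolicy wrapper would apply: upgrade plain-HTTP URLs
    for hosts known to serve HTTPS (constructed allow-list, not EFF's rule set)."""
    m = re.match(r"^http://([^/:]+)(.*)$", url)
    if m and m.group(1) in https_hosts:
        return "https://" + m.group(1) + m.group(2)
    return url

# Constructed smali fragment standing in for a method extracted from an app.
SAMPLE = [
    ".method public fetch(Ljava/net/URL;)V",
    "    invoke-virtual {p1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    "    move-result-object v0",
    "    invoke-virtual {v0}, Ljava/net/URLConnection;->connect()V",
    "    return-void",
    ".end method",
]

if __name__ == "__main__":
    rewritten, n = rewrite_smali(SAMPLE)
    print(f"{n} call site(s) redirected")
    print("\n".join(rewritten))
```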


Published in

MobiSys '13: Proceedings of the 11th Annual International Conference on Mobile Systems, Applications, and Services
June 2013
568 pages
ISBN: 9781450316729
DOI: 10.1145/2462456

Copyright © 2013 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States



Acceptance Rates

MobiSys '13 paper acceptance rate: 33 of 211 submissions (16%). Overall acceptance rate: 274 of 1,679 submissions (16%).
