Abstract
Data security and privacy of Android users are among the challenging security problems addressed by the security research community. A major source of security vulnerabilities in Android apps is bugs within source code, insecure APIs, and missing validation before sensitive operations are performed. Specifically, the major classes of app vulnerabilities fall into categories such as inter-component communication (ICC), networking, web, cryptographic APIs, storage, and runtime-permission validation. Most current contributions focus on identifying a smaller subset of these vulnerabilities. In addition, these methods do not discuss how to remove detected vulnerabilities from the affected code.
In this work, we propose a novel vulnerability detection and patching framework, Vulvet, which employs static analysis approaches from different domains of program analysis to detect a wide range of vulnerabilities in Android apps. We propose an additional lightweight technique, FP-Validation, to mitigate the false positives that existing solutions incur owing to over-approximation. In addition to improved detection, Vulvet automatically patches apps with safe code for each identified vulnerability using bytecode instrumentation. We implement Vulvet as an extension of Soot. To demonstrate the efficiency of our proposed framework, we analyzed 3,700 apps collected from various stores and benchmarks consisting of various weak implementations. Our results indicate that Vulvet achieves vulnerability detection with 95.23% precision and 0.975 F-measure on benchmark apps, a significant improvement over recent work, along with successful patching of the identified vulnerabilities.
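The abstract describes detection plus in-place patching by bytecode instrumentation on top of Soot. The following added example (not Vulvet's code, and not from the paper) sketches what such a detect-and-patch pass looks like for one weakness in the storage category: a call to `Context.openFileOutput(name, mode)` whose mode constant sets the world-readable or world-writeable bits. The choice of this particular API, the `jtp.worldfiles` phase name and the class name are assumptions for illustration; the transformer only patches when the mode is a compile-time constant and reports the rest for review, which is where a validation step against over-approximation would sit.

```java
// Added illustrative Soot BodyTransformer (not Vulvet's implementation).
// Flags openFileOutput(name, mode) calls whose mode sets
// MODE_WORLD_READABLE (1) or MODE_WORLD_WRITEABLE (2) and rewrites the
// constant in the Jimple IR so only those two bits are cleared.
import java.util.Map;
import soot.Body;
import soot.BodyTransformer;
import soot.PackManager;
import soot.Transform;
import soot.Unit;
import soot.Value;
import soot.jimple.IntConstant;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;

public class WorldAccessibleFileFixer extends BodyTransformer {
    // Android's Context.MODE_WORLD_READABLE | Context.MODE_WORLD_WRITEABLE
    static final int WORLD_BITS = 0x1 | 0x2;
    // Sub-signature (no declaring class) so calls made through Activity,
    // Service or other Context subclasses are matched as well.
    static final String TARGET_SUBSIG =
        "java.io.FileOutputStream openFileOutput(java.lang.String,int)";

    @Override
    protected void internalTransform(Body body, String phase, Map<String, String> opts) {
        for (Unit u : body.getUnits()) {
            Stmt stmt = (Stmt) u;
            if (!stmt.containsInvokeExpr()) continue;
            InvokeExpr ie = stmt.getInvokeExpr();
            if (!ie.getMethodRef().getSubSignature().getString().equals(TARGET_SUBSIG)) continue;
            Value mode = ie.getArg(1);
            if (!(mode instanceof IntConstant)) {
                // Mode is not a constant here: report instead of patching blindly.
                System.out.println("[review] non-constant file mode in " + body.getMethod().getSignature());
                continue;
            }
            int value = ((IntConstant) mode).value;
            if ((value & WORLD_BITS) == 0) continue; // already private: no finding
            System.out.println("[patch] " + body.getMethod().getSignature() + " mode=" + value);
            // Clear only the world-access bits; other flags such as MODE_APPEND survive.
            ie.setArg(1, IntConstant.v(value & ~WORLD_BITS));
        }
    }

    public static void main(String[] args) {
        // Register in the Jimple transformation pack; the usual Soot options for
        // Android input (-src-prec apk, -android-jars, -process-dir, -f dex) are
        // passed through args so the patched app is written back out as dex.
        PackManager.v().getPack("jtp").add(new Transform("jtp.worldfiles", new WorldAccessibleFileFixer()));
        soot.Main.main(args);
    }
}
```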
Vulvet: Vetting of Vulnerabilities in Android Apps to Thwart Exploitation