Published in: Empirical Software Engineering 3/2021

01-05-2021

Flair: efficient analysis of Android inter-component vulnerabilities in response to incremental changes

Authors: Hamid Bagheri, Jianghao Wang, Jarod Aerts, Negar Ghorbani, Sam Malek

Abstract

Inter-component communication (ICC) among Android apps has been shown to be the source of many security vulnerabilities. Prior research has developed compositional analyses that detect ICC vulnerabilities across a set of installed apps. However, none of them can respond efficiently to incremental system changes such as adding or removing apps: every time the system changes, the entire analysis has to be repeated, which makes them too expensive for practical use given how frequently apps are updated, installed, and removed on a typical Android device. This paper presents a novel technique, dubbed FLAIR, for efficient yet formally precise security analysis of Android apps in response to incremental system changes. Leveraging the fact that a change is likely to affect only a small fraction of the prior analysis results, FLAIR recomputes the analysis only where required, greatly improving performance without sacrificing soundness or completeness. Our experimental results on numerous collections of real-world apps corroborate that FLAIR provides an order-of-magnitude speedup over prior techniques.
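The abstract's central point is that an install or uninstall only invalidates the analysis results that involve the changed app, so everything else can be reused. The following Python example illustrates that idea on a deliberately small app model; it is an added illustration, not code from the FLAIR paper or its authors. Everything in it is an assumption: the app model (packages, exported components, intent-filter actions, a guard permission, and the permissions a component exercises), the simplified permission re-delegation check used as the "vulnerability", and the constructed sample packages. FLAIR's own analysis is formulated over relational-logic (Alloy) specifications, which this example does not reproduce; what it shows is the bookkeeping that makes incremental recomputation return the same findings as a from-scratch rerun at a fraction of the pair checks.

```python
"""Incremental inter-app ICC analysis on a toy app model.

Added illustration, not the FLAIR paper's code. The app model, the
re-delegation check and the sample packages below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    exported: bool
    actions: FrozenSet[str]   # intent-filter actions the component accepts
    guard: Optional[str]      # permission a sender must hold to reach it (None = open)
    uses: FrozenSet[str]      # permissions the handler exercises when triggered


@dataclass(frozen=True)
class App:
    pkg: str
    granted: FrozenSet[str]   # permissions granted to the app
    components: Tuple[Component, ...]
    sends: FrozenSet[str]     # implicit-intent actions the app sends


# (sender pkg, receiver pkg, receiver component, permission gained by sender)
Finding = Tuple[str, str, str, str]


def analyze_pair(sender: App, receiver: App) -> Set[Finding]:
    """Simplified re-delegation check for one ordered (sender, receiver) pair:
    the sender reaches an exported component whose guard it satisfies, and that
    component exercises a permission the receiver holds but the sender does not."""
    found: Set[Finding] = set()
    if sender.pkg == receiver.pkg:
        return found
    for c in receiver.components:
        reachable = (c.exported and bool(c.actions & sender.sends)
                     and (c.guard is None or c.guard in sender.granted))
        if not reachable:
            continue
        for perm in c.uses & (receiver.granted - sender.granted):
            found.add((sender.pkg, receiver.pkg, c.name, perm))
    return found


def full_analysis(apps: Dict[str, App]) -> Set[Finding]:
    """Baseline: re-check every ordered pair from scratch (n*(n-1) pair checks)."""
    found: Set[Finding] = set()
    for s in apps.values():
        for r in apps.values():
            found |= analyze_pair(s, r)
    return found


class IncrementalAnalysis:
    """Keeps per-pair results so an install/uninstall only touches the pairs
    involving the changed app; results for every other pair are reused."""

    def __init__(self) -> None:
        self.apps: Dict[str, App] = {}
        self.pair_results: Dict[Tuple[str, str], Set[Finding]] = {}
        self.pairs_analyzed = 0   # cost counter, for comparison with full_analysis

    def add_app(self, app: App) -> None:
        if app.pkg in self.apps:
            self.remove_app(app.pkg)   # an app update is remove + add
        for other in self.apps.values():
            self.pair_results[(app.pkg, other.pkg)] = analyze_pair(app, other)
            self.pair_results[(other.pkg, app.pkg)] = analyze_pair(other, app)
            self.pairs_analyzed += 2
        self.apps[app.pkg] = app

    def remove_app(self, pkg: str) -> None:
        self.apps.pop(pkg, None)
        for key in [k for k in self.pair_results if pkg in k]:
            del self.pair_results[key]    # removal needs no re-analysis at all

    def findings(self) -> Set[Finding]:
        found: Set[Finding] = set()
        for r in self.pair_results.values():
            found |= r
        return found


# Constructed sample apps (hypothetical package names, not real apps).
SMS_APP = App("com.example.sms", frozenset({"SEND_SMS"}),
              (Component("SmsSender", True, frozenset({"com.example.SEND"}),
                         None, frozenset({"SEND_SMS"})),),
              frozenset())
MAL_APP = App("com.example.mal", frozenset(), (), frozenset({"com.example.SEND"}))
CAM_APP = App("com.example.cam", frozenset({"CAMERA"}),
              (Component("Snap", True, frozenset({"com.example.SNAP"}),
                         "CAMERA", frozenset({"CAMERA"})),),
              frozenset())
GALLERY_APP = App("com.example.gallery", frozenset({"CAMERA"}), (),
                  frozenset({"com.example.SNAP"}))


def demo() -> Tuple[Set[Finding], int, int]:
    """Install four apps one at a time; return (incremental findings, incremental
    pair checks, pair checks a from-scratch rerun after each install would cost)."""
    inc = IncrementalAnalysis()
    full_cost = 0
    for app in (SMS_APP, MAL_APP, CAM_APP, GALLERY_APP):
        inc.add_app(app)
        n = len(inc.apps)
        full_cost += n * (n - 1)
        assert inc.findings() == full_analysis(inc.apps)  # same answer, less work
    return inc.findings(), inc.pairs_analyzed, full_cost


if __name__ == "__main__":
    findings, inc_cost, full_cost = demo()
    for f in sorted(findings):
        print("re-delegation:", f)
    print(f"pair checks: incremental={inc_cost}, full-rerun={full_cost}")
```

Only the unguarded SmsSender component is flagged: com.example.mal can reach it with an implicit intent and thereby exercise SEND_SMS without holding it, whereas com.example.gallery reaching Snap is not a finding because it already holds CAMERA. The cost counters make the abstract's argument concrete: installing four apps one by one costs 12 pair checks incrementally against 20 for a full rerun after every install, and the gap widens quadratically with the number of installed apps, which is exactly the regime the paper targets.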

Metadata
Title: Flair: efficient analysis of Android inter-component vulnerabilities in response to incremental changes
Authors: Hamid Bagheri, Jianghao Wang, Jarod Aerts, Negar Ghorbani, Sam Malek
Publication date: 01-05-2021
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 3/2021
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-020-09932-6
