Abstract
The openness and extensibility of Android have made it a popular platform for mobile devices and a strong candidate to drive the Internet-of-Things. Unfortunately, these properties also leave Android vulnerable, attracting attacks for profit or fun. To mitigate these threats, numerous issue-specific solutions have been proposed. With the increasing number and complexity of security problems and solutions, we believe this is the right moment to step back and systematically re-evaluate the Android security architecture and security practices in the ecosystem. We organize the most recent security research on the Android platform into two categories: the software stack and the ecosystem. For each category, we provide a comprehensive narrative of the problem space, highlight the limitations of the proposed solutions, and identify open problems for future research. Based on our collection of knowledge, we envision a blueprint for engineering a secure, next-generation Android ecosystem.
- Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, and Giovanni Vigna. 2014. Execute this! Analyzing unsafe and malicious dynamic code loading in android applications. In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 46:1--46:16.Google Scholar
- Rahul Potharaju, Andrew Newell, Cristina Nita-Rotaru, and Xiangyu Zhang. 2012. Plagiarizing smartphone applications: Attack strategies and defense techniques. In Proceedings of the 2012 International Symposium on Engineering Secure Software and Systems (ESSoS). Springer, 106--120. Google ScholarDigital Library
- Chenxiong Qian, Xiapu Luo, Yuru Shao, and Alvin T. S. Chan. 2014. On tracking information flows through JNI in android applications. In Proceedings of the 44th International Conference on Dependable Systems and Networks (DSN). IEEE Computer Society, 180--191. Google ScholarDigital Library
- Zhengyang Qu, Vaibhav Rastogi, Xinyi Zhang, Yan Chen, Tiantian Zhu, and Zhong Chen. 2014. AutoCog: Measuring the description-to-permission fidelity in android applications. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS). ACM Press, Scottsdale, Arizona, 1354--1365. Google ScholarDigital Library
- Moheeb Abu Rajab, Lucas Ballard, Noé Lutz, Panayiotis Mavrommatis, and Niels Provos. 2013. CAMP: Content-agnostic malware protection. In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 24:1--24:17.Google Scholar
- Siegfried Rasthofer, Steven Arzt, and Eric Bodden. 2014. A machine-learning approach for classifying and categorizing android sources and sinks. In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 42:1--42:15.Google ScholarCross Ref
- Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, and Eric Bodden. 2016. Harvesting runtime values in android applications that feature anti-analysis techniques. In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 55:1--55:15.Google ScholarCross Ref
- Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: Automatic security analysis of smartphone applications. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY). ACM Press, San Antonio, 209--220. Google ScholarDigital Library
- Paul Ratazzi, Yousra Aafer, Amit Ahlawat, Hao Hao, Yifei Wang, and Wenliang Du. 2014. A systematic security evaluation of android's multi-user framework. In Proceedings of the Mobile Security Technologies (MoST). IEEE Computer Society, 9:1--9:10.Google Scholar
- Simon Rockman. 2014. Google Nest, ARM, Samsung Pull Out Thread to Strangle ZigBee. (July 2014). http://www.theregister.co.uk/2014/07/15/google%5Fnest%5Fthread%5Fprotocol/.Google Scholar
- Franziska Roesner and Tadayoshi Kohno. 2013. Securing embedded user interfaces: Android and beyond. In Proceedings of the 22th USENIX Security Symposium (Security). USENIX Association, Washington, DC, 97--112. Google ScholarDigital Library
- Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno, Helen J. Wang, and Crispin Cowan. 2012. User-driven access control: Rethinking permission granting in modern operating systems. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland). IEEE Computer Society, San Francisco, CA, 224--238. Google ScholarDigital Library
- Sankardas Roy, Jordan DeLoach, Yuping Li, Nic Herndon, Doina Caragea, and Xinming Ou. Experimental study with real-world data for android app security analysis using machine learning. ACM, 81--90.Google Scholar
- Paul Sabanal. 2015. Hiding Behind ART. (Aug. 2015).Google Scholar
- Samsung Electronics. 2014. White Paper: An Overview of Samsung KNOX 2.0. (March 2014). http://www.samsung.com/ca/business-images/resource/white-paper/2014/03/Samsung%5FKNOX %5Ftech%5Fwhitepaper%5FFinal%5F140220-0.pdf.Google Scholar
- Golam Sarwar, Olivier Mehani, Roksana Boreli, and Dali Kaafar. 2013. On the Effectiveness of Dynamic Taint Analysis for Protecting Against Private Information Leaks on Android-based Devices. Technical Report. NICTA.Google Scholar
- Anand Saswat, Naik Mayur, Jean Harrold Mary, and Yang Hongseok. 2012. Automated concolic testing of smartphone apps. In Proceedings of the 20th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE). ACM, 59:1--59:15. Google ScholarDigital Library
- Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang. 2011. Soundcomber: A stealthy and context-aware sound trojan for smartphones. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, 1:1--1:17.Google Scholar
- Daniel Schreckling, Joachim Posegga, and Daniel Hausknecht. 2012. Constroid: Data-centric access control for android. In Proceedings of the 27th ACM Symposium on Applied Computing (SAC). ACM, 1478--1485. Google ScholarDigital Library
- Sebastian. 2011. Zimperlich Sources. (Feb. 2011). http://c-skills.blogspot.com/2011/02/zimperlich-sources.html.Google Scholar
- Jaeback Seo, Daehyeok Kim, Donghyun Cho, Taesoo Kim, and Insik Shin. 2016. FlexDroid: Enforcing in-app privilege separation in android. In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 53:1--53:15.Google ScholarCross Ref
- Yuru Shao, Xiapu Luo, and Chenxiong Qian. 2014a. RootGuard: Protecting rooted android phones. Computer 47 (June 2014), 32--40. Google ScholarDigital Library
- Yuru Shao, Xiapu Luo, Chenxiong Qian, Pengfei Zhu, and Lei Zhang. 2014b. Towards a scalable resource-driven approach for detecting repackaged android applications. In Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC). ACM, 56--65. Google ScholarDigital Library
- Roy Choudhary Shauvik, Gorla Alessandra, and Alessandro (Alex) Orso. 2015. Automated test input generation for android: Are we there yet? In Proceedings of the 30th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE Computer Society, 429--440.Google Scholar
- Shashi Shekhar, Michael Dietz, and Dan S. Wallach. AdSplit: Separating smartphone advertising from applications. In Proceedings of the 21st USENIX Conference on Security Symposium (Security'12) USENIX Association, 553--567. Google ScholarDigital Library
- Dongwan Shin, Huiping Yao, and Une Rosi. 2013. Supporting visual security cues for webview-based android apps. In Proceedings of the 28th ACM Symposium on Applied Computing (SAC). ACM, 1867--1876. Google ScholarDigital Library
- Hao Shuai, Liu Bin, Nath Suman, G. J. Halfond William, and Ramesh Govindan. 2014. PUMA: Programmable UI-automation for large-scale dynamic analysis of mobile apps. In Proceedings of the 12th ACM International Conference on Mobile Computing Systems (MobiSys). ACM, 204--217. Google ScholarDigital Library
- Silent Circle. 2016. Blackphone 2 and Silent OS. (Feb. 2016). https://www.silentcircle.com.Google Scholar
- David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. 2014. Password managers: Attacks and defenses. In Proceedings of the 23rd USENIX Security Symposium (Security). USENIX Association, San Diego, CA, 449--464. Google ScholarDigital Library
- Stephen Smalley and Robert Craig. 2013. Security enhanced (SE) android: Bringing flexible MAC to android. In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 9:1--9:18.Google Scholar
- Carlos A. Soto. 2005. A Menu of Bluetooth Attacks. (July 2005). http://gcn.com/articles/2005/07/20/a-menu-of-bluetooth-attacks.aspx.Google Scholar
- Mengtao Sun and Gang Tan. 2014. NativeGuard: Protecting android applications from third-party native libraries. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec). ACM Press, Oxford, UK, 165--176. Google ScholarDigital Library
- Xin Sun, Yibing Zhongyang, Zhi Xin, Bing Mao, and Li Xie. 2014. Detecting code reuse in android applications using component-based control flow graph. In Proceedings of the 29th International Conference on Systems Security and Privacy Protection (IFIPSEC). Springer, 142--155.Google ScholarCross Ref
- SUSE. 2016. Live Kernel Patching with kGraft. (Feb. 2016). https://www.suse.com/promo/kgraft.html.Google Scholar
- Vanja Svajcer. 2014. Sophos Mobile Security Threat Report 2014. Technical Report. Sophos, Ltd.Google Scholar
- Azim Tanzirul and Neamtiu Iulian. 2013. Targeted and depth-first exploration for systematic testing of android apps. In Proceedings of the 24th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA). ACM Press, Indianapolis, IN, 641--660. Google ScholarDigital Library
- Chengkai Tao. 2014. Android App Update Flaw Affects China-Based Users. Technical Report. Trendmicro.Google Scholar
- Root Genius Team. 2016. Root Genius. (Feb. 2016). http://www.shuame.com/en/root.Google Scholar
- The Apache Software Foundation. 2016. Apache Cordova. (Feb. 2016). http://cordova.apache.org.Google Scholar
- thesnkchrmr. 2011. RageAgainstTheCage. (March 2011). https://thesnkchrmr.wordpress.com/2011/03/24/rageagainstthecage/.Google Scholar
- Cody Toombs. 2014. {Lollipop Feature Spotlight} WebView Is Now Unbundled From Android And Free To Auto-Update From Google Play. (Oct. 2014). http://www.androidpolice.com/2014/10/19/lollipop-feature-spotlight-webview-now-unbundled-android-free-auto-update-google-play.Google Scholar
- Eran Tromer, Dag Arne Osvik, and Adi Shamir. 2010. Efficient cache attacks on AES, and countermeasures. Journal of Cryptology 23, 1 (2010), 37--71. Google ScholarCross Ref
- Ashee Vance. 2013. Behind the'Internet of Things' Is Android and It's Everywhere. (2013). http://www.businessweek.com/articles/2013-05-29/behind-the-internet-of-things-is-Android-and-its-everywhere.Google Scholar
- Timothy Vidas and Nicolas Christin. 2013. Sweetening android lemon markets: Measuring and combating malware in application marketplaces. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY). ACM Press, San Antonio, TX, 197--208. Google ScholarDigital Library
- Nicolas Viennot, Edward Garcia, and Jason Nieh. 2014. A measurement study of google play. In Proceedings of the 2014 ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS). ACM, 221--233. Google ScholarDigital Library
- VirusTotal Team. 2012. VirusTotal. (Sept. 2012). https://www.virustotal.com/en/documentation/.Google Scholar
- vuldb.com. 2013. Google Android 4.0 debug mode /data/local.prop privilege escalation. (June 2013). https://vuldb.com/?id.9059.Google Scholar
- Ruowen Wang, William Enck, Douglas Reeves, Xinwen Zhang, Peng Ning, Dingbang Xu, Wu Zhou, and Ahmed M. Azab. 2014a. EASEAndroid: Automatic policy analysis and refinement for security enhanced android via large-scale semi-supervised learning. In Proceedings of the 23rd USENIX Security Symposium (Security). USENIX Association, San Diego, CA, 351--366. Google ScholarDigital Library
- Yifei Wang, Srinivas Hariharan, Chenxi Zhao, Jiaming Liu, and Wenliang Du. 2014b. Compac: Enforce component-level access control in android. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY). ACM Press, San Antonio, TX, 25--36. Google ScholarDigital Library
- Takuya Watanabe, Mitsuaki Akiyama, Tetsuya Sakai, and Tatsuya Mori. 2015. Understanding the inconsistencies between text descriptions and the use of privacy-sensitive resources of mobile apps. In Proceedings of the 11th ACM Symposium on Usable Privacy and Security (SOUPS). USENIX Association, 241--255.Google Scholar
- Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. 2014. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS). ACM Press, Scottsdale, Arizona, 1329--1341. Google ScholarDigital Library
- Yang Wei, Xiao Xusheng, Andow Benjamin, Li Sihan, Xie Tao, and Enck William. 2015. AppContext: Differentiating malicious and benign mobile app behaviors using context. In Proceedings of the 37th International Conference on Software Engineering (ICSE). IEEE Computer Society, Austin, TX, 303--313. Google ScholarDigital Library
- Ralf-Philipp Weinmann. 2012. Baseband attacks: Remote exploitation of memory corruptions in cellular protocol stacks. In Proceedings of the 2012 USENIX Workshop on Offensive Technologies (WOOT). USENIX Association, 12--21. Google ScholarDigital Library
- Nathan Willis. 2013. Tizen Content Scanning and App Obfuscation. (June 2013). http://lwn.net/Articles/553676.Google Scholar
- Michelle Y. Wong and David Lie. 2016. IntelliDroid: A targeted input generator for the dynamic analysis of android malware In Proceedings of the 2016 Annual Network and Distributed System Security Symposium (NDSS). The Internet Society, San Diego, CA, 54:1--54:15.Google Scholar
- Choi Wontae, Necula George, and Sen Koushik. 2013. Guided GUI testing of android apps with minimal restart and approximate learning. In Proceedings of the 24th Annual ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA). ACM Press, Indianapolis, IN, 623--640. Google ScholarDigital Library
- Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, and Xuxian Jiang. 2013. The impact of vendor customizations on android security. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS). ACM Press, Berlin, Germany, 623--634. Google ScholarDigital Library
- Zhen Xie and Sencun Zhu. 2015. AppWatcher: Unveiling the underground market of trading mobile app reviews. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec). ACM, 10:1--10:11. Google ScholarDigital Library
- Luyi Xing, Xiaorui Pan, Rui Wang, Kan Yuan, and XiaoFeng Wang. 2014. Upgrading your android, elevating my malware: Privilege escalation through mobile OS updating. In Proceedings of the 35th IEEE Symposium on Security and Privacy (Oakland). IEEE Computer Society, San Jose, CA, 393--408. Google ScholarDigital Library
- Nan Xu, Fan Zhang, Yisha Luo, Weijia Jia, Dong Xuan, and Jin Teng. 2009. Stealthy video capturer: A new video-based spyware in 3G smartphones. In Proceedings of the 2nd ACM Conference on Wireless Network Security (WiSec'09). ACM, 69--78. Google ScholarDigital Library
- Rubin Xu, Hassen Saïdi, and Ross Anderson. 2012. Aurasium: Practical policy enforcement for android applications. In Proceedings of the 21st USENIX Security Symposium (Security). USENIX Association, Bellevue, WA, 539--552. Google ScholarDigital Library
- Yuanzhong Xu and Emmett Witchel. 2015. Maxoid: Transparently confining mobile applications with custom views of state. In Proceedings of the 10th European Conference on Computer Systems (EuroSys). ACM, 26:1--26:16. Google ScholarDigital Library
- Lok Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis. In Proceedings of the 21st USENIX Security Symposium (Security). USENIX Association, Bellevue, WA, 569--584. Google ScholarDigital Library
- Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, and X. Sean Wang. 2013. AppIntent: Analyzing sensitive data transmission in android for privacy leakage detection. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS). ACM Press, Berlin, Germany, 1043--1054. Google ScholarDigital Library
- Jing Yu and Toshihiro Yamauchi. 2013. Access control to prevent attacks exploiting vulnerabilities of webview in android OS. In Proceedings of the 11th IEEE International Conference on Embedded and Ubiquitous Computing. IEEE Computer Society, 1628--1633.Google ScholarCross Ref
- Fangfang Zhang, Heqing Huang, Sencun Zhu, Dinghao Wu, and Peng Liu. 2014a. ViewDroid: Towards obfuscation-resilient mobile application repackaging detection. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec). ACM Press, Oxford, UK, 25--36. Google ScholarDigital Library
- Hang Zhang, Dongdong She, and Zhiyun Qian. 2015. Android root and its providers: A double-edged sword. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS). ACM Press, Denver, Colorado, 1093--1104. Google ScholarDigital Library
- Mu Zhang and Heng Yin. 2014. Efficient, context-aware privacy leakage confinement for android applications without firmware modding. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS). ACM Press, 259--270. Google ScholarDigital Library
- Yingqian Zhang, Michael K. Reiter, Ari Juels, and Thomas Ristenpart. 2012. Cross-VM side channels and their use to extract private keys. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS). ACM Press, Raleigh, NC, 305--316. Google ScholarDigital Library
- Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X. Sean Wang, and Binyu Zang. 2013. Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS). ACM Press, Berlin, Germany, 611--622. Google ScholarDigital Library
- Zhongwen Zhang, Yuewu Wang, Jiwu Jing, Qiongxiao Wang, and Lingguang Lei. 2014b. Once root always a threat: Analyzing the security threats of android permission system. In Proceedings of the 19th Australasian Conference on Information Security and Privacy (ACISP). Springer, 354--369.Google ScholarCross Ref
- Mu Zhang, Yue Duan, Heng Yin, and Zhiruo Zhao. 2014c. Semantics-aware android malware classification using weighted contextual API dependency graphs. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS). ACM Press, Scottsdale, Arizona, 1105--1116. Google ScholarDigital Library
- Cong Zheng, Shixiong Zhu, Shuaifu Dai, Guofei Gu, Xiaorui Gong, Xinhui Han, and Wei Zou. 2012. SmartDroid: An automatic system for revealing UI-based trigger conditions in android applications. In Proceedings of the 2nd Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). The Internet Society, Raleigh, NC, 93--104. Google ScholarDigital Library
- Wu Zhou, Zhi Wang, Yajin Zhou, and Xuxian Jiang. 2014b. DIVILAR: Diversifying intermediate language for anti-repackaging on android platform. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY). ACM Press, San Antonio, TX, 199--210. Google ScholarDigital Library
- Wu Zhou, Xinwen Zhang, and Xuxian Jiang. 2013a. AppInk: Watermarking android apps for repackaging deterrence. In Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS). ACM Press, Hangzhou, China, 1--12. Google ScholarDigital Library
- Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, and Shihong Zou. 2013b. Fast, scalable detection of piggybacked mobile applications. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY). ACM Press, San Antonio, TX, 185--196. Google ScholarDigital Library
- Wu Zhou, Yajin Zhou, Xuxian Jiang, and Peng Ning. 2012. Detecting repackaged smartphone applications in third-party android marketplaces. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY). ACM, 317--326. Google ScholarDigital Library
- Xiaoyong Zhou, Soteris Demetriou, Dongjing He, Muhammad Naveed, Xiaorui Pan, XiaoFeng Wang, Carl A. Gunter, and Klara Nahrstedt. 2013. Identity, location, disease and more: Inferring your secrets from android public resources. In Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS). ACM Press, Berlin, Germany, 1017--1028. Google ScholarDigital Library
- Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed, and XiaoFeng Wang. 2014a. The peril of fragmentation: Security hazards in android device driver customizations. In Proceedings of the 35th IEEE Symposium on Security and Privacy (Oakland). IEEE Computer Society, San Jose, CA, 409--423. Google ScholarDigital Library
- Yajin Zhou and Xuxian Jiang. 2012. Dissecting android malware: Characterization and evolution. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland). IEEE Computer Society, San Francisco, CA, 95--109. Google ScholarDigital Library
Index Terms
- Toward Engineering a Secure Android Ecosystem: A Survey of Existing Techniques