Abstract
We present a new approach to static analysis for security vetting of Android apps and a general framework called Amandroid. Amandroid determines points-to information for all objects in an Android app component in a flow- and context-sensitive (user-configurable) way and performs data flow and data dependence analysis for the component. Amandroid also tracks inter-component communication activities. It can stitch the component-level information into app-level information to perform intra-app or inter-app analysis. In this article, (a) we show that this type of comprehensive app analysis is completely feasible in terms of computing resources with modern hardware, (b) we demonstrate that one can easily leverage the results from this general analysis to build various types of specialized security analyses (in many cases the amount of additional coding needed is around 100 lines of code), and (c) we show that the results of those specialized analyses leveraging Amandroid are at least on par with, and often exceed, those of prior works designed for the specific problems, which we demonstrate by comparing Amandroid's results with those of prior works whenever we can obtain the executables of those tools. Since Amandroid's analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid's analysis is sound in that it can provide assurance of the absence of the specified security problems in an app, given well-specified and reasonable assumptions about the Android runtime system and its library.