Zhengyang Qu,Shahid Alam,Yan Chen,Xiaoyong Zhou,Wangjun Hong,Ryan Riley

DOI: https://doi.org/10.1109/dsn.2017.14

2017-01-01

Abstract:Android has provided dynamic code loading (DCL) since API level one. DCL allows an app developer to load additional code at runtime. DCL raises numerous challenges with regards to security and accountability analysis of apps. While previous studies have investigated DCL on Android, in this paper we formulate and answer three critical questions that are missing from previous studies: (1) Where does the loaded code come from (remotely fetched or locally packaged), and who is the responsible entity to invoke its functionality? (2) In what ways is DCL utilized to harden mobile apps, specifically, application obfuscation? (3) What are the security risks and implications that can be found from DCL in off-the-shelf apps? We design and implement DyDroid, a system which uses both dynamic and static analysis to analyze dynamically loaded code. Dynamic analysis is used to automatically exercise apps, capture DCL behavior, and intercept the loaded code. Static analysis is used to investigate malicious behavior and privacy leakage in that dynamically loaded code. We have used DyDroid to analyze over 46K apps with little manual intervention, allowing us to conduct a large-scale measurement to investigate five aspects of DCL, such as source identification, malware detection, vulnerability analysis, obfuscation analysis, and privacy tracking analysis. We have several interesting findings. (1) 27 apps are found to violate the content policy of Google Play by executing code downloaded from remote servers. (2) We determine the distribution, pros/cons, and implications of several common obfuscation methods, including DEX encryption/loading. (3) DCL's stealthiness enables it to be a channel to deploy malware, and we find 87 apps loading malicious binaries which are not detected by existing antivirus tools. (4) We found 14 apps that are vulnerable to code injection attacks due to dynamically loading code which is writable by other apps. (5) DCL is mainly used by third-party SDKs, meaning that app developers may not know what sort of sensitive functionality is injected into their apps.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Hongyi Chen,Ho-fung Leung,Biao Han,Jinshu Su

DOI: https://doi.org/10.1109/icc.2017.7996335

2017-01-01

Abstract:Android apps frequently leak private data off the device with or without intentions. Researchers have proposed a large number of methods, for example, static and dynamic analysis methods, to pick out the apps which tend to leak private data. However, they are only able to identify part of private data leakage vulnerabilities, due to the dynamic features in codes or code coverage problem. This paper presents a novel hybrid approach that can find out more private data leakages than the existing static or dynamic methods. The approach, realized in a tool, called HybriDroid, which employs both static and dynamic analysis methods to extract the models of each apps, and then refines the behavior model to a more adequate one according to the dynamic analysis result. As a consequence, HybriDroid inherits the advantages of both static and dynamic analysis methods, which not only achieves a high code coverage, but also can deal with the dynamic features in codes. The evaluation results show that HybriDroid is effective in detecting privacy leakages for both inter-and intra-app communication. Comparing with the existing methods, it can achieve considerable improvements in data leakage detection performance with a 97.8% precision and 90% recall on the selected apps from DroidBench 3.0 test suite.

Yue GAO,Ai-qun HU

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.02.005

2014-01-01

Abstract:Current dynamic detection method of private data on Android platform is inefifcient. To solve this problem, a novel dynamic detecting method based on permission analysis is designed and implemented. This method combines static permission analysis with dynamic taint detection. The taint types and privacy export types in dynamic detection are determined by the permissions application applies for. The detection options are set through Android system properties. The experimental results show that this method can improve the efficiency of dynamic taint detection without affecting effectiveness.

Yang Liu,Yan Yu

DOI: https://doi.org/10.3969/j.issn.1000-386x.2017.09.029

2017-01-01

Abstract:This study was motivated by privacy leakage existing in Android applications.Therefore,a privacy leakage detecting method based on dynamic taint analysis was proposed.We first added taint mark to user privacy data through Android framework source code instrumentation.Moreover,we modified execution engine (Dalvik virtual machine) of Android application to ensure that the taint mark can accurately be traced during the execution of the program.When data moves,dynamic taint analysis will check whether or not the taint marks is private data,which makes those applications more transparent.Thus,our approach can effectively detect user privacy leakage,so as to protect the user privacy.

YANG Guang-liang,GONG Xiao-rui,YAO Gang,HAN Xin-hui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.23.001

2012-01-01

Abstract:To detect user’s privacy leakage in Android software,this paper proposes an automated detection system based on dynamic taint tracking,called TaintChaser.TaintChaser can detect behaviors of user’s data leakage in Android applications under test at a fine granularity,and the system also can analyze and test massive Android software in the automatic way.It uses TaintChaser to automatically analyze 28 369 popular Android applications and finds that 24.69% of them may leak user’s privacy.

Xu JIANG,Chang-sheng ZHANG,Da-meng DAI,Jing RUAN,De-jun MU

DOI: https://doi.org/10.3785/j.issn.1008-973X.2016.12.016

2016-01-01

Abstract:A multi-level detection method based on semi-lattice data flow analysis was proposed in order to solve the problem of Android privacy data leakage .For the applications without root privilege ,the fine-grained range of source functions was determined that generated privacy data and sink functions that leaked them ,according to the permissions for the application .If the source functions and the sink functions existed in the same application ,the detection system began to analyze data flow .When the two kinds of functions located in different components , the method could transform inter-component communication (ICC ) problem into inter-procedural distributive environment (IDE ) problem . Results show that the proposed method can detect the privacy data leakage not only for communication in the same component , but also for communication between different components .The accuracy of the proposed method reaches 91 .5% ,which can significantly save detection time compared with other state-of-the-art methods under the condition of similar precision and recall rate .

Yuhong Nan,Zhemin Yang,Xiaofeng Wang,Yuan Zhang,Donglai Zhu,Min Yang

DOI: https://doi.org/10.14722/ndss.2018.23092

2018-01-01

Abstract:A long-standing challenge in analyzing information leaks within mobile apps is to automatically identify the code operating on sensitive data. With all existing solutions relying on System APIs (e.g., IMEI, GPS location) or features of user interfaces (UI), the content from app servers, like user’s Facebook profile, payment history, fall through the crack. Finding such content is important given the fact that most apps today are web applications, whose critical data are often on the server side. In the meantime, operations on the data within mobile apps are often hard to capture, since all server-side information is delivered to the app in the same way, sensitive or not. A unique observation of our research is that in modern apps, a program is essentially a semantics-rich documentation carrying meaningful program elements such as method names, variables and constants that reveal the sensitive data involved, even when the program is under moderate obfuscation. Leveraging this observation, we develop a novel semantics-driven solution for automatic discovery of sensitive user data, including those from the server side. Our approach utilizes natural language processing (NLP) to automatically locate the program elements (variables, methods, etc.) of interest, and then performs a learning-based program structure analysis to accurately identify those indeed carrying sensitive content. Using this new technique, we analyzed 445,668 popular apps, an unprecedented scale for this type of research. Our work brings to light the pervasiveness of information leaks, and the channels through which the leaks happen, including unintentional over-sharing across libraries and aggressive data acquisition behaviors. Further we found that many high-profile apps and libraries are involved in such leaks. Our findings contribute to a better understanding of the privacy risk in mobile apps and also highlight the importance of data protection in today’s software composition.

Tao Liu,Zhushou Tang,Beijun Shen

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.03.070

2015-01-01

Abstract:When Android becomes the smartphone operating system with largest global market share,the malicious applications is booming on its platform.In particular,privacy leak problems in Android applications are getting worsening.With the development of technology,the concealment of privacy leaks in Android applications grows high increasingly,and its detection becomes more and more difficult as well,for instance,using reflection technique to hide the privacy leak operations.Facing such challenge,in this paper we detect and analyse the pseu-do-code of Android applications and propose a new analysis approach for detecting the reflection callings occurring in pseudo-code.Through re-constructing the reflection calling’s arguments and restoring it to the standard calling,we make the reflection calling explicit,so that those privacy leak behaviours which cannot be found and confirmed previously are detected.Based on this work,we design and implement a static detection tool for Android applications privacy leak.At last,the effectiveness of the proposed approach and tool is validated by the experi-ments and analyses on benign applications from Android market and the malicious applications collected from Internet.

Li Li,kevin allix,daoyuan li,alexandre bartel,Tegawendé F. Bissyandé,jacques klein

DOI: https://doi.org/10.1109/QRS.2015.36

2015-01-01

Abstract:We discuss the capability of a new feature set for malware detection based on potential component leaks (PCLs). PCLs are defined as sensitive data-flows that involve Android inter-component communications. We show that PCLs are common in Android apps and that malicious applications indeed manipulate significantly more PCLs than benign apps. Then, we evaluate a machine learning-based approach relying on PCLs. Experimental validations show high performance for identifying malware, demonstrating that PCLs can be used for discriminating malicious apps from benign apps.

Qian Luo,Yinbo Yu,Jiajia Liu,Abderrahim Benslimane

DOI: https://doi.org/10.1109/JIOT.2021.3109785

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:While providing significant convenience for people, mobile applications (Apps) bring serious privacy leakage and invasion threats over certain platforms (e.g., Android) due to privacy violations. To protect users from these threats, a lot of works related to privacy violation detection have been proposed. However, few of them particularly check the violations, including lacking privacy policy, collecting privacy before statement, lacking account cancelation service, and stubborn permission request. Toward this end, we design an automatic detection tool named PVDetector to detect these violations in Android Apps. We extract and construct relevant threat forms by statically and dynamically analyzing Apps' behaviors, and then fine tune these forms through threat-form-matching methods on problematic Apps. Finally, a comprehensive experiment is conducted to detect privacy violations on different Android application markets by PVDetector. Specifically, we detect 16 162 Android Apps (involving people's various aspects of life) collected from six popular official application markets and three special categories. The experiment results indicate that the situation that Apps contain privacy violations is greatly serious in these markets and categories. We also randomly check the experiment results of 385 Apps. The check results illustrate that the detection accuracy of PVDetector can reach 93%.

Guangwu Hu,Bin Zhang,Xi Xiao,Weizhe Zhang,Long Liao,Ying Zhou,Xia Yan

DOI: https://doi.org/10.3390/e23111489

2021-11-10

Abstract:Insecure applications (apps) are increasingly used to steal users' location information for illegal purposes, which has aroused great concern in recent years. Although the existing methods, i.e., static and dynamic taint analysis, have shown great merit for identifying such apps, which mainly rely on statically analyzing source code or dynamically monitoring the location data flow, identification accuracy is still under research, since the analysis results contain a certain false positive or true negative rate. In order to improve the accuracy and reduce the misjudging rate in the process of vetting suspicious apps, this paper proposes SAMLDroid, a combined method of static code analysis and machine learning for identifying Android apps with location privacy leakage, which can effectively improve the identification rate compared with existing methods. SAMLDroid first uses static analysis to scrutinize source code to investigate apps with location acquiring intentions. Then it exploits a well-trained classifier and integrates an app's multiple features to dynamically analyze the pattern and deliver the final verdict about the app's property. Finally, it is proved by conducting experiments, that the accuracy rate of SAMLDroid is up to 98.4%, which is nearly 20% higher than Apparecium.

Zhao-guo WANG,Cheng-long LI,Luo-shi ZHANG,Ji-bao ZHANG,Yi GUAN,Yi-bo XUE

DOI: https://doi.org/10.3969/j.issn.0372-2112.2015.09.011

2015-01-01

Abstract:The increasing presence of Android privacy leakages poses a significant privacy risk for Android smartphone users.This paper proposes a privacy leakage detection method based on behavior chain,which can achieve the fine-grained location of the source and points of the information leakage.With the WxShall algorithm,we can calculate the accessibility between the leak-age source and leakage points,and detect the transfer path of privacy in Android applications.The detections of 1259 Android appli-cations show that the accuracy of this algorithm reaches 95.1% and the complexity accounts for 5.45% of WarShall algorithm.The results of the experiments demonstrate that the method is better than Androgurad and Kirin.

Zhemin Yang,Min Yang

DOI: https://doi.org/10.1109/WCSE.2012.26

2012-01-01

Software Engineering

Abstract:With the growing popularity of Android platform, Android application market becomes a major distribution center where Android users download apps. Unlike most of the PC apps, Android apps manipulates personal information such as contract and SMS messages, and leakage of such information may cause great loss to the Android users. Thus, detecting information leakage on Android is in urgent need. However, till now, there is still no complete vetting process applied to Android markets. State-of-the-art approaches for detecting Android information leakage apply dynamic analysis on user site, thus they introduce large runtime overhead to the Android apps. This paper proposes a new approach called Leak Miner, which detects leakage of sensitive information on Android with static taint analysis. Unlike dynamic approaches, Leak Miner analyzes Android apps on market site. Thus, it does not introduce runtime overhead to normal execution of target apps. Besides, Leak Miner can detect information leakage before apps are distributed to users, so malicious apps can be removed from market before users download them. Our evaluation result shows that Leak Miner can detect 145 true information leakages inside a 1750 app set.

Jianjun Huang,Xiangyu Zhang,Lin Tan,Peng Wang,Bin Liang

DOI: https://doi.org/10.1145/2568225.2568301

2014-01-01

Abstract:Android smartphones are becoming increasingly popular. The open nature of Android allows users to install miscellaneous applications, including the malicious ones, from third-party marketplaces without rigorous sanity checks. A large portion of existing malwares perform stealthy operations such as sending short messages, making phone calls and HTTP connections, and installing additional malicious components. In this paper, we propose a novel technique to detect such stealthy behavior. We model stealthy behavior as the program behavior that mismatches with user interface, which denotes the user's expectation of program behavior. We use static program analysis to attribute a top level function that is usually a user interaction function with the behavior it performs. Then we analyze the text extracted from the user interface component associated with the top level function. Semantic mismatch of the two indicates stealthy behavior. To evaluate AsDroid, we download a pool of 182 apps that are potentially problematic by looking at their permissions. Among the 182 apps, AsDroid reports stealthy behaviors in 113 apps, with 28 false positives and 11 false negatives.

Songyang Wu,Yong Zhang,Bo Jin,Wei Cao

DOI: https://doi.org/10.1109/icct.2017.8359970

2017-01-01

Abstract:The permission model is an essential Android mechanism for resisting security threats: android malware can do very little if the user denies its requests for permissions. However, the recent literatures show that certain vulnerable applications with insufficiently enforced privileges may lead to critical permissions leakage via inter-application interaction. Malicious applications can trick these vulnerable applications to perform actions that are beyond their given privileges. This study proposes an efficient approach for the analysis of permission leakage vulnerabilities in Android inter-process communications; this approach identifies suspicious vulnerable paths based on an analysis of control-flow and dataflow. We handle the unsafe control flows over inter-component communication and asynchronous calls through Android callbacks, which is the major difference from previous related studies. The proposed system was evaluated using 550 real-world Android applications and the experiment result demonstrated the practicality of our method.

Mingyuan Xia,Lu Gong,Yuanhao Lyu,Zhengwei Qi,Xue Liu

DOI: https://doi.org/10.1109/sp.2015.60

2015-01-01

Abstract:Mobile applications can access both sensitive personal data and the network, giving rise to threats of data leaks. App auditing is a fundamental program analysis task to reveal such leaks. Currently, static analysis is the de facto technique which exhaustively examines all data flows and pinpoints problematic ones. However, static analysis generates false alarms for being over-estimated and requires minutes or even hours to examine a real app. These shortcomings greatly limit the usability of automatic app auditing.To overcome these limitations, we design AppAudit that relies on the synergy of static and dynamic analysis to provide effective real-time app auditing. AppAudit embodies a novel dynamic analysis that can simulate the execution of part of the program and perform customized checks at each program state. AppAudit utilizes this to prune false positives of an efficient but over-estimating static analysis. Overall, AppAudit makes app auditing useful for app market operators, app developers and mobile end users, to reveal data leaks effectively and efficiently.We apply AppAudit to more than 1,000 known malware and 400 real apps from various markets. Overall, AppAudit reports comparative number of true data leaks and eliminates all false positives, while being 8.3x faster and using 90% less memory compared to existing approaches. AppAudit also uncovers 30 data leaks in real apps. Our further study reveals the common patterns behind these leaks: 1) most leaks are caused by 3rd-party advertising modules; 2) most data are leaked with simple unencrypted HTTP requests. We believe AppAudit serves as an effective tool to identify data-leaking apps and provides implications to design promising runtime techniques against data leaks.

Xiaoyu Sun,Xiao Chen,Li Li,Haipeng Cai,John Grundy,Jordan Samhi,Tegawendé F. Bissyandé,Jacques Klein

DOI: https://doi.org/10.48550/arXiv.2210.10997

2022-10-20

Abstract:Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed anti-analysis code snippets aiming at evading detection by dynamic analysis. We further experimentally show that, with FlowDroid, some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by the state of the art static analyzers, or by dynamic tools. Overall, by putting the light on hidden sensitive operations, HiSenDroid helps security analysts in validating potential sensitive data operations, which would be previously unnoticed.

Cryptography and Security,Software Engineering

Qiwei Jia,Lu Zhou,Huaxin Li,Ruoxu Yang,Suguo Du,Haojin Zhu

DOI: https://doi.org/10.1007/978-3-030-23597-0_11

2019-01-01

Abstract:The APPs running on smart devices have greatly enriched people's lives. However, they are collecting personally identifiable information (PII) secretly. The unrestricted collection, processing and unsafe transmission of PII will result in the disclosure of privacy, which cause losses to users. With the advent of laws and regulations about data privacy such as GDPR, the major APP vendors have become more and more cautious about collecting PII. However, the researches on detecting privacy leakage under GDPR framework still receive less attention. In this paper, we analyze the clauses of GDPR about privacy processing and propose a method for PII leakage detection based on Association Mining. This method assists us to find many hidden privacy leakages in traffic data. Moreover, we design and implement an automated system to detect whether the traffic data sent by the APPs reveals users' PII. We have tested 509 APPs of different categories in the Google Play Store. The result shows that 76.23% of the APPs would collect and transmit PII insecurely and 34.06% of them would send PII to third parties.

Yunhao Liu,Xiaohong Li,Zhiyong Feng,Jianye Hao

DOI: https://doi.org/10.1007/978-3-319-68690-5_19

2017-01-01

Abstract:Android applications can leak sensitive information through collusion, which gives the smartphone users a great security risk. We propose an Android collusion attack detection method based on control flow and data flow analysis. This method gives analysis of data propagation between different applications firstly. And then, a multi-apps program slice model based on both data and control flow are given. Last, the privacy data leakage paths of multi-apps are computed by reaching-definition analysis. Meanwhile, the criterions of mobile device information leakage edge are redefined according to the correlation of mobile devices. Based on the above principle, we implemented an Android collusion attack sensitive information leakage detection tools called CollusionDetector. Case study is carried out for typical collusion attack scenarios and it can obtain better results than existing tools and methods. Experiments show that the analysis of control flow can more accurately find the path of privacy propagation, and more effectively to identify collusion attacks.