Xin Zhou,Kaidong Wu,Huaqian Cai,Shuai Lou,Ying Zhang,Gang Huang

DOI: https://doi.org/10.1007/s11432-017-9354-x

2018-01-01

Science China Information Sciences

Abstract:>Dear editor,Android is a popular mobile operating system that is accounted for more than 87%of all smartphone sales in the second quarter of 2017.The number of available apps hosted in Google play store has reached to 3.5 M at the end of 2017 and is still.In developing apps,developers usually use log messages for debugging and diagnosing their apps in order to fix bugs or locate the performance bottlenecks[1,2].At release stage,the logging messages should be muted for security consideration and higher performance.However,

Hao Zhou,Haoyu Wang,Yajin Zhou,Xiapu Luo,Yutian Tang,Lei Xue,Ting Wang

DOI: https://doi.org/10.1145/3324884.3416637

2020-01-01

Abstract:Smartphone vendors are using multiple methods to kill processes of Android apps to reduce the battery consumption. This motivates developers to find ways to extend the liveness time of their apps, hence the name diehard apps in this paper. Although there are blogs and articles illustrating methods to achieve this purpose, there is no systematic research about them. What's more important, little is known about the prevalence of diehard apps in the wild. In this paper, we take a first step to systematically investigate diehard apps by answering the following research questions. First, why and how can they circumvent the resource-saving mechanisms of Android? Second, how prevalent are they in the wild? In particular, we conduct a semi -automated analysis to illustrate insights why existing methods to kill app processes could be evaded, and then systematically present 12 diehard methods. After that, we develop a system named DiehardDetector to detect diehard apps in a large scale. The experimental result of applying DiehardDetector to more than 80k Android apps downloaded from Google Play showed that around 21 % of apps adopt various diehard methods. Moreover, our system can achieve high precision and recall.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Lingfeng Bao,David Lo,Xin Xia,Xinyu Wang,Cong Tian

DOI: https://doi.org/10.1145/2901739.2901748

2016-01-01

Abstract:As Android platform becomes more and more popular, a large amount of Android applications have been developed. When developers design and implement Android applications, power consumption management is an important factor to consider since it affects the usability of the applications. Thus, it is important to help developers adopt proper strategies to manage power consumption. Interestingly, today, there is a large number of Android application repositories made publicly available in sites such as GitHub. These repositories can be mined to help crystalize common power management activities that developers do. These in turn can be used to help other developers to perform similar tasks to improve their own Android applications.In this paper, we present an empirical study of power management commits in Android applications. Our study extends that of Moura et al. who perform an empirical study on energy aware commits; however they do not focus on Android applications and only a few of the commits that they study come from Android applications. Android applications are often different from other applications (e.g., those running on a server) due to the issue of limited battery life and the use of specialized APIs. As subjects of our empirical study, we obtain a list of open source Android applications from F-Droid and crawl their commits from Github. We get 468 power management commits after we filter the commits using a set of keywords and by performing manual analysis. These 468 power management commits are from 154 different Android applications and belong to 15 different application categories. Furthermore, we use open card sort to categorize these power management commits and we obtain 6 groups which correspond to different power management activities. Our study also reveals that for different kinds ofAndroid application (e.g., Games, Connectivity, Navigation, Internet, Phone 6 SMS, Time, etc.), the dominant power management activities differ. For example, the percentage of power management commits belonging to Power Adaptation activity is larger for Navigation applications than those belonging to other categories.

Yutian Tang,Xian Zhan,Hao Zhou,Xiapu Luo,Zhou Xu,Yajin Zhou,Qiben Yan

DOI: https://doi.org/10.1109/ase.2019.00069

2019-01-01

Abstract:Since the performance issues of apps can influence users' experience, developers leverage application performance management (APM) tools to locate the potential performance bottleneck of their apps. Unfortunately, most developers do not understand how APMs monitor their apps during the runtime and whether these APMs have any limitations. In this paper, we demystify APMs by inspecting 25 widely-used APMs that target on Android apps. We first report how these APMs implement 8 key functions as well as their limitations. Then, we conduct a large-scale empirical study on 500,000 Android apps from Google Play to explore the usage of APMs. This study has some interesting observations about existing APMs for Android, including 1) some APMs still use deprecated permissions and approaches so that they may not always work properly; 2) some app developers use APMs to collect users' privacy information.

Wu Zhou,Yajin Zhou,Xuxian Jiang,Peng Ning

DOI: https://doi.org/10.1145/2133601.2133640

2012-01-01

Abstract:Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then simply clicked to install on a variety of mobile devices. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, there is a need for each third-party marketplace to offer quality apps to mobile users. In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing repackaged ones via third-party marketplaces. To better understand the extent of such practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. The experiments with DroidMOSS show a worrisome fact that 5% to 13% of apps hosted on these studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for the need of a rigorous vetting process for better regulation of third-party smartphone application marketplaces.

PENG Zhi-jun,ZHANG Yuan,YANG Min

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.06.016

2013-01-01

Abstract:Compared to the traditional computing platforms,mobile computing platforms usually contain plenty of private information of users.As the increasing popularity of Android and Android Markets,privacy protection on mobile computing platforms has become a growing concern.However,this paper found the existing Android Logging System is vulnerable to the privacy leakage.To detect such security risk,LogMiner is proposed for Android Markets,which is based on static information flow analysis.The experiment results show that 23 of 200 Android applications log the user sensitive data into the Logging System,and prove that some real-world Android applications do have the logging security risk.Finally,this paper gives some advices to improve the existing Android Logging System to get rid of this risk.

Fuqi Lin,Haoyu Wang,Liu Wang,Xuanzhe Liu

DOI: https://doi.org/10.1145/3442381.3449990

2021-01-01

Abstract:ABSTRACTTo improve app quality and nip the potential threats in the bud, modern app markets have released strict guidelines along with app vetting process before app publishing. However, there has been growing evidence showing the ineffectiveness of app vetting, making potentially harmful and policy-violation apps sneak into the market from time to time. Therefore, app removal is a common practice, and market maintainers have to remove undesired apps from the market periodically in a reactive manner. Although a number of reports and news media have mentioned removed apps, our research community still lacks the comprehensive understanding of the landscape of this kind of apps. To fill the void, in this paper, we present a large-scale and longitudinal study of removed apps in iOS app store. We first make great efforts to record daily snapshot of iOS app store continuously in a span of 1.5 years. By comparing each two consecutive snapshots, we have collected the information of over 1 million removed apps with their accurate removed date. This comprehensive dataset enables us to characterize the overall landscape of removed apps. We observe that, although most of the removed apps are low-quality apps (e.g., outdated and abandoned), a number of the removed apps are quite popular. We further investigate the practical reasons leading to the removal of such popular apps, and observe several interesting reasons, including ranking fraud, fake description, and content issues, etc. More importantly, most of these mis-behaviors can be reflected on app meta information including app description, app review, and ASO keywords. It motivates us to design an automated approach to flagging the removed apps. Experiment result suggests that, even without accessing to the bytecode of mobile apps, we can identify the removed apps with good performance (F1=83%). Furthermore, we are able to flag the removed apps in advance as long as their inappropriate behaviors appear in their metadata. We believe our approach can work as a whistle blower that pinpoints policy-violation behaviors timely, which will be quite effective in improving the app maintenance process.

Shaokun Zhang,Hanwen Lei,Yuanpeng Wang,Ding Li,Yao Guo,Xiangqun Chen

DOI: https://doi.org/10.1109/ase56229.2023.00141

2024-01-01

Abstract:The Data Minimization Principle is crucial for protecting individual privacy. However, existing Android runtime permissions do not guarantee this principle. Moreover, the lack of an automatic enforcement mechanism leads to uncertainty as to whether apps strictly comply with this principle. To bridge this gap, we conduct the first systematic empirical study on violations of the Data Minimization Principle and design a new enforcement tool called GUIMind to detect them. GUIMind first utilizes a reinforcement learning model to explore app activities and monitor access to sensitive APIs that require sensitive permissions, and then it leverages an existing tool to detect such violations. We evaluate the performance of GUIMind using 120 real-world Android apps. The results indicate that GUIMind can achieve a detection accuracy of 96.1%, effectively accelerating the empirical study. Our empirical research is mainly focused on the prevalence of violations, the responses of administrators to violations, and the potential factors and characteristics that lead to violations, such as typical violations, app categories, and personal data types. Our study reveals that 83.5% of apps contain at least one privacy violation, with health apps being the most severe. In addition, telephony information is the most commonly leaked personal data type, accounting for 71.1%. Finally, we randomly selected 60 non-compliant apps for reporting to the administrator, whose responses confirm the effectiveness of our approach.

Shuai Li,Zhemin Yang,Nan Hua,Peng Liu,Xiaohan Zhang,Guangliang Yang,Min Yang

DOI: https://doi.org/10.1145/3548606.3559371

2022-01-01

Abstract:ABSTRACTRecent years have witnessed the interesting trend that modern mobile apps perform more and more likely as user-to-user platforms, where app users can be freely and conveniently connected. Upon these platforms, rich and diverse data is often delivered across users, which brings users great conveniences and plentiful services, but also introduces privacy security concerns. While prior work has primarily studied illegitimate personal data collection problems in mobile apps, few paid little attention to the security of this emerging user-to-user platform feature, thus providing a rather limited understanding of the privacy risks in this aspect. In this paper, we focus on the security of the user-to-user platform feature and shed light on its caused insufficiently-studied but critical privacy risk, which is brought forward by cross-user personal data over-delivery (denoted as XPO). For the first time, this paper reveals the landscape of such XPO risk in wild, along with prevalence and severity assessment. To achieve this, we design a novel automated risk detection framework, named XPOChecker, that leverages the advantages of machine learning and program analysis to extensively and precisely identify potential privacy risks during user-to-user connections, and regulate whether the delivered data is legitimate or not. By applying XPOChecker on 13,820 real-world popular Android apps, we find that XPO is prevalent in practice, with 1,902 apps (13.76%) being affected. In addition to the mere exposure of diverse private user data which causes serious and broad privacy infringement, we demonstrate that the XPO exploits can invalidate privacy preservation mechanisms, leak business secrets, and even restore the sensitive membership of victims which potentially poses personal safety threats. Furthermore, we also confirm the existence of XPO risks in iOS apps for the first time. Last, to help understand and prevent XPO, we have responsibly launched two notification campaigns to inform the developers of the affected apps, with the conclusion of five underlying lessons from developers' feedback. We hope our work can make up for the deficiency of the understandings of XPO, help developers avoid XPO, and motivate further researches.

Zhaoyi Meng,Yan Xiong,Wenchao Huang,Fuyou Miao,Jianmeng Huang

DOI: https://doi.org/10.1109/tifs.2020.3044867

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Android users are now suffering severe threats from unwanted behaviors of various apps. The analysis of apps' audit logs is one of the essential methods for the security analysts of various companies to unveil the underlying maliciousness within apps. We propose and implement AppAngio, a novel system that reveals contextual information in Android app behaviors by API-level audit logs. Our goal is to help security analysts understand how the target apps worked and facilitate the identification of the maliciousness within apps. The key module of AppAngio is identifying the path matched with the logs on the app's control-flow graphs (CFGs). The challenge, however, is that the limited-quantity logs may incur high computational complexity in the log matching, where there are a large number of candidates caused by the coupling relation of successive logs. To address the challenge, we propose a divide and conquer strategy that precisely positions the nodes matched with log records on the corresponding CFGs and connects the nodes with as few backtracks as possible. Our experiments show that AppAngio reveals contextual information of behaviors in real-world apps. Moreover, the revealed results assist the analysts in identifying the maliciousness of app behaviors and complement existing analysis schemes. Meanwhile, AppAngio incurs negligible performance overhead on the real device in the experiments.

computer science, theory & methods,engineering, electrical & electronic

Qinge Xie,Qingyuan Gong,Xinlei He,Yang Chen,Xin Wang,Haitao Zheng,Ben Y. Zhao,Heather Zheng,Ben Zhao

DOI: https://doi.org/10.1109/tmc.2021.3088121

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Despite continuous efforts to build and update mobile network infrastructure, mobile devices in developing regions continue to be constrained by limited bandwidth. Unfortunately, this coincides with a period of unprecedented growth in the sizes of mobile applications. Thus it is becoming prohibitively expensive for users in developing regions to download and update mobile apps critical to their economic and educational development. Unchecked, these trends can further contribute to a large and growing global digital divide. Our goal is to better understand the source of this rapid growth in mobile app code size, whether it is reflective of new functionality, and identify steps that can be taken to make existing mobile apps more friendly to bandwidth constrained mobile networks. We hypothesize that much of this growth in mobile apps is due to poor resource/code management, and do not reflect proportional increases in functionality. Our hypothesis is partially validated by mini-programs, apps with extremely small footprints gaining popularity in Chinese mobile platforms. Here, we use functionally equivalent pairs of mini-programs and Android apps to identify potential sources of "bloat," i.e., inefficient uses of code or resources that contribute to large package sizes. We analyze a large sample of popular Android apps and quantify instances of code and resource bloat. We develop techniques for automated code and resource trimming, and successfully validate them on a large set of Android apps. We hope our results will lead to continued efforts to streamline mobile apps, making them easier to access and maintain for users in developing regions.

computer science, information systems,telecommunications

Shuaifu Dai,Tao Wei,Wei Zou

2012-01-01

Abstract:As the mobile devices increased rapidly in recent years, mobile malware is becoming a severe threat to users. Traditional malware detection uses signature-based methods, but these methods can be evaded by obfuscation or polymorphism. So the behavior-based detection techniques were proposed recently. To capture the apps' behavior, previous works either use OS level tool such as strace to capture system call, or intercept high level API by modifying the virtual machine. However, the information retrieved from the former method is too difficult to understand the program's behavior, and the technique used in latter method requires to modify the emulator, which it is not compatible when the Android version upgrade. In this paper, we proposed a new light-weight method to understand the applications' behavior by logging program's API and corresponding arguments. We build the logging system DroidLogger, which instruments the logging code into the application binary, and prints out the API usage information at run time. We analyzed several malware and show DroidLogger can reveal the malicious behavior effectively.

tao jin,weidong liu,jiaxing song

DOI: https://doi.org/10.1007/978-3-642-55038-6_33

2014-01-01

Abstract:Google Android allows developers to easily distribute their applications by the various software marketplaces and end users to readily install them. However, without strict inspection and audit, some serious security concerns are inevitable such as the abuse of permissions. The existing security mechanism in Android cannot differentiate between the actually useful permissions and the unused permissions. In this paper, we present a reinforced Android framework model which is capable of purifying permissions automatically according to actual operations at runtime and supporting users to selectively customize the actual useful permissions of applications by imposing fine-grained constraints on the usage of resources. Experimental results show the automatic process can slim third-party applications efficiently.

Saad Sajid Hashmi,Nazar Waheed,Gioacchino Tangari,Muhammad Ikram,Stephen Smith

DOI: https://doi.org/10.48550/arXiv.2106.10035

2021-07-28

Abstract:Contemporary mobile applications (apps) are designed to track, use, and share users' data, often without their consent, which results in potential privacy and transparency issues. To investigate whether mobile apps have always been (non-)transparent regarding how they collect information about users, we perform a longitudinal analysis of the historical versions of 268 Android apps. These apps comprise 5,240 app releases or versions between 2008 and 2016. We detect inconsistencies between apps' behaviors and the stated use of data collection in privacy policies to reveal compliance issues. We utilize machine learning techniques for the classification of the privacy policy text to identify the purported practices that collect and/or share users' personal information, such as phone numbers and email addresses. We then uncover the data leaks of an app through static and dynamic analysis. Over time, our results show a steady increase in the number of apps' data collection practices that are undisclosed in the privacy policies. This behavior is particularly troubling since privacy policy is the primary tool for describing the app's privacy protection practices. We find that newer versions of the apps are likely to be more non-compliant than their preceding versions. The discrepancies between the purported and the actual data practices show that privacy policies are often incoherent with the apps' behaviors, thus defying the 'notice and choice' principle when users install apps.

Cryptography and Security

Huoran Li,Wei Ai,Xuanzhe Liu,Qiaozhu Mei,Feng Feng

DOI: https://doi.org/10.1145/2740908.2742771

2015-01-01

Abstract:Smartphone users adopt an increasing number of mobile applications (a.k.a., apps) in the recent years. Investigating how people manage mobile apps in their everyday lives creates a unique opportunity to understand the behaviors and preferences of mobile users. Existing literature provides very limited understanding about app management activities, due to the lack of user behavioral data at scale. This paper analyzes a very large collection of app management log of the users of a leading Android app marketplace in China. The data set covers one month of detailed activities of how users download, update, and uninstall the apps on their smart devices, involving 8,306,181 anonymized users and 394,661 apps. We characterize how these users manage the apps on their devices and identify behavioral patterns that correlate with users' online ratings of the apps.

Zikan Dong,Hongxuan Liu,Liu Wang,Xiapu Luo,Yao Guo,Guoai Xu,Xusheng Xiao,Haoyu Wang

DOI: https://doi.org/10.1145/3540250.3558969

2022-01-01

Abstract:Commercial Android packers have been widely used by developers as a way to protect their apps from being tampered with. However, app packer is usually provided as an online service developed by security vendors, and the packed apps are well protected. It is thus hard to know what exactly is packed in the app, and few existing studies in the community have systematically analyzed the behaviors of commercial app packers. In this paper, we propose PackDiff, a dynamic analysis system to inspect the fine-grained behaviors of commercial packers. By instrumenting the Android system, PackDiff records the runtime behaviors of Android apps (e.g., Linux system call invocations, Java API calls, Binder interactions, etc.), which are further processed to pinpoint the additional sensitive behaviors introduced by packers. By applying PackDiff to roughly 200 apps protected by seven commercial packers, we observe the disappointing facts of existing commercial packers. Most app packers have introduced unnecessary behaviors (e.g., accessing sensitive data), serious performance and compatibility issues, and they can even be abused to create evasive malware and repackaged apps, which contradicts with their design purposes.

Xiaoyin Liu,Wenzhi Li,Qinsheng Hou,Shishuai Yang,Lingyun Ying,Wenrui Diao,Yanan Li,Shanqing Guo,Hai-Xin Duan

DOI: https://doi.org/10.1145/3589334.3645320

2024-01-01

Abstract:Private browsing is a common feature of web browsers on desktop platforms. This feature protects the privacy of users browsing the Internet and, therefore, is widely welcomed by users. In recent years, with the popularity of smartphones, the private browsing mode has been introduced into mobile browsers. However, its deployment on mobile platforms has not been well evaluated. To bridge the gap, in this work, we systemically studied the private browsing modes of Android browser apps. Specifically, we proposed six private rules for mobile browsers to follow by combining the mobile browsing features with the previous research on private browsing. Furthermore, we designed an automated analysis framework, BroDroid, to detect whether mobile browsers violate these rules. Also, with BroDroid, we evaluated 49 popular browser apps crawled from Google Play. Finally, BroDroid successfully identified 58 violations, some of which come from the promised capabilities of the browser. We reported our discovered issues to the corresponding developers, and four of them (Yandex Browser, Mint Browser, Web Explorer, and Net Fast Web Browser) have acknowledged our findings. Our observation may be the tip of the iceberg, and more efforts should be put into improving the privacy protections of mobile browsers.

Guoping Rong,Shenghui Gu,He Zhang,Dong Shao,Wanggen Liu

DOI: https://doi.org/10.1109/aswec.2018.00031

2018-01-01

Abstract:Background: Logs are the footprints that software systems produce during runtime, which can be used to understand the dynamic behavior of these software systems. To generate logs, logging practice is accepted by developers to place logging statements in the source code of software systems. Compared to the great number of studies on log analysis, the research on logging practice is relatively scarce, which raises a very critical question, i.e. as the original intention, can current logging practice support capturing the behavior of software systems effectively? Aims: To answer this question, we first need to understand how logging practices are implemented these software projects. Method: In this paper, we carried out an empirical study to explore the logging practice in open source software projects so as to establish a basic understanding on how logging practice is applied in real world software projects. The density, log level (what to log?) and context (where to log?) are measured for our study. Results: Based on the evidence we collected in 28 top open source projects, we find the logging practice is adopted highly inconsistently among different developers both across projects and even within one project in terms of the density and log levels of logging statements. However, the choice of what context the logging statements to place is consistent to a fair degree. Conclusion: Both the inconsistency in density and log level and the convergence of context have forced us to question whether it is a reliable means to understand the runtime behavior of software systems via analyzing the logs produced by the current logging practice.

Xuanzhe Liu,Wei Ai,Huoran Li,Jian Tang,Gang Huang,Feng,Qiaozhu Mei

DOI: https://doi.org/10.1145/3015462

2017-01-01

Abstract:App marketplaces host millions of mobile apps that are downloaded billions of times. Investigating how people manage mobile apps in their everyday lives creates a unique opportunity to understand the behavior and preferences of mobile device users, infer the quality of apps, and improve user experience. Existing literature provides very limited knowledge about app management activities, due to the lack of app usage data at scale. This article takes the initiative to analyze a very large app management log collected through a leading Android app marketplace. The dataset covers 5 months of detailed downloading, updating, and uninstallation activities, which involve 17 million anonymized users and 1 million apps. We present a surprising finding that the metrics commonly used to rank apps in app stores do not truly reflect the users’ real attitudes. We then identify behavioral patterns from the app management activities that more accurately indicate user preferences of an app even when no explicit rating is available. A systematic statistical analysis is designed to evaluate machine learning models that are trained to predict user preferences using these behavioral patterns, which features an inverse probability weighting method to correct the selection biases in the training process.