Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Weili Han,Chang Cao,Hao Chen,Dong Li,Zheran Fang,Wenyuan Xu,X. Sean Wang

DOI: https://doi.org/10.1109/tdsc.2017.2768536

2020-01-01

Abstract:Sensors are widely used in modern mobile devices (e.g., smartphones, watches) and may gather abundant information from environments as well as about users, e.g., photos, sounds and locations. The rich set of sensor data enables various applications (e.g., health monitoring) and personalized apps as well. However, the powerful sensing abilities provide opportunities for attackers to steal both personal sensitive data and commercial secrets like never before. Unfortunately, the current design of smart devices only provides a coarse access control on sensors and does not have the capability to audit sensing. We argue that knowing how often the sensors are accessed and how much sensor data are collected is the first-line defense against sensor data breach. Such an ability is yet to be designed. In this paper, we propose a framework that allows users to acquire sensor data usages. In particular, we leverage a hook-based track method to track sensor accesses. Thus, with no need to change the source codes of the Android system and applications, we can intercept sensing operations to graphic sensors, audio sensors, location sensors, and standard sensors, and audit them from four aspects: flow audit, frequency audit, duration audit and invoker audit. Then, we implement a prototype, referred to as senDroid, which visually shows the quantitative usages of these sensors in real time at a performance overhead of [0.04-8.05] percent. senDroid allows Android users to audit the applications even when they bypass the Android framework via JNI invocations or when the malicious codes are dynamically loaded from the server side. Our empirical study on 1,489 popular apps in three well-known Android app markets shows that 26.32 percent apps access sensors when the apps are launched, and 11.01 percent apps access sensors while the apps run in the background. Furthermore, we analyze the relevance between sensor usage patterns and third-party libraries, and reverse-engineering on suspicious third-party libraries shows that 77.27 percent apps access sensors via third-party libraries. Our results call attentions to address the users' privacy concerns caused by sensor access.

Mike Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2011-01-01

Abstract:Recent years have witnessed increased popularity and adoption of smartphones partially due to the functionalities and convenience offered to their users (e.g., the ability to run third-party applications). To manage the amount of access given to smartphone applications, Android provides a permission-based security model, which requires each application to explicitly request permissions before it can be installed to run. In this paper, we systematically analyze eight flagship Android smartphones from leading manufacturers, including HTC, Motorola, and Samsung and found out that the stock phone images do not properly enforce the permission model. Several privileged permissions that protect the access to sensitive user data and dangerous features on the phones are unsafely exposed to other applications which do not need to request them for the actual use, a security violation termed capability leak in this paper. To facilitate identifying these capability leaks, we take a static analysis approach and have accordingly developed a system called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting these leaked capabilities, an untrusted application can manage to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations on the affected phones – all without the need of asking for any permission.

Michael C. Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2012-01-01

Abstract:Recent years have witnessed a meteoric increase in the adoption of smartphones. To manage information and features on such phones, Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run. In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.

Hao Zhou,Haoyu Wang,Yajin Zhou,Xiapu Luo,Yutian Tang,Lei Xue,Ting Wang

DOI: https://doi.org/10.1145/3324884.3416637

2020-01-01

Abstract:Smartphone vendors are using multiple methods to kill processes of Android apps to reduce the battery consumption. This motivates developers to find ways to extend the liveness time of their apps, hence the name diehard apps in this paper. Although there are blogs and articles illustrating methods to achieve this purpose, there is no systematic research about them. What's more important, little is known about the prevalence of diehard apps in the wild. In this paper, we take a first step to systematically investigate diehard apps by answering the following research questions. First, why and how can they circumvent the resource-saving mechanisms of Android? Second, how prevalent are they in the wild? In particular, we conduct a semi -automated analysis to illustrate insights why existing methods to kill app processes could be evaded, and then systematically present 12 diehard methods. After that, we develop a system named DiehardDetector to detect diehard apps in a large scale. The experimental result of applying DiehardDetector to more than 80k Android apps downloaded from Google Play showed that around 21 % of apps adopt various diehard methods. Moreover, our system can achieve high precision and recall.

Zhuo Chen,Jie Liu,Yuxia Hu,Lei Wu,Yajin Zhou,Xianhao Liao,Ke Wang

DOI: https://doi.org/10.48550/arxiv.2209.01317

2022-01-01

Abstract:This paper focuses on mobile apps serving the underground economy by providing illegal services in the mobile system (e.g., gambling, porn, scam). These apps are named as underground economy apps, or UEware for short. As most UEware do not have malicious payloads, traditional malware detection approaches are ineffective to perform the detection. To address this problem, we propose a novel approach to effectively and efficiently detect UEware by considering the transition orders of the user interfaces (UIs), which determine the usage scenarios of these apps. Based on the proposed approach, we design a system named DeUEDroid to detect the UEware via scene graph. To evaluate DeUEDroid, we collect 26, 591 apps to evaluate DeUEDroid and build up the first large-scale ground-truth UEware dataset (1, 720 underground economy apps and 831 legitimate apps). The evaluation result shows that DeUEDroid can construct scene graph accurately, and achieve the accuracy scores of 77.70% on the five-classification task (i.e., gambling game, porn, financial scam, miscellaneous, and legitimate apps), reaching obvious improvements over the SOTA approaches. Running further on 24, 017 apps, DeUEDroid performs well in the real-world scenario to mitigate the threat. Specifically, by using DeUEDroid, we found that UEware are prevalent, i.e., 61% apps in the wild and 21% apps in the app stores are UEware (with over 72% accuracy after the manual investigation). We will release our dataset and system to engage the community after been accepted.

Ma Jun,Liu Sheng,Yue Shengtao,Tao Xianping,Lu Jian

DOI: https://doi.org/10.1109/compsac.2017.161

2017-01-01

Abstract:Memory leak, one of the most common problems threatening android apps, might drain the limited memory of mobile devices, cause unexpected delays, no-responses or even crashes to apps. Activity/Fragment Leak is one of the most common and serious causes of memory leaks and has a vast influence on the Android app market. Existing work to identify leaked activities/fragments either depend highly on the experience of developers, or require app's source code and manual interactions. In this paper, we propose an automatic tool named LeakDAF for detecting leaked activities/fragments automatically without manual intervention. LeakDAF makes use of UI testing technique to execute automatically the app under test, and applies memory analysis technique to inspect dumped heap files to identify leaked activities and fragments based on Android's mechanisms for managing them. To evaluate the effectiveness of LeakDAF, we successfully applied it to 35 open source and 64 commercial apps, and we detected at least one leaked activity or fragment for 10 open source apps and 35 commercial apps.

Yajin Zhou,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2766498.2766499

2015-01-01

Abstract:ABSTRACTDevelopers often integrate third-party services into their apps. To access a service, an app must authenticate itself to the service with a credential. However, credentials in apps are often not properly or adequately protected, and might be easily extracted by attackers. A leaked credential could pose serious privacy and security threats to both the app developer and app users. In this paper, we propose CredMiner to systematically study the prevalence of unsafe developer credential uses in Android apps. CredMiner can programmatically identify and recover (obfuscated) developer credentials unsafely embedded in Android apps. Specifically, it leverages data flow analysis to identify the raw form of the embedded credential, and selectively executes the part of the program that builds the credential to recover it. We applied CredMiner to 36,561 apps collected from various Android markets to study the use of free email services and Amazon AWS. There were 237 and 196 apps that used these two services, respectively. CredMiner discovered that 51.5% (121/237) and 67.3% (132/196) of them were vulnerable. In total, CredMiner recovered 302 unique email login credentials and 58 unique Amazon AWS credentials, and verified that 252 and 28 of these credentials were still valid at the time of the experiments, respectively.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Xiaoyu Sun,Xiao Chen,Kui Liu,Sheng Wen,Li Li,John Grundy

DOI: https://doi.org/10.1109/issre52982.2021.00058

2021-10-01

Abstract:While extremely valuable to achieve advanced functions, mobile phone sensors can be abused by attackers to implement malicious activities in Android apps, as experimentally demonstrated by many state-of-the-art studies. There is hence a strong need to regulate the usage of mobile sensors so as to keep them from being exploited by malicious attackers. However, despite the fact that various efforts have been put in achieving this, i.e., detecting privacy leaks in Android apps, we have not yet found approaches to automatically detect sensor leaks in Android apps. To fill the gap, we designed and implemented a novel prototype tool, Seeker, that extends the famous FlowDroid tool to detect sensor-based data leaks in Android apps. Seeker conducts sensor-focused static taint analyses directly on the Android apps' bytecode and reports not only sensor-triggered privacy leaks but also the sensor types involved in the leaks. Experimental results using over 40,000 real-world Android apps show that Seeker is effective in detecting sensor leaks in Android apps, and malicious apps are more interested in leaking sensor data than benign apps.

Yepang Liu,Jue Wang,Lili Wei,Chang Xu,Shing-Chi Cheung,Tianyong Wu,Jun Yan,Jian Zhang

DOI: https://doi.org/10.1007/s10664-019-09715-8

IF: 3.762

2019-01-01

Empirical Software Engineering

Abstract:Resource leaks in Android apps are pervasive. They can cause serious performance degradation and system crashes. In recent years, many resource leak detection techniques have been proposed to help Android developers correctly manage system resources. Yet, there exist no common databases of real-world bugs for effectively comparing such techniques to understand their strengths and limitations. This paper describes our effort towards constructing such a bug database named DroidLeaks. To extract real resource leak bugs, we mined 124,215 code revisions of 34 popular open-source Android apps. After automated filtering and manual validation, we successfully found 292 fixed resource leak bugs, which cover a diverse set of resource classes, from 32 analyzed apps. To understand these bugs, we conducted an empirical study, which revealed the characteristics of resource leaks in Android apps and common patterns of resource management mistakes made by developers. To further demonstrate the usefulness of our work, we evaluated eight resource leak detectors from both academia and industry on DroidLeaks and performed a detailed analysis of their performance. We release DroidLeaks for public access to support future research.

Zhemin Yang,Min Yang

DOI: https://doi.org/10.1109/WCSE.2012.26

2012-01-01

Software Engineering

Abstract:With the growing popularity of Android platform, Android application market becomes a major distribution center where Android users download apps. Unlike most of the PC apps, Android apps manipulates personal information such as contract and SMS messages, and leakage of such information may cause great loss to the Android users. Thus, detecting information leakage on Android is in urgent need. However, till now, there is still no complete vetting process applied to Android markets. State-of-the-art approaches for detecting Android information leakage apply dynamic analysis on user site, thus they introduce large runtime overhead to the Android apps. This paper proposes a new approach called Leak Miner, which detects leakage of sensitive information on Android with static taint analysis. Unlike dynamic approaches, Leak Miner analyzes Android apps on market site. Thus, it does not introduce runtime overhead to normal execution of target apps. Besides, Leak Miner can detect information leakage before apps are distributed to users, so malicious apps can be removed from market before users download them. Our evaluation result shows that Leak Miner can detect 145 true information leakages inside a 1750 app set.

Yepang Liu,Lili Wei,Chang Xu,Shing-Chi Cheung

DOI: https://doi.org/10.48550/arXiv.1611.08079

2016-11-24

Software Engineering

Abstract:Resource leak bugs in Android apps are pervasive and can cause serious performance degradation and system crashes. In recent years, several resource leak detection techniques have been proposed to assist Android developers in correctly managing system resources. Yet, there exist no common bug benchmarks for effectively and reliably comparing such techniques and quantitatively evaluating their strengths and weaknesses. This paper describes our initial contribution towards constructing such a benchmark. To locate real resource leak bugs, we mined 124,215 code revisions of 34 large-scale open-source Android apps. We successfully found 298 fixed resource leaks, which cover a diverse set of resource classes, from 32 out of the 34 apps. To understand the characteristics of these bugs, we conducted an empirical study, which revealed the root causes of frequent resource leaks in Android apps and common patterns of faults made by developers. With our findings, we further implemented a static checker to detect a common pattern of resource leaks in Android apps. Experiments showed that the checker can effectively locate real resource leaks in popular Android apps, confirming the usefulness of our work.

Yufei Yang,Wenbo Luo,Yu Pei,Minxue Pan,Tian Zhang

DOI: https://doi.org/10.1109/compsac.2019.00029

2019-01-01

Abstract:Mobile apps often need to collect and/or access sensitive user information to fulfill their purposes, but they may also leak such information either intentionally or accidentally, causing financial and/or emotional damages to users. In the past few years, researchers have developed various techniques to detect privacy leakage in mobile apps, however, such detection remains a challenging task when privacy leakage is implemented via dynamic class loading (DCL). In this work, we propose the DL2 technique that enhances static analysis with dynamic app execution to effectively detect privacy leakage implemented via DCL in Android apps. To evaluate DL2, we construct a benchmark of 88 subject apps with 2578 injected privacy leaks and apply DL2 to the apps. DL 2 was able to detect 1073, or 42%, of the leaks, significantly outperforming existing state-of-the-art privacy leakage detection tools.

Hongyi Chen,Ho-fung Leung,Biao Han,Jinshu Su

DOI: https://doi.org/10.1109/icc.2017.7996335

2017-01-01

Abstract:Android apps frequently leak private data off the device with or without intentions. Researchers have proposed a large number of methods, for example, static and dynamic analysis methods, to pick out the apps which tend to leak private data. However, they are only able to identify part of private data leakage vulnerabilities, due to the dynamic features in codes or code coverage problem. This paper presents a novel hybrid approach that can find out more private data leakages than the existing static or dynamic methods. The approach, realized in a tool, called HybriDroid, which employs both static and dynamic analysis methods to extract the models of each apps, and then refines the behavior model to a more adequate one according to the dynamic analysis result. As a consequence, HybriDroid inherits the advantages of both static and dynamic analysis methods, which not only achieves a high code coverage, but also can deal with the dynamic features in codes. The evaluation results show that HybriDroid is effective in detecting privacy leakages for both inter-and intra-app communication. Comparing with the existing methods, it can achieve considerable improvements in data leakage detection performance with a 97.8% precision and 90% recall on the selected apps from DroidBench 3.0 test suite.

Li Lyna Zhang,Chieh-Jan Mike Liang,Yunxin Liu,Enhong Chen

DOI: https://doi.org/10.1109/ase.2017.8115613

2017-01-01

Abstract:Contrary to popular belief, mobile apps can spend a large fraction of time running "hidden" as background services. And, bugs in services can translate into crashes, energy depletion, device slow-down, etc. Unfortunately, without necessary testing tools, developers can only resort to telemetries from user devices in the wild. To this end, Snowdrop is a testing framework that systematically identifies and automates background services in Android apps. Snowdrop realizes a service-oriented approach that does not assume all inter-component communication messages are explicitly coded in the app bytecode. Furthermore, to improve the completeness of test inputs generated, Snowdrop infers field values by exploiting the similarity in how developers name variables. We evaluate Snowdrop by testing 848 commercially available mobile apps. Empirical results show that Snowdrop can achieve 20.91% more code path coverage than pathwise test input generators, and 64.11% more coverage than random test input generators.

Xiaoyu Sun,Xiao Chen,Li Li,Haipeng Cai,John Grundy,Jordan Samhi,Tegawendé F. Bissyandé,Jacques Klein

DOI: https://doi.org/10.48550/arXiv.2210.10997

2022-10-20

Abstract:Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed anti-analysis code snippets aiming at evading detection by dynamic analysis. We further experimentally show that, with FlowDroid, some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by the state of the art static analyzers, or by dynamic tools. Overall, by putting the light on hidden sensitive operations, HiSenDroid helps security analysts in validating potential sensitive data operations, which would be previously unnoticed.

Cryptography and Security,Software Engineering

YANG Guang-liang,GONG Xiao-rui,YAO Gang,HAN Xin-hui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.23.001

2012-01-01

Abstract:To detect user’s privacy leakage in Android software,this paper proposes an automated detection system based on dynamic taint tracking,called TaintChaser.TaintChaser can detect behaviors of user’s data leakage in Android applications under test at a fine granularity,and the system also can analyze and test massive Android software in the automatic way.It uses TaintChaser to automatically analyze 28 369 popular Android applications and finds that 24.69% of them may leak user’s privacy.

Nai-Wei Lo,Kuo-Hui Yeh,Chuan-Yen Fan

DOI: https://doi.org/10.1109/jsyst.2014.2364202

IF: 4.802

2016-12-01

IEEE Systems Journal

Abstract:How to identify and manage information leakage of user privacy is a very crucial and sensitive topic for handheld mobile device manufacturers, telecommunication companies, and mobile device users. As the success of a financial fraud usually requires possessing a victim's private information, new types of personal identity theft and private information acquirement attack are developed and deployed along with various Apps in order to steal personal private information from mobile device users. With more than 50% of smartphone market share, Android-based mobile phone vendors and Internet service providers have to face the new challenge on user privacy management. In this paper, we present a user privacy analysis framework for an Android platform called LRPdroid. The goals of LRPdroid are to achieve information leakage detection, user privacy disclosure evaluation, and privacy risk assessment for Apps installed on Android-based mobile devices. With a formally defined user privacy model, LRPdroid can effectively support mobile users to manage their own privacy risks on targeted Apps. In addition, new privacy analysis viewpoints such as user perception and leakage awareness are introduced in LRPdroid. Two general App usage scenarios are evaluated with our system prototype to show the feasibility and practicability of the LRPdroid framework on user privacy management.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Shengtao Yue,Weizan Feng,Jun Ma,Yanyan Jiang,Xianping Tao,Chang Xu,Jian Lu

DOI: https://doi.org/10.1109/ICPC.2017.16

2017-01-01

Abstract:In recent years, with the explosive growth of mobile smart phonesnes, the number of Android applications (apps) increases rapidly. Attackers usually leverage the popumobile smart phoneslarity of Android apps by inserting malwares, modifying the original apps, repackaging and releasing them for their own illegal purposes. To avoid repackaged apps from being detected, they usually use sorts of obfuscation and encryption tools. As a result, it's important to detect which apps are repackaged. People often intuitively judge whether two apps are a repackaged pair by executing them and observing their runtime user interface (UI) traces. Hence, we propose layout group graph (LGG) built from UI trances to model those UI behaviors and use LGG as the birthmark of Android apps for identification. Based on LGG, we also implement a dynamic repackaging detection tool, RepDroid. Since our method does not require the apps' source code, it is resilient to app obfuscation and encryption. We conducted an experiment with two data sets. The first set contains 98 pairs of repackaged apps. The original apps and repackaged ones are compared and we can detect all of these repackaged pairs. The second set contains 125 commercial apps. We compared them pair-wisely and the false positive rate was 0.08%.