Hao Zhou,Shuohan Wu,Xiapu Luo,Ting Wang,Yajin Zhou,Chao Zhang,Haipeng Cai

DOI: https://doi.org/10.1145/3533767.3534410

2022-01-01

Abstract:More and more Android apps implement their functionalities in native code, so does malware. Although various approaches have been designed to analyze the native code used by apps, they usually generate incomplete and biased results due to their limitations in obtaining and analyzing high-fidelity execution traces and memory data with low overheads. To fill the gap, in this paper, we propose and develop a novel hardware-assisted analyzer for native code in apps. We leverage ETM, a hardware feature of ARM platform, and eBPF, a kernel component of Android system, to collect real execution traces and relevant memory data of target apps, and design new methods to scrutinize native code according to the collected data. To show the unique capability of NCScope, we apply it to four applications that cannot be accomplished by existing tools, including systematic studies on self-protection and anti-analysis mechanisms implemented in native code of apps, analysis of memory corruption in native code, and identification of performance differences between functions in native code. The results uncover that only 26.8% of the analyzed financial apps implement self-protection methods in native code, implying that the security of financial apps is far from expected. Meanwhile, 78.3% of the malicious apps under analysis have anti-analysis behaviors, suggesting that NCScope is very useful to malware analysis. Moreover, NCScope can effectively detect bugs in native code and identify performance differences.

Liang Liu,Tianzhi Ma,Li Li,Yanjie Zhao

DOI: https://doi.org/10.1109/ASE56229.2023.00134

2023-09-11

Abstract:HarmonyOS is an operating system boasting a substantial global user base and provides multiple versions of its SDK. Various open-source applications continue to utilize older versions, leading to compatibility issues arising from system constraints. These prevalent issues can substantially affect the user experience. Although numerous solutions have been suggested for addressing compatibility issues in Android, the subject remains largely unexplored within the context of HarmonyOS. To bridge this gap, we investigate the evolution of APIs in HarmonyOS to pinpoint those potentially causing compatibility issues. Based on these insights, we implement CiD4HMOS, a tool designed to detect and categorize compatibility issues in HarmonyOS. We evaluate the feasibility of CiD4HMOS with open-source apps and subsequently apply it to commercially released apps, highlighting its effectiveness in accurately identifying HarmonyOS compatibility issues. The experimental results uncover that CiD4HMOS is effective in detecting compatibility issues in HarmonyOS apps, achieving an accuracy rate of 86.8 % in open-source apps. And, developers of commercially released apps have significantly endorsed our reports. Our research emphasizes the necessity of continuous exploration into compatibility issues within HarmonyOS, underlining the significant role tools like CiD4HMOS play in enhancing the overall user experience.

Computer Science

Alyaa A Hamza,Islam Tharwat Abdel Halim,Mohamed A Sobh,Ayman M Bahaa-Eldin

DOI: https://doi.org/10.3390/s22031079

2022-01-29

Abstract:Established Internet of Things (IoT) platforms suffer from their inability to determine whether an IoT app is secure or not. A security analysis system (SAS) is a protective shield against any attack that breaks down data privacy and security. Its main task focuses on detecting malware and verifying app behavior. There are many SASs implemented in various IoT applications. Most of them build on utilizing static or dynamic analysis separately. However, the hybrid analysis is the best for obtaining accurate results. The SAS provides an effective outcome according to many criteria related to the analysis process, such as analysis type, characteristics, sensitivity, and analysis techniques. This paper proposes a new hybrid (static and dynamic) SAS based on the model-checking technique and deep learning, called an HSAS-MD analyzer, which focuses on the holistic analysis perspective of IoT apps. It aims to analyze the data of IoT apps by (1) converting the source code of the target applications to the format of a model checker that can deal with it; (2) detecting any abnormal behavior in the IoT application; (3) extracting the main static features from it to be tested and classified using a deep-learning CNN algorithm; (4) verifying app behavior by using the model-checking technique. HSAS-MD gives the best results in detecting malware from malicious smart Things applications compared to other SASs. The experimental results of HSAS-MD show that it provides 95%, 94%, 91%, and 93% for accuracy, precision, recall, and F-measure, respectively. It also gives the best results compared with other analyzers from various criteria.

Fengguo Wei,Xingwei Lin,Xinming Ou,Ting Chen,Xiaosong Zhang

DOI: https://doi.org/10.1145/3243734.3243835

2018-01-01

Abstract:Android allows application developers to use native language (C/C++) to implement a part or the complete program. Recent research and our own statistics show that native payloads are commonly used in both benign and malicious apps. Current state-of-the-art Android static analysis tools, such as Amandroid, FlowDroid, DroidSafe, IccTA, and CHEX avoid handling native method invocation and apply conservative models for their data-flow behavior. None of those tools have capability to capture the inter-language dataflow. We propose a new approach to conduct inter-language dataflow analysis for security vetting of Android apps, and build an analysis framework, called JN-SAF to compute flow and context-sensitive inter-language points-to information in an efficient way. We show that: 1) Precise and efficient inter-language dataflow analysis is completely feasible with support of a summary-based bottom-up dataflow analysis (SBDA) algorithm, 2) A comprehensive model of Java Native Interface (JNI) and Native Development Kit (NDK) for binary analysis is essential as none of the existing binary analysis frameworks is able to handle Android binaries, 3) JN-SAF is capable of capturing inter-language security issues in real-world Android apps as demonstrated by our evaluation result.

Xiaoyu Sun,Xiao Chen,Li Li,Haipeng Cai,John Grundy,Jordan Samhi,Tegawendé F. Bissyandé,Jacques Klein

DOI: https://doi.org/10.48550/arXiv.2210.10997

2022-10-20

Abstract:Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed anti-analysis code snippets aiming at evading detection by dynamic analysis. We further experimentally show that, with FlowDroid, some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by the state of the art static analyzers, or by dynamic tools. Overall, by putting the light on hidden sensitive operations, HiSenDroid helps security analysts in validating potential sensitive data operations, which would be previously unnoticed.

Cryptography and Security,Software Engineering

Li Chen,Hao Sun

DOI: https://doi.org/10.54691/sjt.v5i4.4736

2023-04-20

Abstract:Intelligent security systems is significant to protect properties. An intelligent security system is designed based on Hi3861 chip. The system is developed using Harmony OS. Sensors are used to detect different information like temperature, light intensity, suspicious object and combustible gas. A light supplement led, motor fan, and buzzer are also used for early warning and effective adjustment. After debugging, the system can realize intelligent security.

Computer Science,Engineering

Yupeng Hu,Zhe Jin,Wenjia Li,Yang Xiang,Jiliang Zhang

DOI: https://doi.org/10.48550/arXiv.2006.12831

2020-06-23

Abstract:In this paper, we present the design and implementation of a Systematic Inter-Component Communication Analysis Technology (SIAT) consisting of two key modules: \emph{Monitor} and \emph{Analyzer}. As an extension to the Android operating system at framework layer, the \emph{Monitor} makes the first attempt to revise the taint tag approach named TaintDroid both at method-level and file-level, to migrate it to the app-pair ICC paths identification through systemwide tracing and analysis of taint in intent both at the data flow and control flow. By taking over the taint logs offered by the \emph{Monitor}, the \emph{Analyzer} can build the accurate and integrated ICC models adopted to identify the specific threat models with the detection algorithms and predefined rules. Meanwhile, we employ the models' deflation technology to improve the efficiency of the \emph{Analyzer}. We implement the SIAT with Android Open Source Project and evaluate its performance through extensive experiments on well-known datasets and real-world apps. The experimental results show that, compared to state-of-the-art approaches, the SIAT can achieve about 25\%$\sim$200\% accuracy improvements with 1.0 precision and 0.98 recall at the cost of negligible runtime overhead. Moreover, the SIAT can identify two undisclosed cases of bypassing that prior technologies cannot detect and quite a few malicious ICC threats in real-world apps with lots of downloads on the Google Play market.

Cryptography and Security

Yu Su,Yan Yu,Yu Qiu,Anmin Fu

DOI: https://doi.org/10.1145/3026724.3026731

2016-01-01

Abstract:Android system has a large number of users and application markets, but its security situation is worrying. Unlike most of the PC apps, Android apps manipulates private information such as contacts and SMS messages, and leakage of such information may cause great loss to the Android users. Thus, detecting privacy leakage on Android is in urgent need. In this paper, we propose a new approach called SymFinder, which detects privacy leakage vulnerabilities on Android with reverse symbolic execution technology. Unlike dynamic approaches, SymFinder analyzes applications without the need of code execution. Thus, it has a higher coverage and less false negative rate of vulnerabilities, and can avoid the path explosion problem in dynamic analysis. Besides, SymFinder can increase accuracy of vulnerability analysis and reduce false positive rate by recognizing invalid and inaccessible sensitive paths. Experimental results show that, SymFinder can detect the existence of 14 real privacy leakages from a 100 provided application set.

Xusheng Xiao,Nikolai Tillmann,Manuel Fahndrich,Jonathan de Halleux,Michal Moskal,Tao Xie

DOI: https://doi.org/10.1007/s10515-014-0166-y

IF: 1.677

2014-01-01

Automated Software Engineering

Abstract:Applications in mobile-marketplaces may leak private user information without notification. Existing mobile platforms provide little information on how applications use private user data, making it difficult for experts to validate applications and for users to grant applications access to their private data. We propose a user-aware privacy control approach, which reveals how private information is used inside applications. We compute static information flows and classify them as safe/unsafe based on a tamper analysis that tracks whether private data is obscured before escaping through output channels. This flow information enables platforms to provide default settings that expose private data only for safe flows, thereby preserving privacy and minimizing decisions required from users. We built our approach into TouchDevelop, an application-creation environment that allows users to write scripts on mobile devices and install scripts published by other users. We evaluate our approach by studying 546 scripts published by 194 users.

Hongyi Chen,Ho-fung Leung,Biao Han,Jinshu Su

DOI: https://doi.org/10.1109/icc.2017.7996335

2017-01-01

Abstract:Android apps frequently leak private data off the device with or without intentions. Researchers have proposed a large number of methods, for example, static and dynamic analysis methods, to pick out the apps which tend to leak private data. However, they are only able to identify part of private data leakage vulnerabilities, due to the dynamic features in codes or code coverage problem. This paper presents a novel hybrid approach that can find out more private data leakages than the existing static or dynamic methods. The approach, realized in a tool, called HybriDroid, which employs both static and dynamic analysis methods to extract the models of each apps, and then refines the behavior model to a more adequate one according to the dynamic analysis result. As a consequence, HybriDroid inherits the advantages of both static and dynamic analysis methods, which not only achieves a high code coverage, but also can deal with the dynamic features in codes. The evaluation results show that HybriDroid is effective in detecting privacy leakages for both inter-and intra-app communication. Comparing with the existing methods, it can achieve considerable improvements in data leakage detection performance with a 97.8% precision and 90% recall on the selected apps from DroidBench 3.0 test suite.

Zehui Zhang,Futai Zou,Jianan Hong,Libo Chen,Ping Yi

DOI: https://doi.org/10.1109/jiot.2024.3400858

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:At present, there is less research on the detection of broken access control vulnerabilities in the Internet of Things (IoT) systems, mostly using state machines to analyse abnormal state transitions and no systematic tools have been developed. The main challenges include the inaccessibility of communication messages, a lack of effective detection for broken access control vulnerabilities, and excessive manual involvement. Moreover, due to the existence of encryption, signatures, and other fields, it is challenging to directly port the Web-based detection tools to IoT. In response to these challenges, we propose a framework for detecting broken access control vulnerabilities based on the interaction between the applications and cloud platforms. The framework employs man-in-the-middle techniques to obtain communication messages between the two entities, enabling fast and effective fuzz testing through the keyword extraction, database-guided fuzzing, and response-based detection algorithms. In addition, a combination of dynamic and static reverse analysis techniques are used to overcome anti-tampering measures, such as encryption and signatures. Following the detection framework, we implemented the semi-automated broken access control detector (BACDetector) system and tested it on six applications from four manufacturers. BACDetector discovered nine broken access control vulnerabilities, including risks of device hijacking and privacy leakage. This validated its effectiveness in detecting vulnerabilities in IoT.

Amr Amin,Amgad Eldessouki,Menna Tullah Magdy,Nouran Abdeen,Hanan Hindy,Islam Hegazy

DOI: https://doi.org/10.3390/info10100326

2019-10-22

Information

Abstract:The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution.

Zicong Gao,Chao Zhang,Hangtian Liu,Wenhou Sun,Zhizhuo Tang,Liehui Jiang,Jianjun Chen,Yong Xie

DOI: https://doi.org/10.14722/ndss.2024.24346

2024-01-01

Abstract:IoT devices are often found vulnerable, i.e., untrusted inputs may trigger potential vulnerabilities and flow to sensitive operations in the firmware, which could cause severe damage.As such vulnerabilities are in general taint-style, a promising solution to find them is static taint analysis.However, existing solutions have limited efficiency and effectiveness.In this paper, we propose a new efficient and effective taint analysis solution, namely HermeScan, to discover such vulnerabilities, which utilizes reaching definition analysis (RDA) to conduct taint analysis and gets much fewer false negatives, false positives, and time costs.We have implemented a prototype of HermeScan and conducted a thorough evaluation on two datasets, i.e., one 0-day dataset with 30 latest firmware and one N-day dataset with 98 older firmware, and compared with two state-of-theart (SOTA) solutions, i.e., KARONTE and SaTC.In terms of effectiveness, HermeScan, SaTC, and KARONTE find 163, 32, and 0 vulnerabilities in the 0-day dataset respectively.In terms of accuracy, the true positive rates of HermeScan, SaTC, and KARONTE are 81%, 42%, and 0% in the 0-day dataset.In terms of efficiency, HermeScan is 7.5X and 3.8X faster than SaTC and KARONTE on average in finding 0-day vulnerabilities.

Ziyi Zhou,Xuangan Xiao,Tianxiao Hou,Yikun Hu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-51482-1_13

2024-01-01

Abstract:To provide a tamper-proof mechanism for mobile apps to check the integrity of the device and their own code/data, Android phone manufacturers have introduced Manufacturer-provided Android Remote Attestation (MARA) frameworks. The MARA framework helps an app conduct a series of integrity checks, signs the check results, and sends them to remote servers for a remote attestation. Nonetheless, we observe that real-world MARA frameworks often adopt two implementations of integrity check (hardware-based and software-based) for compatibility consideration, and this allows an attacker to easily conduct a downgrade attack to force the app to utilize the software-based integrity check and forge checking results, even if the Android device is able to employ hardware-supported remote attestation securely. We demonstrate our MARA bypass approach against MARA frameworks (i.e., Google SafetyNet and Huawei SafetyDetect) on real Android devices, and design an automated measurement pipeline to analyze 35,245 popular Android apps, successfully attacking all 104 apps that use these MARA services, including well-known apps and games such as TikTok Lite, Huawei Wallet, and Pok ' emon GO. Our study reveals the significant risks against MARA frameworks in use.

Jianfei Tang,Hui Zhao

DOI: https://doi.org/10.3233/jifs-220567

2022-09-22

Journal of Intelligent & Fuzzy Systems

Abstract:The focus of a large amount of research on malware detection is currently working on proposing and improving neural network structures, but with the constant updates of Android, the proposed detection methods are more like a race against time. Through the analysis of these methods, we found that the basic processes of these detection methods are roughly the same, and these methods rely on professional reverse engineering tools for malware analysis and feature extraction. These tools generally have problems such as high time-space cost consumption, difficulty in achieving concurrent analysis of a large number of Apk, and the output results are not convenient for feature extraction. Is it possible to propose a general malware detection process implementation platform that optimizes each process of existing malware detection methods while being able to efficiently extract various features on malware datasets with a large number of APK? To solve this problem, we propose an automated platform, AmandaSystem, that highly integrates the various processes of deep learning-based malware detection methods. At the same time, the problem of over privilege due to the openness of Android system and thus the problem of excessive privileges has always required the accurate construction of mapping relationships between privileges and API calls, while the current methods based on function call graphs suffer from inefficiency and low accuracy. To solve this problem, we propose a new bottom-up static analysis method based on AmandaSystem to achieve an efficient and complete tool for mapping relationships between Android permissions and API calls, PerApTool. Finally, we conducted tests on three publicly available malware datasets, CICMalAnal2017, CIC-AAGM2017, and CIC-InvesAndMal2019, to evaluate the performance of AmandaSystem in terms of time efficiency of APK parsing, space occupancy, and comprehensiveness of extracted features, respectively, compared with existing methods were compared.

Yu-Tsung Lee,Hayawardh Vijayakumar,Zhiyun Qian,Trent Jaeger

2024-07-16

Abstract:Filesystem vulnerabilities persist as a significant threat to Android systems, despite various proposed defenses and testing techniques. The complexity of program behaviors and access control mechanisms in Android systems makes it challenging to effectively identify these vulnerabilities. In this paper, we present PathSentinel, which overcomes the limitations of previous techniques by combining static program analysis and access control policy analysis to detect three types of filesystem vulnerabilities: path traversals, hijacking vulnerabilities, and luring vulnerabilities. By unifying program and access control policy analysis, PathSentinel identifies attack surfaces accurately and prunes many impractical attacks to generate input payloads for vulnerability testing. To streamline vulnerability validation, PathSentinel leverages large language models (LLMs) to generate targeted exploit code based on the identified vulnerabilities and generated input payloads. The LLMs serve as a tool to reduce the engineering effort required for writing test applications, demonstrating the potential of combining static analysis with LLMs to enhance the efficiency of exploit generation and vulnerability validation. Evaluation on Android 12 and 14 systems from Samsung and OnePlus demonstrates PathSentinel's effectiveness, uncovering 51 previously unknown vulnerabilities among 217 apps with only 2 false positives. These results underscore the importance of combining program and access control policy analysis for accurate vulnerability detection and highlight the promising direction of integrating LLMs for automated exploit generation, providing a comprehensive approach to enhancing the security of Android systems against filesystem vulnerabilities.

Cryptography and Security

Zhihui Han,Liang Cheng,Yang Zhang,Shuke Zeng,Yi Deng,Xiaoshan Sun

DOI: https://doi.org/10.1109/TrustCom.2014.56

2014-01-01

Abstract:Android is a modern and popular software platform for smart phones. To manage information and features on smart phones, Android employs intent-based mechanism for inter-application or intra-application communication and provides a permission-based security model that requires each application to explicitly request permissions in its manifest file. However, misconfiguration defined in manifest files and that embedded in application code may result in vulnerabilities due to developer confusion and general misuse of the features provided by Android. In this paper, we propose a logic-programming-based approach to analyze smart phones and discover misconfiguration vulnerabilities in Android manifest file and application code. To enable misconfiguration vulnerability analysis and detection, we develop a static technique to extract security related information from application code, and employ logic predicates to describe various vulnerabilities. Based on this approach, we developed a tool called SADroid to systematically analyze and detect misconfiguration vulnerabilities in Android smart phones. Our results with two representative phones show that the inherent weakness of Android permission model and developers' programming errors make Android vulnerable to some attacks.

Francisco Handrick da Costa,Ismael Medeiros,Thales Menezes,João Victor da Silva,Ingrid Lorraine da Silva,Rodrigo Bonifácio,Krishna Narasimhan,Márcio Ribeiro

DOI: https://doi.org/10.48550/arXiv.2109.06613

2021-09-14

Abstract:The Android mining sandbox approach consists in running dynamic analysis tools on a benign version of an Android app and recording every call to sensitive APIs. Later, one can use this information to (a) prevent calls to other sensitive APIs (those not previously recorded) or (b) run the dynamic analysis tools again in a different version of the app -- in order to identify possible malicious behavior. Although the use of dynamic analysis for mining Android sandboxes has been empirically investigated before, little is known about the potential benefits of combining static analysis with the mining sandbox approach for identifying malicious behavior. As such, in this paper we present the results of two empirical studies: The first is a non-exact replication of a previous research work from Bao et al., which compares the performance of test case generation tools for mining Android sandboxes. The second is a new experiment to investigate the implications of using taint analysis algorithms to complement the mining sandbox approach in the task to identify malicious behavior. Our study brings several findings. For instance, the first study reveals that a static analysis component of DroidFax (a tool used for instrumenting Android apps in the Bao et al. study) contributes substantially to the performance of the dynamic analysis tools explored in the previous work. The results of the second study show that taint analysis is also practical to complement the mining sandboxes approach, improve the performance of the later strategy in at most 28.57%.

Cryptography and Security,Software Engineering

Erzhou Zhu,Haibing Guan,Alei Liang,Rongbin Xu,Xuejian Li,Feng Liu

DOI: https://doi.org/10.1007/978-3-642-38715-9_28

2013-01-01

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. The dynamic techniques can precisely find the security flaws of the software; but it suffers from substantial runtime overhead. On the other hand, the static techniques require no runtime overhead; but it is often not accurate enough. In this paper, we propose HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the security flaws for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer; then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness, and the results are encouraging. © 2013 Springer-Verlag Berlin Heidelberg.

Wei Zhang,Yan Meng,Yugeng Liu,Xiaokuan Zhang,Yinqian Zhang,Haojin Zhu

DOI: https://doi.org/10.1145/3243734.3243820

2018-01-01

Abstract:Smart home is an emerging technology for intelligently connecting a large variety of smart sensors and devices to facilitate automation of home appliances, lighting, heating and cooling systems, and security and safety systems. Our research revolves around Samsung SmartThings, a smart home platform with the largest number of apps among currently available smart home platforms. The previous research has revealed several security flaws in the design of SmartThings, which allow malicious smart home apps (or SmartApps) to possess more privileges than they were designed and to eavesdrop or spoof events in the SmartThings platform. To address these problems, this paper leverages side-channel inference capabilities to design and develop a system, dubbed HoMonit, to monitor SmartApps from encrypted wireless traffic. To detect anomaly, HoMonit compares the SmartApps activities inferred from the encrypted traffic with their expected behaviors dictated in their source code or UI interfaces. To evaluate the effectiveness of HoMonit, we analyzed 181 official SmartApps and performed evaluation on 60 malicious SmartApps, which either performed over-privileged accesses to smart devices or conducted event-spoofing attacks. The evaluation results suggest that HoMonit can effectively validate the working logic of SmartApps and achieve a high accuracy in the detection of SmartApp misbehaviors.