The impact of vendor customizations on Android security

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 623-634

  Wu, Lei ^a   Grace, Michael ^a   Zhou, Yajin ^a   Wu, Chiachih ^a   Jiang, Xuxian ^a  

^a North Carolina State University   (United States)

Author keywords

android; customization; provenance; static analysis

Indexed keywords

ANDROID; CUSTOMIZATION; EVALUATION RESULTS; PRIVATE INFORMATION; PROVENANCE; PROVENANCE ANALYSIS; THREE-STAGE PROCESS; VULNERABILITY ANALYSIS;

ROBOTS; SIGNAL ENCODING; SMARTPHONES; STATIC ANALYSIS;

SECURITY OF DATA;

EID: 84889012971     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516728     Document Type: Conference Paper

References (54)

1. J. Andrus, C. Dall, A. Van't Hof, O. Laadan, and J. Nieh. Cells: A Virtual Mobile Smartphone Architecture. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles, SOSP '11, 2011.
2. K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android Permission Specification. In Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS '12, 2012.
3. D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji. A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, 2010.
4. A. R. Beresford, A. Rice, N. Skehin, and R. Sohan. MockDroid: Trading Privacy for Application Functionality on Smartphones. In Proceedings of the 12th International Workshop on Mobile Computing Systems and Applications, HotMobile '11, 2011.
5. T. Book, A. Pridgen, and D. S. Wallach. Longitudinal Analysis of Android Ad Library Permissions. In IEEE Mobile Security Technologies, MoST '13, 2013.
6. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards Taming Privilege-Escalation Attacks on Android. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS '12, 2012.
7. S. Chakradeo, B. Reaves, P. Traynor, and W. Enck. MAST: Triage for Market-scale Mobile Malware Analysis. In Proceedings of the 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '13, 2013.
8. E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing Inter-Application Communication in Android. In Proceedings of the 9th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys '11, 2011.
9. J. Crussell, C. Gibler, and H. Chen. Attack of the Clones: Detecting Cloned Applications on Android Markets. In Proceedings of 17th European Symposium on Research in Computer Security, ESORICS '12, 2012.
10. L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nurnberger, and A.-R. Sadeghi. MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS '12, 2012.
11. Defuse. Use-define chain. http://en.wikipedia.org/wiki/Use-define-chain.
12. M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. QUIRE: Lightweight Provenance for Smart Phone Operating Systems. In Proceedings of the 20th USENIX Security Symposium, USENIX Security '11, 2011.
13. M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Proceedings of the 18th Annual Symposium on Network and Distributed System Security, NDSS '11, 2011.
14. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, USENIX OSDI '10, 2010.
15. W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, USENIX Security '11, 2011.
16. W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS '09, 2009.
17. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, 2011.
18. A. P. Felt, H. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-Delegation: Attacks and Defenses. In Proceedings of the 20th USENIX Security Symposium, USENIX Security '11, 2011.
19. E. Fragkaki, L. Bauer, L. Jia, and D. Swasey. Modeling and Enhancing Android's Permission System. In Proceedings of 17th European Symposium on Research in Computer Security, ESORICS '12, 2012.
20. Gartner. Gartner Says Worldwide Smartphone Sales Soared in Fourth Quarter of 2011 With 47 Percent Growth. http://www.gartner.com/it/page.jsp?id=1924314.
21. Google. Intent. http://developer.android.com/reference/android/content/ Intent.html.
22. Google. Platform Versions. http://developer.android.com/about/dashboards/ index.html.
23. M. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi. Unsafe Exposure Analysis of Mobile In-App Advertisements. In Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '12, 2012.
24. M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic Detection of Capability Leaks in Stock Android Smartphones. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS '12, 2012.
25. M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In Proceedings of the 10th International Conference on Mobile Systems, Applications and Services, MobiSys '12, 2012.
26. Gsmarena. http://www.gsmarena.com/.
27. N. Hardy. The Confused Deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review, 22, October 1988.
28. P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, 2011.
29. X. Hu, T.-c. Chiueh, and K. G. Shin. Large-Scale Malware Indexing Using Function-Call Graphs. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS '09, 2009.
30. IDC. Strong Demand for Smartphones and Heated Vendor Competition Characterize the Worldwide Mobile Phone Market at the End of 2012, IDC Says. https://www.idc.com/getdoc.jsp?containerId=prUS23916413#.UQIPbh0qaSp.
31. J. Koetsier. Android captured almost 70% global smartphone market share in 2012, Apple just under 20%. http://venturebeat. com/2013/01/28/android- captured-almost-70-global-smartphone-market-share-in-2012-apple-just-under- 20/.
32. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In Proceedings of 8th International Symposium on Recent Advances in Intrusion Detection, RAID '05, 2005.
33. M. Lange, S. Liebergeld, A. Lackorzynski, A. Warg, and M. Peter. L4Android: A Generic Operating System Framework for Secure Smartphones. In Proceedings of the 1st Workshop on Security and Privacy in Smartphones and Mobile Devices, CCS-SPSM '11, 2011.
34. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting android apps for component hijacking vulnerabilities. In Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS '12, 2012.
35. M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android Permission Model and Enforcement with User-Defined Runtime Constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS '10, 2010.
36. P. Pearce, A. P. Felt, G. Nunez, and D. Wagner. AdDroid: Privilege Separation for Applications and Advertisers in Android. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS '12, 2012.
37. H. Peng, C. Gates, B. Sarma, N. Li, Y. Qi, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Using probabilistic generative models for ranking risks of android apps. In Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS '12, 2012.
38. S. Rosen, Z. Qian, and Z. M. Mao. AppProfiler: A Flexible Method of Exposing Privacy-Related Behavior in Android Applications to End Users. In Proceedings of the 3nd ACM Conference on Data and Application Security and Privacy, CODASPY '13, 2013.
39. A. Russakovskii. http://www.androidpolice.com/2011/10/01/massive- security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others- exposes- phone-numbers-gps-sms-emails-addresses-much- more/.
40. B. Sarma, C. Gates, N. Li, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Android Permissions: A Perspective Combining Risks and Benefits. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT '12, 2012.
41. S. Shekhar, M. Dietz, and D. S. Wallach. AdSplit: Separating smartphone advertising from applications. In Proceedings of the 21th USENIX Security Symposium, USENIX Security '12, 2012.
42. Smali. An assembler/disassembler for Android's dex format. http://code.google.com/p/smali/.
43. Y. Tang, P. Ames, S. Bhamidipati, A. Bijlani, R. Geambasu, and N. Sarda. CleanOS: Limiting Mobile Data Exposure With Idle Eviction. In Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, USENIX OSDI '12, 2012.
44. T. Vidas, N. Christin, and L. F. Cranor. Curbing Android permission creep. In Proceedings of the 2011 Web 2.0 Security and Privacy Workshop, W2SP '11, 2011.
45. Wiki. Samsung Galaxy S3. http://en.wikipedia.org/wiki/Samsung-Galaxy-S- III.
46. Z. Wu, X. Zhang, and X. Jiang. AppInk: Watermarking Android Apps for Repackaging Deterrence. In Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security, ASIACCS '13, 2013.
47. R. Xu, H. Saidi, and R. Anderson. Aurasium: Practical Policy Enforcement for Android Applications. In Proceedings of the 21th USENIX Security Symposium, USENIX Security '12, 2012.
48. L. K. Yan and H. Yin. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In Proceedings of the 21th USENIX Security Symposium, USENIX Security '12, 2012.
49. W. Zhou, Y. Zhou, M. Grace, X. Jiang, and S. Zou. Fast, Scalable Detection of 'Piggybacked' Mobile Applications. In Proceedings of the 3nd ACM Conference on Data and Application Security and Privacy, CODASPY '13, 2013.
50. W. Zhou, Y. Zhou, X. Jiang, and P. Ning. DroidMOSS: Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces. In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, CODASPY '12, 2012.
51. Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 33rd IEEE Symposium on Security and Privacy, IEEE Oakland '12, 2012.
52. Y. Zhou and X. Jiang. Detecting Passive Content Leaks and Pollution in Android Applications. In Proceedings of the 20th Annual Symposium on Network and Distributed System Security, NDSS '13, 2013.
53. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS '12, 2012.
54. Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming Information-Stealing Smartphone Applications (on Android). In Proceedings of the 4th International Conference on Trust and Trustworthy Computing, TRUST '11, 2011.