Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2014, Pages 1329-1341

  Wei, Fengguo ^a   Roy, Sankardas ^a   Ou, Xinming ^a   Robby, ^a  

^a Sunflower Networking Group   (United States)

Author keywords

Android application; ICC (inter component communication); Information leakage; Malware; Points to analysis; Security vetting; Vulnerable app

Indexed keywords

ANDROID (OPERATING SYSTEM); C (PROGRAMMING LANGUAGE); DATA FLOW ANALYSIS; MALWARE; STATIC ANALYSIS; DATA TRANSFER;

ANDROID APPLICATIONS; ICC (INTER-COMPONENT COMMUNICATION); INFORMATION LEAKAGE; POINTS-TO ANALYSIS; SECURITY VETTING;

MOBILE SECURITY;

EID: 84910617173     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2660267.2660357     Document Type: Conference Paper

References (37)

1. Android documentation: Activity. http://developer.android.com/reference/android/app/Activity.html.
2. Android documentation: Intent and Intent Filter. http://developer.android.com/guide/components/intents-lters.html.
3. Google Bouncer. http://googlemobile.blogspot.com /2012/02/android-and-security.html.
4. WALA documentation: CallGraph. http://wala.sourceforge.net/wiki/index.php/UserGuide:CallGraph.
5. A. W. Appel. Modern Compiler Implementation in Java. Cambridge University Press, 1998.
6. S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. l. Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the ACM PLDI, 2014.
7. K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android permission specification. In Proceedings of the ACM CCS, 2012.
8. E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In Proceedings of the ACM Mobisys, 2011.
9. M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich. CRePE: A system for enforcing fine-grained context-related policies on Android. Information Forensics and Security, IEEE Transactions on, 7(5):1426-1438, 2012.
10. M. B. Dwyer, J. Hatcliff, M. Hoosier, V. Ranganath, Robby, and T. Wallentine. Evaluating the effectiveness of slicing for model reduction of concurrent object-oriented programs. In Proceedings of the TACAS, 2006.
11. M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An empirical study of cryptographic misuse in Android applications. In Proceedings of the ACM CCS, 2013.
12. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth. TaintDroid: An information-ow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the USENIX OSDI, 2010.
13. ENISA. Smartphone secure development guidelines. http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/smartphone-secure-development-guidelines, 2011.
14. S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In Proceedings of the ACM CCS, 2012.
15. A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A survey of mobile malware in the wild. In Proceedings of the ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, 2011.
16. S. Fink and J. Dolby. WALA-The TJ Watson Libraries for Analysis. http://wala.sf.net/, 2012.
17. C. Fritz, S. Arzt, S. Rasthofer, E. Bodden, A. Bartel, J. Klein, Y. le Traon, D. Octeau, and P. McDaniel. Highly precise taint analysis for Android application. Technical report, EC SPRIDE, 2013.
18. C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically detecting potential privacy leaks in Android applications on a large scale. In Proceedings of the International Conference on Trust and Trustworthy Computing, 2012.
19. M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock Android smartphones. In Proceedings of the NDSS, 2012.
20. M. C. Grace, W. Zhou, X. Jiang, and A. R. Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2012.
21. D. Hardt. The OAuth 2.0 authorization framework. 2012.
22. O. Lhotffak and L. Hendren. Scaling Java points-to analysis using Spark. In Proceedings of the Compiler Construction, 2003.
23. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In Proceedings of the ACM CCS, 2012.
24. F. Nielson, H. R. Nielson, and C. Hankin. Principles of program analysis. Springer, 1999.
25. D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon. Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In Proceedings of the USENIX Security Symposium, 2013.
26. M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in Android. Security and Communication Networks, 5(6):658-673, 2012.
27. N. J. Percoco and S. Schulte. Adventures in Bouncerland. Black Hat USA, 2012.
28. T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataow analysis via graph reachability. In Proceedings of the ACM Symposium on Principles of Programming Languages, 1995.
29. M. Sagiv, T. Reps, and S. Horwitz. Precise interprocedural dataow analysis with applications to constant propagation. Theoretical Computer Science, 167(1):131-170, 1996.
30. S. Smalley and R. Craig. Security enhanced (SE) Android: Bringing exible MAC to Android. In Proceedings of the NDSS, 2013.
31. D. Sounthiraraj, J. Sahs, G. Greenwood, Z. Lin, and L. Khan. SMV-HUNTER: Large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps. In Proceedings of the NDSS, 2014.
32. R. Vallfiee-Rai, E. Gagnon, L. Hendren, P. Lam, P. Pominville, and V. Sundaresan. Optimizing Java bytecode using the Soot framework: Is it feasible? In Proceedings of the Compiler Construction, 2000.
33. N. Viennot, E. Garcia, and J. Nieh. A measurement study of Google Play. In Proceedings of the ACM SIGMETRICS, 2014.
34. R. Wang, L. Xing, X. Wang, and S. Chen. Unauthorized origin crossing on mobile platforms: Threats and mitigation. In Proceedings of the 2013 ACM CCS, 2013.
35. R. Xu, H. Saffdi, and R. Anderson. Aurasium: Practical policy enforcement for Android applications. In Proceedings of the USENIX Security Symposium, 2012.
36. Y. Zhou and X. Jiang. Dissecting Android malware: Characterization and evolution. In Proceedings of the IEEE SP, 2012.
37. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In Proceedings of the NDSS, 2012.