Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 543-558

  Octeau, Damien ^a   McDaniel, Patrick ^a   Jha, Somesh ^b   Bartel, Alexandre ^c   Bodden, Eric ^d   Klein, Jacques ^c   Le Traon, Yves ^c  

^a PENNSYLVANIA STATE UNIVERSITY   (United States)

^b University of Wisconsin Madison   (United States)

^c UNIVERSITY OF LUXEMBOURG   (Luxembourg)

^d DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

ANDROID (OPERATING SYSTEM); SECURITY SYSTEMS; SMARTPHONES; STATIC ANALYSIS;

ANALYSIS TECHNIQUES; ANDROID PLATFORMS; APPLICATION COMPONENTS; DISTRIBUTIVE ENVIRONMENT; INTER-APPLICATION COMMUNICATIONS; INTER-PROCEDURAL; SECURITY ANALYSIS; SINGLE COMPONENTS;

MOBILE SECURITY;

EID: 85075955161     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. ARTHUR, C. Feature phones dwindle as android powers ahead in third quarter. The Guardian, Nov. 2012. Available at http://www.guardian.co.uk/technology/2012/nov/15/smartphones-market-android-feature-phones.
2. BARRERA, D., and KAYACIK., H. G., VAN OORSHOT, P. C., AND SOMAYAJI, A. A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android. In Proceedings of the ACM Conference on Computer and Communications Security (Oct. 2010).
3. BODDEN, E. Inter-procedural data-flow analysis with ifds/ide and soot. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis (2012). Available from http://sable.github.com/heros/.
4. BUGIEL, S., DAVI, L., DMITRIENKO, A., FISCHER, T., AND SADEGHI, A.-R. XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks. Tech. Rep. TR-2011-04, Technische Universitat Darmstadt, Germany, Apr. 2011.
5. BUGIEL, S., DAVI, L., DMITRIENKO, A., FISCHER, T., SADEGHI, A.-R., AND SHASTRY, B. Towards taming privilege-escalation attacks on Android. In Proceedings of the 19th Annual Network & Distributed System Security Symposium (Feb. 2012).
6. CHIN, E., and FELT., A. P., GREENWOOD, K., and WAGNER, D. Analyzing Inter-Application Communication in Android. In Proceedings of the 9th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys) (2011).
7. CHRISTENSEN, A. S., MØLLER, A., and SCHWARTZBACH, M. I. Precise analysis of string expressions. In Proc. 10th International Static Analysis Symposium (SAS) (June 2003), Vol. 2694 of LNCS, Springer-Verlag, pp. 1-18. Available from http://www.brics.dk/JSA/.
8. DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., and WINANDY, M. Privilege Escalation Attacks on Android. In Proc. of the 13th Information Security Conference (ISC) (Oct. 2010).
9. DIETZ, M., SHEKHAR, S., PISETSKY, Y., SHU, A., AND WALLACH, D. S. Quire: Lightweight Provenance for Smart Phone Operating Systems. In 20th USENIX Security Symposium (2011).
10. ENCK, W. Defending users against smartphone apps: Techniques and future directions. In ICISS (2011), pp. 49-70.
11. ENCK, W., GILBERT, P., CHUN, B.-G., and COX., L. P., JUNG, J., MCDANIEL, P., and SHETH, A. N. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of the 9th USENIX Symp. on Operating Systems Design and Implementation (OSDI) (2010).
12. ENCK, W., OCTEAU, D., MCDANIEL, P., and CHAUDHURI, S. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium (August 2011).
13. ENCK, W., ONGTANG, M., and MCDANIEL, P. On Lightweight Mobile Phone Application Certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS) (Nov. 2009).
14. ENCK, W., ONGTANG, M., and MCDANIEL, P. Understanding Android Security. IEEE Security & Privacy Magazine 7, 1 (January/February 2009), 50-57.
15. FELT, A. P., CHIN, E., HANNA, S., SONG, D., and WAGNER, D. Android Permissions Demystified. In Proc. of the ACM Conf. on Computer and Communications Security (CCS) (2011).
16. FELT, A. P., GREENWOOD, K., and WAGNER, D. The Effectiveness of Application Permissions. In Proc. of the USENIX Conference on Web Application Development (WebApps) (2011).
17. FELT, A. P., and WANG., H. J., MOSHCHUK, A., HANNA, S., and CHIN, E. Permission Re-Delegation: Attacks and Defenses. In Proc. of the 20th USENIX Security Symp. (August 2011).
18. GILBERT, P., CHUN, B.-G., and COX., L. P., and JUNG, J. Vision: Automated Security Validation of Mobile Apps at App Markets. In Proceedings of the International Workshop on Mobile Cloud Computing and Services (MCS) (2011).
19. GRACE, M., ZHOU, Y., WANG, Z., and JIANG, X. Systematic Detection of Capability Leaks in Stock Android Smartphones. In NDSS '12 (2012).
20. GRACE, M. C., ZHOU, W., JIANG, X., and SADEGHI, A.-R. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (2012), WISEC '12, ACM.
21. HARDY, N. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988).
22. HORNYACK, P., HAN, S., JUNG, J., SCHECHTER, S., and WETHERALL, D. These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2011).
23. KIM, J., YOON, Y., and YI, K. Scandal: Static analyzer for detecting privacy leaks in android applications. In MoST 2012: Workshop on Mobile Security Technologies 2012 (2012).
24. LHOTÁK, O., AND HENDREN, L. Scaling java points-to analysis using spark. In Proceedings of the 12th international conference on Compiler construction (2003), CC'03, Springer-Verlag.
25. LU, L., LI, Z., WU, Z., LEE, W., and JIANG, G. Chex: statically vetting android apps for component hijacking vulnerabilities. In Proc. of the 2012 ACM conference on Computer and communications security (2012), CCS '12, ACM, pp. 229-240.
26. MCDANIEL, P., and ENCK, W. Not So Great Expectations: Why Application Markets Haven't Failed Security. IEEE Security & Privacy Magazine 8, 5 (September/October 2010), 76-78.
27. MLOT, S. Google's bouncer malware tool hacked. PC Magazine, June 2012. Available from http://www.pcmag.com/article2/0,2817,2405358,00.asp.
28. OCTEAU, D., ENCK, W., and MCDANIEL, P. The ded Decompiler. Tech. Rep. NAS-TR-0140-2010, Network and Security Research Center, Pennsylvania State University, USA, Sept. 2010. Available from http://siis.cse.psu.edu/ded/.
29. OCTEAU, D., JHA, S., and MCDANIEL, P. Retargeting android applications to java bytecode. In Proceedings of the 20th International Symposium on the Foundations of Software Engineering (November 2012). Available from http://siis.cse.psu.edu/dare/.
30. ONGTANG, M., MCLAUGHLIN, S., ENCK, W., and MC-DANIEL, P. Semantically Rich Application-Centric Security in Android. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC) (Dec. 2009), pp. 340-349.
31. ROSENBERG, J. Google play hits 25 billion downloads. Android - Official blog, Sept. 2012. Available at http://officialandroid.blogspot.com/2012/09/google-play-hits-25-billion-downloads.html.
32. SAGIV, M., REPS, T., and HORWITZ, S. Precise interprocedu-ral dataflow analysis with applications to constant propagation. Theor. Comput. Sci. 167, 1-2 (Oct. 1996), 131-170.
33. SECURITY, N. Malware controls 620, 000 phones, sends costly messages. Help Net Security, January 2013. Available from http://www.net-security.org/malware_news.php?id=2391.
34. VALLÉE-RAI, R., GAGNON, E., HENDREN, L. J., LAM, P., POMINVILLE, P., AND SUNDARESAN, V. Optimizing java bytecode using the soot framework: Is it feasible? In Proc. of the 9th International Conf. on Compiler Construction (2000), CC '00.
35. ZHENG, C., ZHU, S., DAI, S., GU, G., GONG, X., HAN, X., and ZOU, W. Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In Proceedings of the second ACM workshop on Security and privacy in smart-phones and mobile devices (2012), ACM, pp. 93-104.
36. ZHOU, Y., WANG, Z., ZHOU, W., and JIANG, X. Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the Network and Distributed System Security Symposium (Feb. 2012).