Detecting Passive Content Leaks and Pollution in Android Applications

20th Annual Network and Distributed System Security Symposium, NDSS 2013

Volumn , Issue , 2013, Pages

  Zhou, Yajin ^a   Jiang, Xuxian ^a  

^a North Carolina State University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; COMMERCE; MOBILE SECURITY; SENSITIVE DATA;

ACCESS CONTROL ENFORCEMENTS; ANDROID APPLICATIONS; ANDROID MARKETS; BLOCKINGS; CONTENT PROVIDERS; GOOGLE PLAYS; PHONE CALLS; PRIVATE DATA; SIDE EFFECT; SMS MESSAGES;

ANDROID (OPERATING SYSTEM);

EID: 85102224279     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (46)

1. Android 4.2 APIs. http://developer.android.com/about/versions/android-4.2.html.
2. App Store (iOS). http://en.wikipedia.org/wiki/App_Store_(iOS).
3. Gartner Says Worldwide Smartphone Sales Soared in Fourth Quarter of 2011 With 47 Percent Growth. http://www.gartner.com/it/page.jsp?id=1924314.
4. Google Play. http://en.wikipedia.org/wiki/Google_Play.
5. Java PathFinder. http://babelfish.arc.nasa.gov/trac/jpf.
6. Number of Web users in China Hits 513 Million. http://latimesblogs.latimes.com/technology/2012/01/chinese-web-users-grow-to-513-million.html.
7. Sina Weibo. http://en.wikipedia.org/wiki/Sina_Weibo.
8. The Risk You Carry in Your Pocket. https://media.blackhat.com/bh-ad-10/Nils/Black-HatAD-2010-android-sandcastle-slides.pdf.
9. Your Apps Are Watching You. http://online.wsj.com/article/SB10001424052748704694004576020083703574602. html.
10. ZeuS-in-the-Mobile - Facts and Theories. http://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories.
11. J. Andrus, C. Dall, A. Van't Hof, O. Laadan, and J. Nieh. Cells: A Virtual Mobile Smartphone Architecture. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles, SOSP, 2011.
12. T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: Automatic Exploit Generation. In Proceedings of the 18th Annual Symposium on Network and Distributed System Security, NDSS, 2011.
13. A. R. Beresford, A. Rice, N. Skehin, and R. Sohan. MockDroid: Trading Privacy for Application Functionality on Smartphones. In Proceedings of the 12th International Workshop on Mobile Computing System and Applications, HotMobile, 2011.
14. D. Brumley, J. Newsome, and D. Song. Sting: an end-to-end self-healing system for defending against internet worms. In Book chapter in”Malware Detection and Defense”, Editors Christodorescu, Jha, Maughn, Song, 2007.
15. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards Taming Privilege-Escalation Attacks on Android. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS, 2012.
16. C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI, 2008.
17. E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing Inter-Application Communication in Android. In Proceedings of the 9th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys, 2011.
18. L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nurnberger, and A.-R. Sadeghi. MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS, 2012.
19. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy. Privilege escalation attacks on android. In Proceedings of the 13th international conference on Information security, ISC, 2010.
20. M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. QUIRE: Lightweight Provenance for Smart Phone Operating Systems. In Proceedings of the 20th USENIX Security Symposium, USENIX Security, 2011.
21. M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Proceedings of the 18th Annual Symposium on Network and Distributed System Security, NDSS, 2011.
22. W. Enck, P. Gilbert, B.-g. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, USENIX OSDI, 2010.
23. W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, USENIX Security, 2011.
24. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS, 2011.
25. A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-Delegation: Attacks and Defenses. In Proceedings of the 20th USENIX Security Symposium, USENIX Security, 2011.
26. M. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi. Unsafe Exposure Analysis of Mobile In-App Advertisements. In Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec, 2012.
27. M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic Detection of Capability Leaks in Stock Android Smartphones. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS, 2012.
28. M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In Proceedings of the 10th International Conference on Mobile Systems, Applications and Services, MobiSys, 2012.
29. N. Hardy. The Confused Deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review, 22, October 1998.
30. P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS, 2011.
31. J. Jeon, K. K. Micinski, J. A. Vaughan, A. Fogel, N. Reddy, J. S. Foster, and T. Millstein. Dr. android and mr. hide: Fine-grained permissions in android applications. In ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, CCS-SPSM, 2012.
32. M. Lange, S. Liebergeld, A. Lackorzynski, A. Warg, and M. Peter. L4Android: A Generic Operating System Framework for Secure Smartphones. In Proceedings of the 1st Workshop on Security and Privacy in Smartphones and Mobile Devices, CCS-SPSM, 2011.
33. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting android apps for component hijacking vulnerabilities. In Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS, 2012.
34. M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android Permission Model and Enforcement with User-Defined Runtime Constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS, 2010.
35. P. Pearce, A. P. Felt, G. Nunez, and D. Wagner. AdDroid: Privilege Separation for Applications and Advertisers in Android. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, ASIACCS, 2012.
36. H. Peng, C. Gates, B. Sarma, N. Li, Y. Qi, R. Potharaju, C. Nita-Rotaru, and I. Molloy. Using probabilistic generative models for ranking risks of android apps. In Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS, 2012.
37. P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In Proceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis, ISSTA, 2009.
38. S. Shekhar, M. Dietz, and D. S. Wallach. Adsplit: Separating smartphone advertising from applications. In Proceedings of the 21th USENIX Security Symposium, USENIX Security, 2012.
39. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis. In Proceedings of the 4th International Conference on Information Systems Security, ICISS, 2008.
40. R. Xu, H. Saidi, and R. Anderson. Aurasium: Practical Policy Enforcement for Android Applications. In Proceedings of the 21th USENIX Security Symposium, USENIX Security, 2012.
41. L. K. Yan and H. Yin. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In Proceedings of the 21th USENIX Security Symposium, USENIX Security, 2012.
42. W. Zhou, Y. Zhou, M. Grace, X. Jiang, and S. Zou. Fast, scalable detection of 'piggybacked' mobile applications. In Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, CODASPY, 2013.
43. W. Zhou, Y. Zhou, X. Jiang, and P. Ning. DroidMOSS: Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces. In Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy, CODASPY, 2012.
44. Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 33rd IEEE Symposium on Security and Privacy, IEEE S&P, 2012.
45. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, NDSS, 2012.
46. Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming Information-Stealing Smartphone Applications (on Android). In Proceedings of the 4th International Conference on Trust and Trustworthy Computing, TRUST, 2011.