Checking More and Alerting Less: Detecting Privacy Leakages via Enhanced Data-flow Analysis and Peer Voting

22nd Annual Network and Distributed System Security Symposium, NDSS 2015

Volumn , Issue , 2015, Pages

  Lu, Kangjie ^a   Li, Zhichun ^b   Kemerlis, Vasileios P ^c   Wu, Zhenyu ^b   Lu, Long ^d   Zheng, Cong ^a   Qian, Zhiyun ^e   Lee, Wenke ^a   Jiang, Guofei ^b  

^a GEORGIA INSTITUTE OF TECHNOLOGY   (United States)

^b NEC LABORATORIES AMERICA   (United States)

^c Och Spine at New York Presbyterian Hospitals   (United States)

^d STONY BROOK UNIVERSITY   (United States)

^e UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ANDROID (OPERATING SYSTEM); AUTOMATION; DATA FLOW ANALYSIS; DATA PRIVACY; MOBILE SECURITY;

ANDROID APPS; DATA-FLOW ANALYSIS; HIGHLY ACCURATE; PRIVACY DISCLOSURES; PRIVACY LEAKAGES; RECENT RESEARCHES; RESEARCH EFFORTS; SECURITIES ANALYSTS; SMARTPHONE APPS; USER DATA;

STATIC ANALYSIS;

EID: 85180549026     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss.2015.23287     Document Type: Conference Paper

References (41)

1. “Scandroid: Automated security certification of android applications, ” http://www.cs.umd.edu/avik/projects/scandroidascaa.
2. “Android application components, ” http://developer.android.com/guide/topics/fundamentals.html#Components, April 2012. [Online]. Available:http://developer.android.eom/guide/topics/fundamentals.html# Components
3. O. Agesen, “The cartesian product algorithm: Simple and precise type inference of parametric polymorphism, ” in Proceedings of the 9th European Conference on Object-Oriented Programming, ser. ECOOP '95. London, UK, UK: Springer-Verlag, 1995, pp. 2-26. [Online], Available: http://dl.acm.org/citation.cfm?id=646153.679533
4. D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, and K. Rieck, “Drebin: Effective and explainable detection of android malware in your pocket, ” in Proceedings of the 21th Network and Distributed System Security Symposium (NDSS), 2014.
5. S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel, “Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps” in Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, ser. PLDI'14. New York, NY, USA: ACM, 2014, pp. 259-269. [Online], Available: http://doi.acm.org/10.1145/2594291.2594299
6. K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, “Pscout: Analyzing the android permission specification, ” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS'12. New York, NY, USA: ACM, 2012, pp. 217-228. [Online], Available: http://doi.acm.org/10.1145/2382196.2382222
7. R. Bodik and S. Anik, “Path-sensitive value-flow analysis, ” in Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ser. POPL'98. New York, NY, USA: ACM, 1998, pp. 237-251. [Online], Available: http://doi.acm.org/10.1145/268946.268966
8. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry, “Towards taming privilege-escalation attacks on android, ” in Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), 2012.
9. D. Callahan, K. D. Cooper, K. Kennedy, and L. Torczon, “Interprocedural constant propagation, ” in Proceedings of the 1986 SIGPLAN Symposium on Compiler Construction, ser. SIGPLAN'86. New York, NY, USA: ACM, 1986, pp. 152-161. [Online], Available: http://doi.acm.org/10.1145/12276.13327
10. S. Chakradeo, B. Reaves, P. Traynor, and W. Enck, “Mast: Triage for market-scale mobile malware analysis, ” in Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, ser. WiSec'13. New York, NY, USA: ACM, 2013, pp. 13-24. [Online], Available: http://doi.acm.org/10.1145/2462096. 2462100
11. M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach, “Quire: Lightweight provenance for smart phone operating systems, ” in Proceedings of the 20th USENIX conference on Security, San Francisco, CA, Aug. 2011.
12. M. Egele, C. Kruegel, E. Kirda, and G. Vigna, “Pios: Detecting privacy leaks in ios applications, ” in Proceedings of the 18th Network and Distributed System Security Symposium (NDSS), 2011.
13. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones, ” in Proceedings ofthe 9th USENIX conference on Operating systems design and implementation, ser. OSDI'IO. Berkeley, CA, USA: USENIX Association, 2010, pp. 1-6. [Online], Available: http://dl.acm.org/citation.cfm?id=1924943. 1924971
14. W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri, “A study of android application security, ” in Proceedings of the 20th USENIX conference on Security. Berkeley, CA, USA: USENIX Association, 2011, pp. 21-21. [Online], Available: http://dl.acm.org/citation.cfm?id=2028067.2028088
15. W. Enck, M. Ongtang, and P. McDaniel, “On lightweight mobile phone application certification, ” in Proceedings of the 16th ACM conference on Computer and communications security, ser. CCS'09. New York, NY, USA: ACM, 2009, pp. 235-245. [Online], Available: http://doi.acm.org/10.1145/1653662.1653691
16. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, “Android permissions demystified, ” in Proceedings of the 18th ACM conference on Computer and communications security, ser. CCS'll. New York, NY, USA: ACM, 2011, pp. 627-638. [Online], Available: http://doi.acm.org/10.1145/2046707.2046779
17. A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin, “Permission re-delegation: attacks and defenses, ” in Proceedings of the 20th USENIX conference on Security, ser. SEC'11. Berkeley, CA, USA: USENIX Association, 2011, pp. 22-22. [Online]. Available: http://dl.acm.org/citation.cfm?id=2028067.2028089
18. C. Gibler, J. Crussell, J. Erickson, and H. Chen, “Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale, ” in Proceedings of the 5th International Conference on Trust and Trustworthy Computing, ser. TRUST'12. Berlin, Heidelberg: Springer-Verlag, 2012, pp. 291-307. [Online], Available: http://dx.doi.org/10.1007/978-3-642-30921-2_17
19. A. Gorla, I. Tavecchia, F. Gross, and A. Zeller, “Checking app behavior against app descriptions, ” in Proceedings of the 36th International Conference on Software Engineering, ser. ICSE 2014. New York, NY, USA: ACM, 2014, pp. 1025-1035. [Online], Available: http://doi.acm.org/10.1145/2568225.2568276
20. M. Grace, Y. Zhou, Z. Wang, and X. Jiang, “Systematic detection of capability leaks in stock android smartphones, ” in Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), 2012.
21. M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, “Riskranker: Scalable and accurate zero-day android malware detection, ” in Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services, ser. MobiSys'12. New York, NY, USA: ACM, 2012, pp. 281-294. [Online], Available: http://doi.acm.org/10.1145/2307636.2307663
22. J. Han, Q. Yan, D. Gao, J. Zhou, and R. Deng, “Comparing mobile privacy protection through cross-platform applications, ” in Proceedings of the 20th Network and Distributed System Security Symposium (NDSS), 2013.
23. P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall, “These aren't the droids you're looking for: Retrofitting android to protect data from imperious applications, ” in Proceedings of the 18th ACM Conference on Computer and Communications Security, ser. CCS'll. New York, NY, USA: ACM, 2011, pp. 639-652. [Online], Available: http://doi.acm.org/10.1145/2046707.2046780
24. S. Horwitz, T. Reps, and D. Binkley, “Interprocedural slicing using dependence graphs, ” SIGPLAN Not., vol. 23, no. 7, pp. 3546, Jun. 1988. [Online], Available: http://doi.acm.org/10.1145/960116.53994
25. B. Lee, L. Lu, T. Wang, T. Kim, and W. Lee, “From zygote to morula: Fortifying weakened aslr on android, ” in Proceedings of the 2014 IEEE Symposium on Security and Privacy, ser. SP'14. Washington, DC, USA: IEEE Computer Society, 2014, pp. 424439. [Online], Available: http://dx.doi.org/10.1109/SP.2014.34
26. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang, “Chex: Statically vetting android apps for component hijacking vulnerabilities, ” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, ser. CCS'12. New York, NY, USA: ACM, 2012, pp. 229-240. [Online], Available: http://doi.acm.org/10.1145/2382196. 2382223
27. A. Nadkarni and W. Enck, “Preventing accidental data disclosure in modern operating systems, ” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, ser. CCS '13. New York, NY, USA: ACM, 2013, pp. 1029-1042. [Online], Available: http://doi.acm.Org/10.l 145/2508859.2516677
28. J. Palsberg and M. I. Schwartzbach, “Object-oriented type inference, ” in Conference Proceedings on Object-oriented Programming Systems, Languages, and Applications, ser. OOPSLA'91. New York, NY, USA: ACM, 1991, pp. 146-161. [Online], Available: http://doi.acm. org/10.1145/117954.117965
29. R. Pandita, X. Xiao, W. Yang, W. Enck, and T. Xie, “Whyper: Towards automating risk assessment of mobile applications, ” in Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13). Washington, D.C.: USENIX, 2013, pp. 527-542. [Online]. Available: https://www.usenix.org/conference/usenixsecurity13/technical- sessions/presentation/pandita
30. H. Peng, C. Gates, B. Sarma, N. Li, Y. Qi, R. Potharaju, C. Nita-Rotaru, and I. Molloy, “Using probabilistic generative models for ranking risks of android apps, ” in Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012, pp. 241-252.
31. V. Rastogi, Y. Chen, and W. Enck, “Appsplayground: Automatic security analysis of smartphone applications, ” in Proceedings of the Third ACM Conference on Data and Application Security and Privacy, ser. CODASPY'13. New York, NY, USA: ACM, 2013, pp. 209-220. [Online], Available: http://doi.acm.org/10.1145/2435349.2435379
32. P. Resnik, “Semantic similarity in a taxonomy: An information-based measure and its application to problems of ambiguity in natural language, ” 1999.
33. R. Stevens, C. Gibler, J. Crussell, J. Erickson, and H. Chen, “Investigating user privacy in android ad libraries, ” in Workshop on Mobile Security Technologies (MoST). Citeseer, 2012.
34. L. Xing, X. Pan, R. Wang, K. Yuan, and X. Wang, “Upgrading your android, elevating my malware: Privilege escalation through mobile os updating, ” in Proceedings of the 2014 IEEE Symposium on Security and Privacy, ser. SP'14. Washington, DC, USA: IEEE Computer Society, 2014, pp. 393^408. [Online], Available: http://dx.doi.org/10.1109/SP.2014.32
35. Z. Yang, M. Yang, Y. Zhang, G. Gu, P. Ning, and X. S. Wang, “Appintent: analyzing sensitive data transmission in android for privacy leakage detection, ” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, ser. CCS '13. New York, NY, USA: ACM, 2013, pp. 1043-1054. [Online], Available: http://doi.acm.0rg/lO.l 145/2508859.2516676
36. C. Zheng, S. Zhu, S. Dai, G. Gu, X. Gong, X. Han, and W. Zou, “Smartdroid: An automatic system for revealing ui-based trigger conditions in android applications, ” in Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, ser. SPSM'12. New York, NY, USA: ACM, 2012, pp. 93-104. [Online], Available: http://doi.acm.org/10.1145/2381934.2381950
37. W. Zhou, Y. Zhou, X. Jiang, and P. Ning, “Detecting repackaged smartphone applications in third-party android marketplaces, ” in Proceedings of the Second ACM Conference on Data and Application Security and Privacy, ser. CODASPY'12. New York, NY, USA: ACM, 2012, pp. 317-326. [Online], Available: http://doi.acm.org/10.1145/2133601.2133640
38. X. Zhou, Y. Lee, N. Zhang, M. Naveed, and X. Wang, “The peril of fragmentation: Security hazards in android device driver customizations, ” in Proceedings of the 2014 IEEE Symposium on Security and Privacy, ser. SP'14. Washington, DC, USA: IEEE Computer Society, 2014, pp. 409^423. [Online], Available: http://dx.doi.org/10.1109/SP.2014.33
39. Y. Zhou and X. Jiang, “Dissecting android malware: Characterization and evolution, ” in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP'12. Washington, DC, USA: IEEE Computer Society, 2012, pp. 95-109. [Online], Available: http://dx.doi.org/10.1109/SP.2012.16
40. Y. Zhou and X. Jiang, “Detecting passive content leaks and pollution in android applications, ” in Proceedings of the 20th Network and Distributed System Security Symposium (NDSS), 2013.
41. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, “Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets, ” in Proceedings of the 19th Network and Distributed System Security Symposium (NDSS), 2012.