Shifting to Mobile: Network-Based Empirical Study of Mobile Vulnerability Market

With the increasing popularity of, and the considerable economic benefit from, vulnerability exploitation, it is important to study vulnerabilities in the mobile ecosystem. Beyond traditional technical solutions such as developing techniques to identify potential vulnerabilities, discovering widely available exploits and protecting consumers from attacks, constructing a vulnerability market, a marketplace for vulnerability discovery, disclosure and exploitation, has been considered an effective approach. Understanding the mechanism of the vulnerability market, so that it can be optimized further, is therefore attracting attention from both academia and industry. Since the mobile ecosystem plays an increasingly important role in daily life, this paper aims to understand the evolution of the mobile vulnerability market in a data-driven way, with the goal of identifying important issues for further research. Specifically, a five-layer heterogeneous network, consisting of software vendors, products, publicly disclosed vulnerabilities, hunters, organizations and the relations among them, is established to formally represent the evolution of the mobile vulnerability market. Based on data collected from a variety of sources, including NVD, OSVDB, BID and vendor advisories, a comprehensive empirical analysis is reported, focusing on the growth of the mobile vulnerability market as well as the interactions between mobile and PC platforms. Finally, suggestions drawn from the observations are discussed for further security enhancement, including security evaluation of reused code, data-leak protection and permission-overuse identification, understanding hunters' strategies and behavior, information sharing and external workforce hiring, as well as cross-platform vulnerability hunting.
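The five-layer heterogeneous network described above is a small, well-defined data structure, so here is an added example (not code from the paper) that builds it from advisory-style records and runs two of the analyses the abstract names: market growth per year per platform, and mobile/PC interaction in the form of hunters and vulnerabilities that span both platforms. The records, vendor and product names, hunter handles and vulnerability identifiers are all constructed placeholders, not NVD, OSVDB or BID data, and the record fields are an assumed simplified schema.

```python
from collections import defaultdict

# Constructed sample records in a simplified advisory-entry shape (NOT real NVD/OSVDB/BID data).
# A vulnerability id appearing twice means one flaw affects two products (shared code).
SAMPLE_RECORDS = [
    {"id": "VULN-0001", "year": 2013, "vendor": "VendorA", "product": "PhoneOS",
     "platform": "mobile", "hunter": "alice", "org": "LabX"},
    {"id": "VULN-0002", "year": 2014, "vendor": "VendorA", "product": "PhoneOS",
     "platform": "mobile", "hunter": "bob", "org": "LabY"},
    {"id": "VULN-0003", "year": 2014, "vendor": "VendorB", "product": "DesktopOS",
     "platform": "pc", "hunter": "alice", "org": "LabX"},
    {"id": "VULN-0004", "year": 2015, "vendor": "VendorC", "product": "MediaLib",
     "platform": "mobile", "hunter": "carol", "org": None},
    {"id": "VULN-0004", "year": 2015, "vendor": "VendorC", "product": "MediaLib-Desktop",
     "platform": "pc", "hunter": "carol", "org": None},
    {"id": "VULN-0005", "year": 2015, "vendor": "VendorA", "product": "PhoneOS",
     "platform": "mobile", "hunter": "bob", "org": "LabY"},
]

LAYERS = ("vendor", "product", "vulnerability", "hunter", "organization")


def build_network(records):
    """Build the five-layer heterogeneous network: node sets per layer plus typed edge sets."""
    net = {
        "layers": {layer: set() for layer in LAYERS},
        "edges": {"produces": set(),    # vendor  -> product
                  "affects": set(),     # product -> vulnerability
                  "discovered": set(),  # hunter  -> vulnerability
                  "affiliated": set()}, # hunter  -> organization
        "platform": {},  # product -> "mobile" | "pc"
        "year": {},      # vulnerability -> disclosure year
    }
    for r in records:
        net["layers"]["vendor"].add(r["vendor"])
        net["layers"]["product"].add(r["product"])
        net["layers"]["vulnerability"].add(r["id"])
        net["layers"]["hunter"].add(r["hunter"])
        net["edges"]["produces"].add((r["vendor"], r["product"]))
        net["edges"]["affects"].add((r["product"], r["id"]))
        net["edges"]["discovered"].add((r["hunter"], r["id"]))
        if r["org"] is not None:  # independent hunters have no organization edge
            net["layers"]["organization"].add(r["org"])
            net["edges"]["affiliated"].add((r["hunter"], r["org"]))
        net["platform"][r["product"]] = r["platform"]
        net["year"][r["id"]] = r["year"]
    return net


def platforms_of_vuln(net, vuln):
    """Set of platforms whose products are affected by the given vulnerability."""
    return {net["platform"][p] for p, v in net["edges"]["affects"] if v == vuln}


def vulns_per_year(net, platform):
    """Market growth: number of distinct vulnerabilities disclosed per year on one platform."""
    per_year = defaultdict(set)
    for vuln in net["layers"]["vulnerability"]:
        if platform in platforms_of_vuln(net, vuln):
            per_year[net["year"][vuln]].add(vuln)
    return {year: len(vulns) for year, vulns in sorted(per_year.items())}


def cross_platform_hunters(net):
    """Hunters who have disclosed vulnerabilities on both mobile and PC products."""
    seen = defaultdict(set)
    for hunter, vuln in net["edges"]["discovered"]:
        seen[hunter] |= platforms_of_vuln(net, vuln)
    return {h for h, plats in seen.items() if {"mobile", "pc"} <= plats}


def cross_platform_vulns(net):
    """Vulnerabilities affecting products on both platforms: a signal of reused code."""
    return {v for v in net["layers"]["vulnerability"]
            if {"mobile", "pc"} <= platforms_of_vuln(net, v)}


if __name__ == "__main__":
    net = build_network(SAMPLE_RECORDS)
    print("mobile per year:", vulns_per_year(net, "mobile"))
    print("pc per year:", vulns_per_year(net, "pc"))
    print("cross-platform hunters:", cross_platform_hunters(net))
    print("cross-platform vulnerabilities:", cross_platform_vulns(net))
```

Each analysis is a traversal over typed edges rather than a flat table query, which is the point of the layered representation: the same edge sets answer growth questions (product to vulnerability, by year), hunter-behavior questions (hunter to vulnerability to product platform) and code-reuse questions (one vulnerability reached from products on two platforms) without reshaping the data.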
