论文信息 - The Transitivity-of-Trust Problem in Android Application Interaction

The Transitivity-of-Trust Problem in Android Application Interaction

Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for end users, while data may still leave the mobile phone through other applications. Instead, the information flow needs to be policed for the composite system of applications in a transparent manner. In this paper, we propose to employ static analysis, based on the software architecture and focused on data-flow analysis, to detect information flows between components. Specifically, we aim to reveal transitivity-of-trust problems in multi-component mobile platforms. We demonstrate the feasibility of our approach with two Android applications.

Karsten Sohr | Steffen Bartsch | Michaela Bunke | Bernhard J. Berger

[1] Byung-Gon Chun,et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[2] Laurie Hendren,et al. Soot: a Java bytecode optimization framework , 2010, CASCON.

[3] David W. Binkley,et al. Interprocedural slicing using dependence graphs , 1990, TOPL.

[4] Steve Hanna,et al. Android permissions demystified , 2011, CCS '11.

[5] Swarat Chaudhuri,et al. A Study of Android Application Security , 2011, USENIX Security Symposium.

[6] Karsten Sohr,et al. Idea: Towards Architecture-Centric Security Analysis of Software , 2010, ESSoS.

[7] Jacob West,et al. Secure Programming with Static Analysis , 2007 .

[8] Patrick D. McDaniel,et al. Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[9] Yajin Zhou,et al. Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[10] Ondrej Lhoták,et al. Program analysis using binary decision diagrams , 2006 .