Automated Execution Control and Dynamic Behavior Monitoring for Android (TM) Applications

We explore techniques for eliciting a behavioral description from an Android smartphone app in a controlled manner. A description of app behavior is useful for performing subsequent analysis such as model checking, for example to verify the app satisfies a set of desirable security properties. Our solution is to dynamically execute the app in a customized version of the Android SDK emulator, which provides many of an app's inputs as responses to invoked API calls. A more focused set of input values computed offline are then injected to the app via hooks introduced into the Android API implementation. To dynamically monitor app behavior, we instrument the app bytecode to record control and data flows during execution. We also instrument the Android API to record all of the app's inputs and outputs. We have used this technique on the DARPA Automated Program Analysis for Cybersecurity (APAC) program to reveal hidden, triggerable attacks in independently developed challenge apps. Our framework for extracting app behavior is part of Droid Reasoning, Analysis, and Protection Engine (DRAPE), an integrated, semi-automated app behavior analysis system capable of discovering hidden malware in Android apps.

[1]  R. Cathey,et al.  Behavior Analysis via Execution Path Clustering , 2013 .

[2]  Chao Liu,et al.  Mining past-time temporal rules from execution traces , 2008, WODA '08.

[3]  Dawn Xiaodong Song,et al.  Contextual Policy Enforcement in Android Applications with Permission Event Graphs , 2013, NDSS.

[4]  Mayur Naik,et al.  Dynodroid: an input generation system for Android apps , 2013, ESEC/FSE 2013.

[5]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[6]  Adam Kiezun,et al.  jFuzz: A Concolic Whitebox Fuzzer for Java , 2009, NASA Formal Methods.

[7]  Michael Weber,et al.  Behavior Analysis via Execution Path Clusters , 2013, MILCOM 2013 - 2013 IEEE Military Communications Conference.

[8]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[9]  Hongseok Yang,et al.  Automated concolic testing of smartphone apps , 2012, SIGSOFT FSE.

[10]  Daniel Le Métayer,et al.  Model Checking Security Properties of Control Flow Graphs , 2001, J. Comput. Secur..

[11]  Jeffrey S. Foster,et al.  SymDroid: Symbolic Execution for Dalvik Bytecode , 2012 .

[12]  Grigore Rosu,et al.  Testing Linear Temporal Logic Formulae on Finite Execution Traces , 2001 .

[13]  Insik Shin,et al.  Mobile code security by Java bytecode instrumentation , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[14]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[15]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[16]  Jacques Klein,et al.  Improving Privacy on Android Smartphones Through In-Vivo Bytecode Instrumentation , 2012, ArXiv.