A Study of Android Application Security

The fluidity of application markets complicate smartphone security. Although recent efforts have shed light on particular security issues, there remains little insight into broader security characteristics of smartphone applications. This paper seeks to better understand smartphone application security by studying 1,100 popular free Android applications. We introduce the ded decompiler, which recovers Android application source code directly from its installation image. We design and execute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. Our analysis uncovered pervasive use/misuse of personal/ phone identifiers, and deep penetration of advertising and analytics networks. However, we did not find evidence of malware or exploitable vulnerabilities in the studied applications. We conclude by considering the implications of these preliminary findings and offer directions for future analysis.

[1]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[2]  Jerzy Tiuryn,et al.  Type Inference Problems: A Survey , 1990, MFCS.

[3]  Todd A. Proebsting,et al.  Krakatoa: Decompilation in Java (Does Bytecode Reveal Source?) , 1997, COOTS.

[4]  Laurie J. Hendren,et al.  Optimizing Java Bytecode Using the Soot Framework: Is It Feasible? , 2000, CC.

[5]  Laurie J. Hendren,et al.  Decompiling Java using staged encapsulation , 2001, Proceedings Eighth Working Conference on Reverse Engineering.

[6]  Passagetm 60x,et al.  INSTALLATION INSTRUCTIONS , 2001 .

[7]  Laurie Hendren,et al.  Decompiling Java Bytecode: Problems, Traps and Pitfalls , 2002, CC.

[8]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[9]  David Hovemeyer,et al.  Finding bugs is easy , 2004, SIGP.

[10]  David A. Wagner,et al.  Model Checking One Million Lines of C Code , 2004, NDSS.

[11]  Wei Tu,et al.  Model checking an entire Linux distribution for security violations , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[12]  Benjamin Livshits,et al.  Finding Security Vulnerabilities in Java Applications with Static Analysis , 2005, USENIX Security Symposium.

[13]  Christopher Krügel,et al.  Behavior-based Spyware Detection , 2006, USENIX Security Symposium.

[14]  Heng Yin,et al.  Dynamic Spyware Analysis , 2007, USENIX Annual Technical Conference.

[15]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[16]  David Wetherall,et al.  Privacy oracle: a system for finding application leaks with black box differential testing , 2008, CCS.

[17]  Christopher J. Fox,et al.  Securing Java code: heuristics and an evaluation of static analysis tools , 2008, SAW '08.

[18]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[19]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[20]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[21]  Patrick D. McDaniel,et al.  Not So Great Expectations: Why Application Markets Haven't Failed Security , 2010, IEEE Security & Privacy.

[22]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[23]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[24]  Patrick D. McDaniel,et al.  Porscha: policy oriented secure content handling in Android , 2010, ACSAC '10.

[25]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[26]  Apu Kapadia,et al.  Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones , 2011, NDSS.