Taking Android app vetting to the next level with path-sensitive value analysis

Application vetting at app stores and market places is the first line of defense to protect mobile end-users from malware, spyware, and immoderately curious apps. However, the lack of a highly precise yet large-scaling static analysis has forced market operators to resort to less reliable and only small-scaling dynamic or even manual analysis techniques. In this paper, we present Bati, an analysis framework specifically tailored to perform highly precise static analysis of Android apps. Building on established static analysis frameworks for Java, we solve two important challenges to reach this goal: First, we extend this groundwork with an Android application lifecycle model that includes the asynchronous communication of multi-threading. Second, we introduce a novel value analysis algorithm that builds on control-flow ordered backwards slicing and techniques from partial and symbolic evaluation. As a result, Bati is the first context-, flow-, object-, and path-sensitive analysis framework for Android apps and improves the status quo for static analysis on Android. In particular, we empirically demonstrate the benefits of Bati in dissecting Android malware by statically detecting behavior that previously required manual reverse engineering. Noticeably, in contrast to the common conjecture about path-sensitive analyses, our evaluation of 19,700 apps from Google Play shows that highly precise path-sensitive value analysis of Android apps is possible in a reasonable amount of time and is hence amenable to large-scale vetting processes.
