Symbolic Path Tracing to Find Android Permission-Use Triggers

Understanding whether Android apps are safe requires, among other things, knowing what dynamically triggers an app to use its permissions, and under what conditions. For example, an app might access contacts after a button click, but only if a certain setting is enabled. Automatically inferring such conditional trigger information is difficult because Android is callback-oriented and reasoning about conditions requires analysis of program paths. To address these issues, we introduce Hogarth, an Android app analysis tool that constructs trigger diagrams, which show, post hoc, what sequence of callbacks, under what conditions, led to a permission use observed at run time. Hogarth works by instrumenting apps to produce a trace of relevant events. Then, given a trace, it performs symbolic path tracing—symbolic execution restricted to path segments from that trace—to infer path conditions at key program locations, and path splicing to combine the per-segment information into a trigger diagram. We validated Hogarth by showing its results match those of a manual reverse-engineering effort on five small apps. Then, in a case study, we applied Hogarth to 12 top apps from Google Play. We found that Hogarth provided more precise information about triggers than prior related work, and was able successfully generate a trigger diagram for all but one permission use in our case study. Hogarth’s performance was generally good, taking at most a few minutes on most of our subject apps. In sum, Hogarth provides a new approach to discovering conditional trigger information for permission uses on Android.

[1]  Christopher Krügel,et al.  TriggerScope: Towards Detecting Logic Bombs in Android Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[2]  Dawson R. Engler,et al.  EXE: Automatically Generating Inputs of Death , 2008, TSEC.

[3]  Mu Zhang,et al.  Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs , 2014, CCS.

[4]  Irina Shklovski,et al.  Leakiness and creepiness in app space: perceptions of privacy and mobile app use , 2014, CHI.

[5]  Daniel Votipka,et al.  User Interactions and Permission Use on Android , 2017, CHI.

[6]  Michael Pradel,et al.  Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE).

[7]  Wei You,et al.  Mass Discovery of Android Traffic Imprints through Instantiated Partial Execution , 2017, CCS.

[8]  David Lie,et al.  IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware , 2016, NDSS.

[9]  Sam Blackshear,et al.  Selective control-flow abstraction via jumping , 2015, OOPSLA.

[10]  Guofei Gu,et al.  SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications , 2012, SPSM '12.

[11]  Yan Wang,et al.  Static Control-Flow Analysis of User-Driven Callbacks in Android Applications , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[12]  Barbara G. Ryder,et al.  User-Centric Dependence Analysis For Identifying Malicious Mobile Apps , 2012 .

[13]  Dawn Xiaodong Song,et al.  Contextual Policy Enforcement in Android Applications with Permission Event Graphs , 2013, NDSS.

[14]  Harold Abelson,et al.  No technical understanding required: helping users make informed choices about access to their personal data , 2014, MobiQuitous.

[15]  Todd D. Millstein,et al.  Dr. Android and Mr. Hide: fine-grained permissions in android applications , 2012, SPSM '12.

[16]  David A. Wagner,et al.  When it's better to ask forgiveness than get permission: attribution mechanisms for smartphone resources , 2013, SOUPS.

[17]  Christopher Krügel,et al.  EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework , 2015, NDSS.

[18]  Yuan Zhang,et al.  AppIntent: analyzing sensitive data transmission in android for privacy leakage detection , 2013, CCS.

[19]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[20]  Lorrie Faith Cranor,et al.  "Little brothers watching you": raising awareness of data leaks on smartphones , 2013, SOUPS.

[21]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[22]  David W. Binkley,et al.  Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[23]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[24]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[25]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[26]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[27]  Tao Xie,et al.  AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[28]  Gail E. Kaiser,et al.  Phosphor: illuminating dynamic data flow in commodity jvms , 2014, OOPSLA.

[29]  Joseph Robert Horgan,et al.  Dynamic program slicing , 1990, PLDI '90.