Covert Communication in Mobile Applications (T)

This paper studies communication patterns in mobile applications. Our analysis shows that 63% of the external communication made by top-popular free Android applications from Google Play has no effect on the user-observable application functionality. To detect such covert communication in an efficient manner, we propose a highly precise and scalable static analysis technique: it achieves 93% precision and 61% recall compared to the empirically determined "ground truth", and runs in a matter of a few minutes. Furthermore, according to human evaluators, in 42 out of 47 cases, disabling connections deemed covert by our analysis leaves the delivered application experience either completely intact or with only insignificant interference. We conclude that our technique is effective for identifying and disabling covert communication. We then use it to investigate communication patterns in the 500 top-popular applications from Google Play.
