A Risk Estimation Mechanism for Android Apps based on Hybrid Analysis

Son, Ha Xuan; Carminati, Barbara; Ferrari, Elena

doi:10.1007/s41019-022-00189-1

Cited by 8 publications

(3 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The data leakage modelling is relatively coarse‐grained compared with the data‐flow analysis used in this work. Our work focusses on the sensitive data operated by cryptographic APIs, which are more specialised than the personal data of [38]. Taking the information from Table 1, we summarise the differences between related approaches in Table 12.…”

Section: Related Workmentioning

confidence: 99%

“…Compared with these cryptographic misuse detection approaches, our work aims at demonstrating the risk of dependency between cryptographic misuse and related data leakage. On the other hand, the general-purpose risk estimation approach [38] takes private data collection and sharing behaviours as the metrics to measure apps' risk. The data leakage modelling is relatively coarse-grained compared with the data-flow analysis used in this work.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

CryptoEval: Evaluating the risk of cryptographic misuses in Android apps with data‐flow analysis

Zeng

et al. 2023

IET Information Security

View full text Add to dashboard Cite

The misunderstanding and incorrect configurations of cryptographic primitives have exposed severe security vulnerabilities to attackers. Due to the pervasiveness and diversity of cryptographic misuses, a comprehensive and accurate understanding of how cryptographic misuses can undermine the security of an Android app is critical to the subsequent mitigation strategies but also challenging. Although various approaches have been proposed to detect cryptographic misuse in Android apps, studies have yet to focus on estimating the security risks of cryptographic misuse. To address this problem, the authors present an extensible framework for deciding the threat level of cryptographic misuse in Android apps. Firstly, the authors propose a general and unified specification for representing cryptographic misuses to make our framework extensible and develop adapters to unify the detection results of the state-of-the-art cryptographic misuse detectors, resulting in an adapter-based detection tool chain for a more comprehensive list of cryptographic misuses. Secondly, the authors employ a misuse-originating data-flow analysis to connect each cryptographic misuse to a set of data-flow sinks in an app, based on which the authors propose a quantitative data-flow-driven metric for assessing the overall risk of the app introduced by cryptographic misuses. To make the per-app assessment more useful for app vetting at the app-store level, the authors apply unsupervised learning to predict and classify the top risky threats to guide more efficient subsequent mitigation. In the experiments on an instantiated implementation of the framework, the authors evaluate the accuracy of our detection and the effect of data-flow-driven risk assessment of our framework. Our empirical study on over 40,000 apps, and the analysis of popular apps reveal important security observations on the real threats of cryptographic misuse in Android apps. K E Y W O R D SAndroid (operating system), application programme interfaces, learning (artificial intelligence), programme analysis, smart phones | INTRODUCTIONCryptographic algorithms and protocols are the indispensable building blocks for modern distributed computing systems and smartphone apps. Cryptographic primitives, implemented as cryptographic APIs in typical libraries, provide various functionalities such as keys/certificate management, encryption, decryption, digital signature, message digest, and utilisation of security protocols. Such cryptographic primitives have been reported vulnerable to many attacks and misused seriously on different platforms [1][2][3][4].Previous detection approaches of cryptographic misuses fall into three categories: static analysis [2, 5-9], dynamic analysis [10], or a combination of both [3,11]. In general, static

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

CryptoEval: Evaluating the risk of cryptographic misuses in Android apps with data‐flow analysis

Zeng

et al. 2023

IET Information Security

View full text Add to dashboard Cite

show abstract

“…The two graphs are then compared to determine the set of dangerous APIs. Son et al [19,20] leverages on app's static analysis to model an app's behavior w.r.t data collection, on the basis of APIs, classes, functions, and constants usage. They measure an app's risk level by quantifying how much the app's behaviour diverges from the behavior of the majority of the apps in the same category.…”

Section: Related Workmentioning

confidence: 99%

PriApp-Install: Learning User Privacy Preferences on Mobile Apps’ Installation

Son

Carminati

Ferrari

2022

Information Security Practice and Experience

Self Cite

View full text Add to dashboard Cite

It is undeniable that smartphones play a vital role in our lives, as their applications (called apps) can be used to access a variety of services anytime and anywhere. Despite the benefits provided by mobile apps, there are risks connected to the release of personal and sensitive data. Understanding the potential privacy risks of installing an app based on its description or privacy policy could be challenging, especially for non-skilled users. In this paper, to assist users in their app selection process, we propose PriApp-Install, a privacy-aware app installation recommendation system. It leverages semi-supervised learning to learn individual privacy preferences w.r.t mobile app installation. Learning is done based on a rich set of features modeling both the app behavior w.r.t. personal data consumption and the benefits a user can get in installing the app. We have tested four different learning strategies on a real dataset by exploiting three participant groups: security and privacy experts, IT workers, and crowd workers. The obtained results show the effectiveness of our proposal.

show abstract