Towards Understanding and Reasoning About Android Interoperations

Bae, Sora; Lee, Sungho; Ryu, Sukyoung

doi:10.1109/icse.2019.00038

Cited by 12 publications

(6 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…al. [33] will be unsound. The unsoundness stems from the analyses' limitation to analyze the described callback communication methods, thus only supporting one-way communication from Android to JavaScript.…”

Section: Case Study: Information Flow From Javascript Tomentioning

confidence: 99%

“…Although evaluateJavascript is meant to only evaluate the passed JavaScript expression, it is also possible to mimic the functionality of loadUrl by manipulating DOM properties. Again, this makes the existing analyses [8,33] unsound. A more precise and sound analysis has to also consider the data-flow between Android and evaluateJavascript.…”

Section: Case Study -Liquidpaymentioning

confidence: 99%

“…Bae [33] formalized the semantics of the android interoperations between Java and JavaScript. Their approach proposed a type-system based error detection for MethodNotFound errors.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

A Large Scale Analysis of Android-Web Hybridization

Tiwari¹,

Prakash²,

Groß³

et al. 2020

Preprint

View full text Add to dashboard Cite

Many Android applications embed webpages via WebView components and execute JavaScript code within Android. Hybrid applications leverage dedicated APIs to load a resource and render it in a WebView. Furthermore, Android objects can be shared with the JavaScript world. However, bridging the interfaces of the Android and JavaScript world might also incur severe security threats: Potentially untrusted webpages and their JavaScript might interfere with the Android environment and its access to native features.No general analysis is currently available to assess the implications of such hybrid apps bridging the two worlds. To understand the semantics and effects of hybrid apps, we perform a large-scale study on the usage of the hybridization APIs in the wild. We analyze and categorize the parameters to hybridization APIs for 7,500 randomly selected and the 196 most popular applications from the Google Playstore as well as 1000 malware samples. Our results advance the general understanding of hybrid applications, as well as implications for potential program analyses, and the current security situation: We discovered thousands of flows of sensitive data from Android to JavaScript, the vast majority of which could flow to potentially untrustworthy code. Our analysis identified numerous web pages embedding vulnerabilities, which we exemplarily exploited. Additionally, we discovered a multitude of applications in which potentially untrusted JavaScript code may interfere with (trusted) Android objects, both in benign and malign applications.

show abstract

Section: Case Study: Information Flow From Javascript Tomentioning

confidence: 99%

Section: Case Study -Liquidpaymentioning

confidence: 99%

See 1 more Smart Citation

A Large Scale Analysis of Android-Web Hybridization

Tiwari¹,

Prakash²,

Groß³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…HybriDroid, 40 implemented on top of WALA, 41 analyzes Java and JavaScript code seamlessly to detect programmer errors on interoperations and track data leakages across language boundaries. Bae et al 42 tackled the expensive analysis of HybriDroid and proposed a lightweight type system detecting the same kinds of programmer errors in Android hybrid apps. Jin et al 43 proposed static detection of code injection attacks from JavaScript to Java.…”

Section: Related Workmentioning

confidence: 99%

Declarative static analysis for multilingual programs using CodeQL

2023

Self Cite

View full text Add to dashboard Cite

Summary Declarative static program analysis has become one of the widely‐used program analysis techniques. Declarative static analyzers perform three steps: creating databases of facts from program source code, evaluating rules to generate new facts, and running queries over facts to extract all information related to specific properties via query systems. Declarative static analyzers can easily target diverse programming languages by modifying only databases and rules for new languages. Because query systems are independent of programming languages, they are reusable for new languages. However, even when declarative analyzers support multiple programming languages they do not currently support the analysis of multilingual programs written in two or more programming languages. We propose a systematic methodology that extends a declarative static analyzer supporting multiple languages to support multilingual programs as well. The main idea is to reuse existing components of the analyzer. Our approach first generates a merged database of facts, consisting of multiple logical language spaces. It allows existing language‐specific rules to derive new facts for the corresponding language from the facts in the corresponding language space. Then, it defines language‐interoperation rules that handle the language interoperation semantics. Finally, it uses the same query system to get analysis results leveraging the language interoperation semantics. We develop a proof‐of‐concept declarative static analyzer for multilingual programs by extending CodeQL, which can track dataflows across language boundaries. Our evaluation shows that the analyzer successfully tracks dataflows across Java‐C and Python‐C language boundaries and detects genuine interoperation bugs in real‐world multilingual programs.

show abstract

“…Shen et al [40] proposed a behavior detection method based on function and process algebra for the detection of privilege escalation attacks in Android Apps. To describe the interactions between Apps, [41] proposed a formal interoperability semantic to help understand and infer Android interoperations. In [42], a methodology based on formal methods was proposed to help understand and identify obfuscation codes.…”

Section: Related Workmentioning

confidence: 99%

A Formal Method for Description and Decision of Android Apps Behavior Based on Process Algebra

et al. 2022

View full text Add to dashboard Cite

Android is the most popular mobile platform, and it has become a primary malware target. Existing behavior-based Android malware detection methods suffer from false positive and false negative problems, which lead to low detection accuracy. Formal theory is crucial in studying the behaviors of Android applications characterized by high concurrency, interaction, and mobility. However, existing formal methods mainly focus on specific issues and lack the essential abstraction and high-level description of application behavior. In this study, we propose a formal method for the description and decision of application behavior based on process algebra. First, we propose a formal method for describing application behavior at a component level using process algebra. By extending π-calculus theory, we establish the mapping relationship from the Android application to process algebra, and present the semantics and evolution rules of behavior based on process algebra. Second, we describe the behavior of four types of components in applications and characterize concurrent interactions of components using process algebra expressions. Third, we define the behavior equivalence and simulation mechanism for application behavior analysis and propose the decision rules based on weak simulation. Finally, we discuss a demonstration case, which includes malicious behavior, to demonstrate the feasibility and effectiveness of the proposed method. The results show that our method can accurately describe and analyze application behavior, which provides theoretical support for technologies and methods of behavior-based detection.

show abstract

Towards Understanding and Reasoning About Android Interoperations

Cited by 12 publications

References 12 publications

A Large Scale Analysis of Android-Web Hybridization

A Large Scale Analysis of Android-Web Hybridization

Declarative static analysis for multilingual programs using CodeQL

A Formal Method for Description and Decision of Android Apps Behavior Based on Process Algebra

Contact Info

Product

Resources

About