Understanding the Evolution of Android App Vulnerabilities

Gao, Jun; Li, Li; Kong, Pingfan; Bissyandé, Tegawendé F.; Klein, Jacques

doi:10.1109/tr.2019.2956690

Cited by 33 publications

(22 citation statements)

References 89 publications

(107 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Millions of applications are freely available for download by Android users. However, malware developers keep targeting the platform and trying to get their abusive applications into the Android ecosystem [28,32,44]. For example, 360 Security recently reported that over 500,000 new mobile malware variants targeting the Android platform were found in China in the first quarter of 2019 [65].…”

Section: Motivationmentioning

confidence: 99%

See 1 more Smart Citation

Taming Reflection

Sun

Bissyandé

et al. 2021

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

Android developers heavily use reflection in their apps for legitimate reasons. However, reflection is also significantly used for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls, which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are incomplete, given the measures taken by malware writers to elude static detection. We propose a new instrumentation-based approach to address this issue in a non-invasive way. Specifically, we introduce to the community a prototype tool called DroidRA, which reduces the resolution of reflective calls to a composite constant propagation problem and then leverages the COAL solver to infer the values of reflection targets. After that, it automatically instruments the app to replace reflective calls with their corresponding Java calls in a traditional paradigm. Our approach augments an app so that it can be more effectively statically analyzable, including by such static analyzers that are not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and we demonstrate that it can indeed infer the target values of reflective calls and subsequently allow state-of-the-art tools to provide more sound and complete analysis results.

show abstract

Section: Motivationmentioning

confidence: 99%

“…Also, as of early 2020, 1 out of every 1000 app installs from Google's official Play store is from a potentially harmful application, as shown in the recent Google Transparency Report. 1 These numbers demand practical and scalable approaches and tools to support security analysis of large sets of Android apps [28,32,54].…”

Section: Motivationmentioning

confidence: 99%

Taming Reflection

Sun

Bissyandé

et al. 2021

ACM Trans. Softw. Eng. Methodol.

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [13], we explained how we re-construct the versioned lineages of Android apps, by leveraging AndroZoo [5], a popular Android application repository made available to researchers. Then, we performed a large-scale investigation on how vulnerabilities evolve in Android apps.…”

Section: App Lineages To Perform Evolutionary Studiesmentioning

confidence: 99%

A Journey Through Android App Analysis: Solutions and Open Challenges

Klein¹

2021

Proceedings of the 2021 International Symposium on Advanced Security on Software and Systems

Self Cite

View full text Add to dashboard Cite

Users can today download a wide variety of apps ranging from simple toy games to sophisticated business-critical apps. They rely on these apps daily to perform diverse tasks, some of them related to sensitive information such as their finance or health. Ensuring high-quality, reliable, and secure apps is thus key. In the TruX research group of the interdisciplinary center for Security, Reliability, and Trust (SnT) of the University of Luxembourg, we are working for about 10 years to deliver practical techniques, tools, and other artifacts (such as repositories) making the analysis of Android apps possible. In this paper, we will briefly introduce our key contributions in both (1) Android app static analysis to detect security issues, and (2) Android Malware Detection with machine learning. We will conclude by listing several open challenges that we are currently facing towards improving the analysis and security of Android apps. CCS CONCEPTS• Security and privacy → Software security engineering; • Software and its engineering → Software verification and validation.

show abstract

“…To perform this experiment, we consider app lineages (i.e., different versions of apps over time). To that end, we consider a large lineage dataset proposed by Gao et al [37] based on the AndroZoo repository. Most of the lineages are spread over several years, but for each year, we consider only the latest apk version in that year for a given lineage.…”

Section: Rq2: Evolution Of Dici Usagesmentioning

confidence: 99%

“…The statistics of apks per year from the lineage dataset in the literature is listed in Table 4. Table 4: # APKs considered from the Lineage dataset [37] 2011 2012 2013 2014 2015 2016 2017 2018 3,950 6,252 13,191 23924 17,505 30,690 6,995 3,583 We run DICIDer on this dataset and compute the percentage of apks containing DICIs for each year. The result is presented in Figure 6.…”

Section: Rq2: Evolution Of Dici Usagesmentioning

confidence: 99%

Borrowing your enemy’s arrows: the case of code reuse in Android via direct inter-app code invocation

Gao

Kong

et al. 2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

Self Cite

View full text Add to dashboard Cite

The Android ecosystem offers different facilities to enable communication among app components and across apps to ensure that rich services can be composed through functionality reuse. At the heart of this system is the Inter-component communication (ICC) scheme, which has been largely studied in the literature. Less known in the community is another powerful mechanism that allows for direct inter-app code invocation which opens up for different reuse scenarios, both legitimate or malicious. This paper exposes the general workflow for this mechanism, which beyond ICCs, enables app developers to access and invoke functionalities (either entire Java classes, methods or object fields) implemented in other apps using official Android APIs. We experimentally showcase how this reuse mechanism can be leveraged to łplagiarize" supposedly-protected functionalities. Typically, we were able to leverage this mechanism to bypass security guards that a popular video broadcaster has placed for preventing access to its video database from outside its provided app. We further contribute with a static analysis toolkit, named DICIDer, for detecting direct inter-app code invocations in apps. An empirical analysis of the usage prevalence of this reuse mechanism is then conducted. Finally, we discuss the usage contexts as well as the implications of this studied reuse mechanism. CCS CONCEPTS • Security and privacy → Software security engineering.

show abstract

Understanding the Evolution of Android App Vulnerabilities

Cited by 33 publications

References 89 publications

Taming Reflection

Taming Reflection

A Journey Through Android App Analysis: Solutions and Open Challenges

Borrowing your enemy’s arrows: the case of code reuse in Android via direct inter-app code invocation

Contact Info

Product

Resources

About