[en] Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. However, current techniques for identifying inter-application communication are ad hoc and do not scale to large numbers of ap-
plications. In this paper, we reduce the discovery of inter-component communication (ICC) in smartphones to an instance of the Interprocedural Distributive Environment (IDE) problem, and develop a sound static analysis technique targeted to the Android platform. We apply this analysis to 1,200 applications selected from the Play store and characterize the locations and substance of their ICC. Experiments show that full specifications for ICC can be identified for over 93% of ICC locations for the applications studied. Further the analysis scales well; analysis of each application took on average 113 seconds to complete. Epicc, the resulting tool, finds ICC
vulnerabilities with far fewer false positives than the next best tool. In this way, we develop a scalable vehicle to extend current security analysis to entire collections of applications as well as the interfaces they export.
Disciplines :
Computer science
Author, co-author :
Octeau, Damien
McDaniel, Patrick
Jha, Somesh
Bartel, Alexandre ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Bodden, Eric
Klein, Jacques ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Language :
English
Title :
Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis
Publication date :
2013
Event name :
USENIX Security 2013
Event date :
August 14-16 2013
Audience :
International
Main work title :
Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis
ARTHUR, C. Feature phones dwindle as android powers ahead in third quarter. The Guardian, Nov. 2012. Available at http://www.guardian.co.uk/technology/2012/nov/15/smartphones-market-android-feature-phones.
BARRERA, D., and KAYACIK., H. G., VAN OORSHOT, P. C., AND SOMAYAJI, A. A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android. In Proceedings of the ACM Conference on Computer and Communications Security (Oct. 2010).
BODDEN, E. Inter-procedural data-flow analysis with ifds/ide and soot. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis (2012). Available from http://sable.github.com/heros/.
BUGIEL, S., DAVI, L., DMITRIENKO, A., FISCHER, T., AND SADEGHI, A.-R. XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks. Tech. Rep. TR-2011-04, Technische Universitat Darmstadt, Germany, Apr. 2011.
BUGIEL, S., DAVI, L., DMITRIENKO, A., FISCHER, T., SADEGHI, A.-R., AND SHASTRY, B. Towards taming privilege-escalation attacks on Android. In Proceedings of the 19th Annual Network & Distributed System Security Symposium (Feb. 2012).
CHIN, E., and FELT., A. P., GREENWOOD, K., and WAGNER, D. Analyzing Inter-Application Communication in Android. In Proceedings of the 9th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys) (2011).
CHRISTENSEN, A. S., MØLLER, A., and SCHWARTZBACH, M. I. Precise analysis of string expressions. In Proc. 10th International Static Analysis Symposium (SAS) (June 2003), Vol. 2694 of LNCS, Springer-Verlag, pp. 1-18. Available from http://www.brics.dk/JSA/.
DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., and WINANDY, M. Privilege Escalation Attacks on Android. In Proc. of the 13th Information Security Conference (ISC) (Oct. 2010).
DIETZ, M., SHEKHAR, S., PISETSKY, Y., SHU, A., AND WALLACH, D. S. Quire: Lightweight Provenance for Smart Phone Operating Systems. In 20th USENIX Security Symposium (2011).
ENCK, W. Defending users against smartphone apps: Techniques and future directions. In ICISS (2011), pp. 49-70.
ENCK, W., GILBERT, P., CHUN, B.-G., and COX., L. P., JUNG, J., MCDANIEL, P., and SHETH, A. N. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proc. of the 9th USENIX Symp. on Operating Systems Design and Implementation (OSDI) (2010).
ENCK, W., OCTEAU, D., MCDANIEL, P., and CHAUDHURI, S. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium (August 2011).
ENCK, W., ONGTANG, M., and MCDANIEL, P. On Lightweight Mobile Phone Application Certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS) (Nov. 2009).
ENCK, W., ONGTANG, M., and MCDANIEL, P. Understanding Android Security. IEEE Security & Privacy Magazine 7, 1 (January/February 2009), 50-57.
FELT, A. P., CHIN, E., HANNA, S., SONG, D., and WAGNER, D. Android Permissions Demystified. In Proc. of the ACM Conf. on Computer and Communications Security (CCS) (2011).
FELT, A. P., GREENWOOD, K., and WAGNER, D. The Effectiveness of Application Permissions. In Proc. of the USENIX Conference on Web Application Development (WebApps) (2011).
FELT, A. P., and WANG., H. J., MOSHCHUK, A., HANNA, S., and CHIN, E. Permission Re-Delegation: Attacks and Defenses. In Proc. of the 20th USENIX Security Symp. (August 2011).
GILBERT, P., CHUN, B.-G., and COX., L. P., and JUNG, J. Vision: Automated Security Validation of Mobile Apps at App Markets. In Proceedings of the International Workshop on Mobile Cloud Computing and Services (MCS) (2011).
GRACE, M., ZHOU, Y., WANG, Z., and JIANG, X. Systematic Detection of Capability Leaks in Stock Android Smartphones. In NDSS '12 (2012).
GRACE, M. C., ZHOU, W., JIANG, X., and SADEGHI, A.-R. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (2012), WISEC '12, ACM.
HARDY, N. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988).
HORNYACK, P., HAN, S., JUNG, J., SCHECHTER, S., and WETHERALL, D. These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2011).
KIM, J., YOON, Y., and YI, K. Scandal: Static analyzer for detecting privacy leaks in android applications. In MoST 2012: Workshop on Mobile Security Technologies 2012 (2012).
LHOTÁK, O., AND HENDREN, L. Scaling java points-to analysis using spark. In Proceedings of the 12th international conference on Compiler construction (2003), CC'03, Springer-Verlag.
LU, L., LI, Z., WU, Z., LEE, W., and JIANG, G. Chex: statically vetting android apps for component hijacking vulnerabilities. In Proc. of the 2012 ACM conference on Computer and communications security (2012), CCS '12, ACM, pp. 229-240.
MCDANIEL, P., and ENCK, W. Not So Great Expectations: Why Application Markets Haven't Failed Security. IEEE Security & Privacy Magazine 8, 5 (September/October 2010), 76-78.
MLOT, S. Google's bouncer malware tool hacked. PC Magazine, June 2012. Available from http://www.pcmag.com/article2/0,2817,2405358,00.asp.
OCTEAU, D., ENCK, W., and MCDANIEL, P. The ded Decompiler. Tech. Rep. NAS-TR-0140-2010, Network and Security Research Center, Pennsylvania State University, USA, Sept. 2010. Available from http://siis.cse.psu.edu/ded/.
OCTEAU, D., JHA, S., and MCDANIEL, P. Retargeting android applications to java bytecode. In Proceedings of the 20th International Symposium on the Foundations of Software Engineering (November 2012). Available from http://siis.cse.psu.edu/dare/.
ONGTANG, M., MCLAUGHLIN, S., ENCK, W., and MC-DANIEL, P. Semantically Rich Application-Centric Security in Android. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC) (Dec. 2009), pp. 340-349.
ROSENBERG, J. Google play hits 25 billion downloads. Android - Official blog, Sept. 2012. Available at http://officialandroid.blogspot.com/2012/09/google-play-hits-25-billion-downloads.html.
SAGIV, M., REPS, T., and HORWITZ, S. Precise interprocedu-ral dataflow analysis with applications to constant propagation. Theor. Comput. Sci. 167, 1-2 (Oct. 1996), 131-170.
SECURITY, N. Malware controls 620, 000 phones, sends costly messages. Help Net Security, January 2013. Available from http://www.net-security.org/malware_news.php?id=2391.
VALLÉE-RAI, R., GAGNON, E., HENDREN, L. J., LAM, P., POMINVILLE, P., AND SUNDARESAN, V. Optimizing java bytecode using the soot framework: Is it feasible? In Proc. of the 9th International Conf. on Compiler Construction (2000), CC '00.
ZHENG, C., ZHU, S., DAI, S., GU, G., GONG, X., HAN, X., and ZOU, W. Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In Proceedings of the second ACM workshop on Security and privacy in smart-phones and mobile devices (2012), ACM, pp. 93-104.
ZHOU, Y., WANG, Z., ZHOU, W., and JIANG, X. Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In Proceedings of the Network and Distributed System Security Symposium (Feb. 2012).
