[en] The incompleteness of 3rd-party app testing is an accepted fact in Software Engineering. This issue makes it impossible to verify the app functionality and to confirm its safety to the end-user. To solve this problem, enterprises developed strict policies. A company, willing to use modern apps, may perform an expensive security analysis, rely on trust or forbid the app. These strategies may lead companies to high direct and indirect spending with no guarantee of safety.
In this work, we present a novel approach, called Dynamic Binary Shrinking, that allows a user to review app functionality and leave only tested code. The shrunk app produces 100% instruction coverage on observed behaviors and in this way guarantees the absence of unexplored, and therefore, potentially malicious code.
On our running examples, we demonstrate that apps use less than 20% of the codebase. We developed an approach and the ACVCut tool to shrink Android apps towards the executed code.
Repository — http://github.com/pilgun/acvcut.
Disciplines :
Sciences informatiques
Auteur, co-auteur :
PILGUN, Aleksandr ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > PI Mauw
Co-auteurs externes :
no
Langue du document :
Anglais
Titre :
Don't Trust Me, Test Me: 100% Code Coverage for a 3rd-party Android App
Google. (2020) Google play protect. [Online]. Available: https://www. android. com/play-protect/
K. Tam, A. Feizollah, N. B. Anuar, R. Salleh, and L. Cavallaro, "The evolution of android malware and android analysis techniques, " ACM Computing Surveys (CSUR), vol. 49, no. 4, pp. 1-41, 2017.
Y. Fratantonio, A. Bianchi, W. Robertson, E. Kirda, C. Kruegel, and G. Vigna, "Triggerscope: Towards detecting logic bombs in android applications, " in 2016 IEEE symposium on security and privacy (SP). IEEE, 2016, pp. 377-396.
Google. (2020) Mobile device management system for android enterprise. [Online]. Available: https://www. android. com/enterprise/management/
M. Linares-Vásquez, G. Bavota, and C. Escobar-Velásquez, "An empirical study on android-related vulnerabilities, " in 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR). IEEE, 2017, pp. 2-13.
S. Dashevskyi, Y. Zhauniarovich, O. Gadyatskaya, A. Pilgun, and H. Ouhssain, "Dissecting android cryptocurrency miners, " in Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, 2020, pp. 191-202.
L. Li, T. F. Bissyandé, M. Papadakis, S. Rasthofer, A. Bartel, D. Octeau, J. Klein, and L. Traon, "Static analysis of android apps: A systematic literature review, " Information and Software Technology, vol. 88, pp. 67-95, 2017.
P. Kong, L. Li, J. Gao, K. Liu, T. F. Bissyandé, and J. Klein, "Automated testing of android apps: A systematic literature review, " IEEE Transactions on Reliability, vol. 68, no. 1, pp. 45-66, 2018.
K. Jamrozik and A. Zeller, "Droidmate: a robust and extensible test generator for android, " in Proceedings of the International Conference on Mobile Software Engineering and Systems, 2016, pp. 293-294.
L. Bao, T.-D. B. Le, and D. Lo, "Mining sandboxes: Are we there yet?" in 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 2018, pp. 445-455.
T.-D. B. Le, L. Bao, D. Lo, D. Gao, and L. Li, "Towards mining comprehensive android sandboxes, " in 2018 23rd International conference on engineering of complex computer systems (ICECCS). IEEE, 2018, pp. 51-60.
Y. Zhauniarovich and O. Gadyatskaya, "Small changes, big changes: An updated view on the android permission system, " in Research in Attacks, Intrusions, and Defenses, F. Monrose, M. Dacier, G. Blanc, and J. Garcia-Alfaro, Eds. Cham: Springer International Publishing, 2016, pp. 346-367.
A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus, "Automatically securing permission-based software by reducing the attack surface: An application to android, " in 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering. IEEE, 2012, pp. 274-277.
K. Jamrozik, P. von Styp-Rekowsky, and A. Zeller, "Mining sandboxes, " in Proceedings of the 38th International Conference on Software Engineering, 2016, pp. 37-48.
Y. Jiang, C. Zhang, D. Wu, and P. Liu, "Feature-based software customization: Preliminary analysis, formalization, and methods, " in 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE). IEEE, 2016, pp. 122-131.
Y. Jiang, D. Wu, and P. Liu, "Jred: Program customization and bloatware mitigation based on static analysis, " in 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), vol. 1, 2016, pp. 12-21.
Y. Jiang, Q. Bao, S. Wang, X. Liu, and D. Wu, "Reddroid: Android application redundancy customization based on static analysis, " in 2018 IEEE 29th International Symposium on Software Reliability Engineering (ISSRE). IEEE, 2018, pp. 189-199.
K. Heo, W. Lee, P. Pashakhanloo, and M. Naik, "Effective program debloating via reinforcement learning, " in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '18. New York, NY, USA: Association for Computing Machinery, 2018, p. 380-394. [Online]. Available: https://doi. org/10. 1145/3243734. 3243838
I. Agadakos, D. Jin, D. Williams-King, V. P. Kemerlis, and G. Portokalidis, "Nibbler: Debloating binary shared libraries, " in Proceedings of the 35th Annual Computer Security Applications Conference, ser. ACSAC '19. New York, NY, USA: Association for Computing Machinery, 2019, p. 70-83. [Online]. Available: https://doi. org/10. 1145/3359789. 3359823
B. A. Azad, P. Laperdrix, and N. Nikiforakis, "Less is more: quantifying the security benefits of debloating web applications, " in 28th {USENIX} Security Symposium ({USENIX} Security 19), 2019, pp. 1697-1714.
C. Qian, H. Hu, M. Alharthi, P. H. Chung, T. Kim, and W. Lee, "{RAZOR}: A framework for post-deployment software debloating, " in 28th {USENIX} Security Symposium ({USENIX} Security 19), 2019, pp. 1733-1750.
L. Onwuzurike, M. Almeida, E. Mariconti, J. Blackburn, G. Stringhini, and E. De Cristofaro, "A family of droids-android malware detection via behavioral modeling: Static vs dynamic analysis, " in 2018 16th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2018, pp. 1-10.
R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan, "Soot: A java bytecode optimization framework, " in CASCON First Decade High Impact Papers, ser. CASCON '10. USA: IBM Corp., 2010, pp. 214-224. [Online]. Available: https://doi. org/10. 1145/1925805. 1925818
N. P. Borges Jr, J. Hotzkow, and A. Zeller, "Droidmate-2: a platform for android test generation, " in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, 2018, pp. 916-919.
Y. Li, Z. Yang, Y. Guo, and X. Chen, "Droidbot: a lightweight ui-guided test input generator for android, " in 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), May 2017, pp. 23-26.
J. Rabe. (2016) Timebomb: Stops app usage after a period of time has passed starting from app build date. [Online]. Available: https://github. com/kibotu/TimeBomb
Google. (2020) Shrink, obfuscate, and optimize your app. [Online]. Available: https://developer. android. com/studio/build/shrink-code
A. Pilgun, O. Gadyatskaya, S. Dashevskyi, Y. Zhauniarovich, and A. Kushniarou, "An effective android code coverage tool, " in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 2189-2191.
A. Pilgun, O. Gadyatskaya, Y. Zhauniarovich, S. Dashevskyi, A. Kushniarou, and S. Mauw, "Fine-grained code coverage measurement in automated black-box android testing, " ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 29, no. 4, pp. 1-35, 2020.
I. Google. (2020) WebView: A View that displays web pages. [Online]. Available: https://developer. android. com/reference/android/webkit/WebView
T. O. Foundation. (2020) Mobile security testing guide. android antireversing defenses. [Online]. Available: https://mobile-security. gitbook. io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering
K. Cooper and L. Torczon, Engineering a compiler. Elsevier, 2011.
M. D. Brown and S. Pande, "Carve: Practical security-focused software debloating using simple feature set mappings, " in Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation, 2019, pp. 1-7.
J. Landsborough, S. Harding, and S. Fugate, "Removing the kitchen sink from software, " in Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, 2015, pp. 833-838.
