Presented by: Tom Staley

Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations Malware attacks have been found targeting smartphones

TaintDroid Previous attempt by presenters to address security problems Tracks sensitive data as it flows between apps Raises an alert when sensitive data is transmitted off the phone Leaks are only found after the data has been lost

Current Security Methods Unlike PCs, the app market is highly centralized Scan apps as they join the market Currently applied manually, if at all Some banned behavior still slips through the cracks

Proposed Solution AppInspector Service run by market providers or by a third-party Uses multiple virtual smartphones to run instances of apps before they reach the market Entire process is automated to ensure thorough testing

Challenges Three challenges with AppInspector How to track and log data How to determine security violations using the logs How to ensure all branches of code are covered

AppInspector Components Four main components Input generator Execution explorer Information flow tracker Security analyzer

Types of violations Security violation - when an app accesses data without permissions to do so Privacy violation – when an app discloses information without prompting the user AppInspector focuses on privacy violations

Tracking Data Log data about explicit and implicit data flows Various actions also logged, like methods that access disk memory or device sensors Action logging has to be limited to reduce overhead

Data Flows Explicit data flow – following data through use of data dependencies Attach a “label” to data as it leaves the source of the data Track the label through the program until it reaches a “sink” Implicit data flow – when sensitive information can be found by looking at control flow if (w == 0) x = y; else z = y; If w is privacy-sensitive, looking at values of x and z can determine if w == 0;

Violation Detection Two methods to detect privacy violations When sensitive data is disclosed: Use data dependency graph to trace sensitive data back to source Check for user notifications or search license agreements for permissions

Input Generation App are event-driven Two types of events: UI inputs Callback triggers from device sensors These inputs can be randomly generated to test apps

Concrete Execution Randomly generating input is known as Concrete Execution Developers tested this approach on 9 apps Fed constant stream of input for 30 minutes 40% or lower code coverage found

Symbolic Execution Another type of input testing known as symbolic testing Systematically tests all possible execution paths Highly inefficient

Concolic Execution Mix of concrete and symbolic execution Run symbolic execution on main application code All other code (code libraries, system code, etc.) tested with concrete execution Switch between the two methods as required during testing

Conclusion The app market is at risk for security and privacy violations AppInspector developed to scan apps before they reach marketplace Uses concolic execution to generate input Tracks sensitive data as it propagates through app Uses logs to determine if privacy violation has occurred

Bibliography Peter Gilbert, "Vision: Automated Security Validation of Mobile Apps at App Markets", MCS’11, June 28, 2011, Bethesda, Maryland, USA.