
More Security and Programming Language Work on SmartPhones


1 More Security and Programming Language Work on SmartPhones
Karthik Dantu and Steve Ko

2 Epicc
Octeau et al., “Effective Inter-Component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis”
Static analysis for detecting Intent send calls and receive calls

3 Background on Intent
Intent is a message data type
A sender can send an Intent with action, category, and data. This can optionally be targeted to a specific class.
A static receiver declares its Intent receiving capability in its manifest file.
A dynamic receiver can register at runtime.

4 Why Analyze Intents?
Using Intent is a primary mechanism for inter-component and inter-app communication.
Colluding apps: some apps might collude for malicious behavior
Permission by-passing: some apps use other apps’ capabilities to by-pass permission requirements

5 What to Detect
Intent entry points
Intent exit points
What values (i.e., target, action, category, and data) are passed to match senders and receivers

6 What to Detect

7 General Approach
Parse the app’s manifest to detect static Intent receivers
Analyze the app’s code to detect Intent send call sites and dynamic receivers
  Dynamic receivers use intentFilter.addAction()
Use Interprocedural Distributive Environment (IDE) analysis to get the values for each Intent
  This is the focus of the paper.
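
An added sketch of the manifest-parsing and matching steps above (example code, not from the slides or from Epicc): it extracts static receivers from a constructed manifest and links constructed send-site values to them using Android's action and category tests. The data test, the exported flag and permissions are left out; `static_receivers`, `match` and all sample values are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from a real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.receiver">
  <application>
    <service android:name=".UploadService">
      <intent-filter>
        <action android:name="com.example.UPLOAD"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </service>
    <receiver android:name=".SyncReceiver"/>
  </application>
</manifest>"""

# Constructed send sites, in the shape a value analysis would report them.
SENDS = [
    {"action": "com.example.UPLOAD", "categories": ["android.intent.category.DEFAULT"]},
    {"target": "com.example.receiver.SyncReceiver"},
    {"action": "com.example.UPLOAD", "categories": ["android.intent.category.BROWSABLE"]},
]

def static_receivers(manifest_xml):
    """Map each declared component class to its (actions, categories) filters."""
    root = ET.fromstring(manifest_xml)
    pkg, comps = root.get("package"), {}
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(ANDROID + "name", "")
        cls = pkg + name if name.startswith(".") else name
        comps[cls] = [({a.get(ANDROID + "name") for a in f.findall("action")},
                       {c.get(ANDROID + "name") for c in f.findall("category")})
                      for f in comp.findall("intent-filter")]
    return comps

def match(intent, comps):
    """Explicit Intents match by class; implicit ones by action and category tests."""
    if intent.get("target"):
        return [intent["target"]] if intent["target"] in comps else []
    cats = set(intent.get("categories", ()))
    return sorted(c for c, fs in comps.items() if any(
        intent.get("action") in acts and cats <= fcats for acts, fcats in fs))

if __name__ == "__main__":
    for s in SENDS:
        print(s, "->", match(s, static_receivers(MANIFEST)))
```

The third send site matches nothing because the filter does not list every category the Intent carries, while the explicit Intent reaches a component that declares no filter at all.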

8 General Approach

9 IDE
A general framework that tracks how variables are influenced in the program execution.
Roughly,
  For each instruction execution, a user-supplied environment transformer is called to track how variables of interest change.
  Once the environment transformers are supplied, algorithms exist to solve the problem efficiently (i.e., solving the IDE problem).

10 Example Flow

11 Another Example

12 Epicc’s Environment Transformers
ComponentName(packagename, classname) transformers
Bundle transformers
Intent transformers
IntentFilter transformers

13 ComponentName Transformers
ComponentName(packagename, classname) transformers
  Tracks packagename and classname used for an Intent.
Two transformers
  Branch ComponentName transformer: per-branch tracking
  ComponentName transformer: combining all branches (union)

14 Bundle Transformers
Tracks values passed to Bundle
Two passes
  First pass: identifies all added and removed values.
  Second pass: combines the results to derive actual values.

15 Intent and IntentFilter Transformers
Intent transformer: tracks Intent definitions and uses ComponentName & Bundle values.
IntentFilter transformer: identifies dynamic registration (i.e., intentFilter.addAction()),

16 Precision Results

17 Comparison

18 Stowaway
Felt et al., “Android Permissions Demystified”
Stowaway is a tool to analyze Android apps to report overprivileged apps, i.e., apps that request permissions that they do not need.
In addition, Stowaway builds an API-permission map for Android.

19 Why Overprivileged Apps?
(Disclaimer: I don’t quite see this is important)
To evaluate the effectiveness of installation-time permissions enforcement
Increase the impact of bugs or vulnerabilities
Principle of least privilege

20 Background on Permissions
Per-API protection
Developers request. Installers grant.
Enforced by the framework
Two special cases
  Content providers (based on URIs & paths)
  Intents

21 Background on Permissions
Permission enforcement

22 Permission Check
Step 1: Derive API-permission mappings
Step 2: Analyze apps to see if any permission is requested without using any corresponding API

23 Permission Map
Three mechanisms
  Feedback-directed testing using a test case generator, Randoop
  Custom test case generation, i.e., method unit tests
  Manual verification

24 Permission Map
Content provider permissions
  Collecting URIs (from android.provider package and testing)
Intent permissions
  Collecting strings from the public API documentation

25 Permission Map Results
Comparison to Android 2.2 documentation
  Stowaway: 1259 API calls
  Android: 78 API calls (6 incorrect)
1259 API calls (6.45% of all API methods)
Unused permissions
  BRICK

26 Permission Map Results
Largely no hierarchy
  WRITE_CONTACTS is not a substitute for READ_CONTACTS
  But ACCESS_COARSE_LOCATION is weaker than ACCESS_FINE_LOCATION
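
An added example of the two-step permission check and the hierarchy note above (not Stowaway's code or its permission map): given a small constructed API-permission map, it reports requested permissions that no observed call needs and required permissions that were never requested. The map entries, the `COVERS` table and the decision rule in `check` are assumptions of this example.

```python
P = "android.permission."

# Constructed sample entries for illustration; NOT Stowaway's published map.
API_PERMS = {
    "android.telephony.TelephonyManager.getDeviceId()": P + "READ_PHONE_STATE",
    "android.telephony.TelephonyManager.getCellLocation()": P + "ACCESS_COARSE_LOCATION",
    "android.hardware.Camera.open()": P + "CAMERA",
    "query content://com.android.contacts": P + "READ_CONTACTS",
}

# The one hierarchy the slides mention: FINE covers what COARSE grants.
# WRITE_CONTACTS deliberately has no entry: it does not cover READ_CONTACTS.
COVERS = {P + "ACCESS_FINE_LOCATION": {P + "ACCESS_COARSE_LOCATION"}}

def check(requested, calls):
    """Step 2: compare requested permissions with those the observed calls need.

    Returns (unused, missing). Decision rule (an assumption of this example):
    a requested permission is in use if a call requires it directly, or if it
    covers a required permission that was not itself requested.
    """
    requested = set(requested)
    required = {API_PERMS[c] for c in calls if c in API_PERMS}
    used = set()
    for p in requested:
        covered = COVERS.get(p, set()) & required
        if p in required or covered - requested:
            used.add(p)
    satisfied = used | set().union(*(COVERS.get(p, set()) for p in used))
    return sorted(requested - used), sorted(required - satisfied)

if __name__ == "__main__":
    # Constructed app: manifest permissions and the calls found in its code.
    unused, missing = check(
        [P + "CAMERA", P + "READ_PHONE_STATE", P + "WRITE_CONTACTS"],
        ["android.hardware.Camera.open()", "query content://com.android.contacts"],
    )
    print("overprivileged by:", unused)
    print("requested nowhere but required:", missing)
```

An app that requests only ACCESS_FINE_LOCATION and calls a coarse-location API is not flagged, while one that requests both location permissions for the same call has ACCESS_FINE_LOCATION reported as unused.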

27 Stowaway
Static analysis tool
Looks at disassembled DEX (using Dedexer)
Identifies API calls, content provider calls, and intent send/receive calls
Handles Java reflection
  java.lang.reflect.Method.invoke(), etc.

28 Stowaway Results
Dataset: 900 Android apps
323 apps (35.8%) identified as overprivileged

29 Summary
Epicc: static analysis for detecting Intent sender/receiver
Stowaway: static analysis for detecting overprivileged apps

