Abstract: The number of Android applications is growing rapidly, bringing more and more vulnerabilities with it. However, most existing tools rely on simple API scanning and rarely use data flow analysis, so some vulnerabilities go undetected. This paper presents a static analysis framework for Android applications based on common vulnerability patterns. The framework uses detection rules to detect 7 kinds of vulnerability patterns in Android apps. Tests on 323 Android applications show that the framework can detect more than 70% of the vulnerabilities with less than 30% false positives, which shows that it can effectively detect common security vulnerabilities in Android apps.