Efficient Permission-Aware Analysis of Android Apps

Total Page:16

File Type:pdf, Size:1020Kb

Efficient Permission-Aware Analysis of Android Apps UNIVERSITY OF CALIFORNIA, IRVINE Efficient Permission-Aware Analysis of Android Apps DISSERTATION submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Software Engineering by Alireza Sadeghi Dissertation Committee: Associate Professor Sam Malek, Chair Associate Professor James A. Jones Professor Cristina Videira Lopes 2017 c 2017 Alireza Sadeghi DEDICATION To my better half, Reyhan| The best friend, classmate, and colleague. ii TABLE OF CONTENTS Page LIST OF FIGURES vi LIST OF TABLES viii ACKNOWLEDGMENTS ix CURRICULUM VITAE x ABSTRACT OF THE DISSERTATION xiii 1 Introduction 1 1.1 Dissertation Overview . .2 1.2 Dissertation Structure . .4 2 Background and Related Work 7 2.1 Android Overview . .9 2.2 Related Surveys . 11 2.3 Research Method . 13 2.3.1 Research Tasks . 14 2.3.2 Literature Review Protocol . 16 2.3.3 Selected papers . 19 2.3.4 Threats to Validity . 21 2.4 Taxonomy . 23 2.4.1 Approach Positioning (Problem) . 24 2.4.2 Approach Characteristics (Solution) . 31 2.4.3 Assessment (Validation) . 36 2.5 Survey Results and Analysis . 37 2.5.1 Approach Positioning (Problem) . 38 2.5.2 Approach Characteristics (Solution) . 48 2.5.3 Assessment (Validation) . 62 2.5.4 Cross Analysis . 67 2.6 Discussion and Directions for Future Research . 72 2.7 Conclusion . 76 iii 3 Research Problem 78 3.1 Permission-Induced Security Attacks . 79 3.2 Permission-Induced Compatibility Defects . 80 4 Compositional Analysis of Permission-Induced Security Vulnerabilities 81 4.1 Introduction . 81 4.2 Motivating Example . 84 4.3 Approach Overview . 86 4.4 Model Extractor . 89 4.4.1 Entity Extraction and Resolution . 91 4.4.2 Control Flow Augmentation . 97 4.4.3 Vulnerable Paths Identification . 97 4.5 Formal Analyzer . 100 4.5.1 Alloy Overview . 102 4.5.2 Formal Model of Android Framework . 103 4.5.3 Formal Model of Apps . 107 4.5.4 Checking Android Application Models . 110 4.6 Empirical Evaluation . 113 4.6.1 Significance of Compositional Analysis . 115 4.6.2 Automated Analysis of Applications . 116 4.6.3 Manual Analysis . 119 4.6.4 Compositional vs. Single App Analysis . 121 4.6.5 Performance and Timing . 124 4.7 Discussion . 125 4.7.1 Other Types of Vulnerabilities . 127 4.8 Conclusion . 128 5 Automatic Enforcement of Permission-Based Security Policies 130 5.1 Introduction . 130 5.2 Motivating Example . 133 5.3 Approach Overview . 136 5.4 AME: Android Model Extractor . 138 5.5 ASE: Analysis and Synthesis Engine . 142 5.6 APE: Android Policy Enforcer . 151 5.7 Evaluation . 153 5.7.1 Results for RQ1 (Accuracy) . 154 5.7.2 Results for RQ2 (Separ and Real-World Apps) . 156 5.7.3 Results for RQ3 (Performance and Timing) . 158 5.7.4 Results for RQ4 (Policy Enforcement) . 159 5.8 Conclusion . 160 6 Incorporating Time in Permission Analysis and Enforcement 161 6.1 Introduction . 161 6.2 Permission-Induced Attacks . 164 6.2.1 Privilege Escalation . 164 iv 6.2.2 Unsafe PendingIntent . 166 6.2.3 Identical Custom Permission . 167 6.2.4 Passive Data Leak . 167 6.3 Temporal Permission . 168 6.3.1 Modeling the Android System . 168 6.3.2 Formulating Safety Rules . 170 6.3.3 Leasing Temporal Permissions . 174 6.4 TERMINATOR . 176 6.4.1 Approach Overview . 176 6.4.2 Analysis . 178 6.4.3 Enforcement . 181 6.5 Evaluation . 183 6.5.1 RQ1: Coverage . 183 6.5.2 RQ2: Disruption . 186 6.5.3 RQ3: Applicability & Reliability . 188 6.5.4 RQ4: Performance . 190 6.6 Conclusion . 191 7 Permission-Aware Testing of Android 193 7.1 Introduction . 193 7.2 Illustrative Example . 196 7.3 Approach Overview . 200 7.4 Dynamic Analysis . 202 7.5 Static Analysis of Test Harness App . 204 7.6 Static Analysis of App Under Test . 206 7.6.1 Permission Analysis . 208 7.6.2 Widget Analysis . 209 7.7 Building Permission Combinations . 212 7.8 Implementation . 214 7.9 Evaluation . 214 7.9.1 Experiment Setup . 215 7.9.2 Efficiency . 216 7.9.3 Coverage . 218 7.9.4 Effectiveness . 220 7.9.5 Performance . 221 7.10 Conclusion . 222 8 Conclusion 224 8.1 Research Contributions . 225 8.2 Future Work . 227 Bibliography 229 v LIST OF FIGURES Page 1.1 Dissertation Roadmap. .3 2.1 Research process flow and tasks. 13 2.2 Scope of this survey. 17 2.3 Word cloud of the titles of the selected papers. 20 2.4 Distribution of surveyed papers. 21 2.5 Proposed Taxonomy of Android Security Analysis, Problem Category. 24 2.6 Proposed Taxonomy of Android Security Analysis, Solution Category. 31 2.7 Proposed Taxonomy of Android Security Analysis, Assessment Category. 37 2.8 Distribution of research based on the type of analyzed code . 59 2.9 Distribution of surveyed papers based on the number of source of the apps used for empirical evaluation. 64 2.10 Comparison graph for the surveyed papers . 66 2.11 Dependency graph for the surveyed papers . 67 2.12 Cross Analysis 1 and 2 . 68 2.13 Cross Analysis 3 and 4 . 69 2.14 Cross Analysis 5 . ..
Recommended publications
  • Downloaded and Installed from the Google Play Store and Cafe Bazaar
    Raeesi et al. BMC Med Inform Decis Mak (2021) 21:135 https://doi.org/10.1186/s12911-021-01498-7 RESEARCH Open Access Evaluation of HIV/AIDS-related mobile health applications content using an evidence-based content rating tool Ahmad Raeesi1,2 , Reza Khajouei3 and Leila Ahmadian4* Abstract Background: Despite the increasing number of mobile health applications, the validity of their content is under- studied. The objective of this study was to rate the content of HIV/AIDS-related mobile applications and to determine the extent to which evidence-based medicine is being incorporated into their content using a new tool called the Evidence-based content rating tool of mobile health applications (EBCRT-mHealth). Methods: All available HIV/AIDS-related applications in Iran from Cafe Bazaar and Google Play Store were evaluated. This study was frst conducted in 2018, then after almost two years in 2021 was done again. In this study, research- ers developed the EBCRT-mHealth tool to rate the content of applications based on the evidence-based medicine pyramid. Its reliability was calculated (α 0.78), and fve specialists confrmed its validity. Two reviewers independently reviewed all HIV/AIDS applications directly= downloaded and installed from the Google Play Store and Cafe Bazaar. Results: Out of 980 retrieved applications, in 2018, 85, and in 2021, 78 applications were included in the study. Only in 17 (28%) out of the 60 in 2018, and 25 (51%) in 2021 Google Play store applications the source of content informa- tion was mentioned. All Cafe Bazaar mobile applications mentioned the source of information.
    [Show full text]
  • 3000 Applications
    Uila Supported Applications and Protocols updated March 2021 Application Protocol Name Description 01net.com 05001net plus website, is a Japanese a French embedded high-tech smartphonenews site. application dedicated to audio- 050 plus conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also classifies 10086.cn the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese cloudweb portal storing operated system byof theYLMF 115 Computer website. TechnologyIt is operated Co. by YLMF Computer 115.com Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr ThisKorean protocol shopping plug-in website classifies 11st. the It ishttp operated traffic toby the SK hostPlanet 123people.com. Co. 123people.com Deprecated. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt ChineseLithuanian web news portal portal 163. It is operated by NetEase, a company which pioneered the 163.com development of Internet in China. 17173.com Website distributing Chinese games. 17u.com 20Chinese minutes online is a travelfree, daily booking newspaper website. available in France, Spain and Switzerland. 20minutes This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Checkout (acquired by Verifone) provides global e-commerce, online payments 2Checkout and subscription billing solutions.
    [Show full text]
  • Gaikai - Wikipedia Case 3:19-Cv-07027-WHA Document 28-2 Filed 10/14/19 Page 2 of 8 Not Logged in Talk Contributions Create Account Log In
    Case 3:19-cv-07027-WHA Document 28-2 Filed 10/14/19 Page 1 of 8 EXHIBIT B Gaikai - Wikipedia Case 3:19-cv-07027-WHA Document 28-2 Filed 10/14/19 Page 2 of 8 Not logged in Talk Contributions Create account Log in Article Talk Read Edit View history Gaikai From Wikipedia, the free encyclopedia Main page Gaikai (外海, lit. "open sea", i.e. an expansive outdoor space) is an American company which provides technology for the streaming of high- Contents Gaikai Featured content end video games.[1] Founded in 2008, it was acquired by Sony Interactive Entertainment in 2012. Its technology has multiple applications, Current events including in-home streaming over a local wired or wireless network (as in Remote Play between the PlayStation 4 and PlayStation Vita), as Random article well as cloud-based gaming where video games are rendered on remote servers and delivered to end users via internet streaming (such as Donate to Wikipedia the PlayStation Now game streaming service.[2]) As a startup, before its acquisition by Sony, the company announced many partners using Wikipedia store [3] the technology from 2010 through 2012 including game publishers, web portals, retailers and consumer electronics manufacturers. On July Founded November 2008 Interaction 2, 2012, Sony announced that a formal agreement had been reached to acquire the company for $380 million USD with plans of establishing Headquarters Aliso Viejo, California, U.S. [4] Help their own new cloud-based gaming service, as well as integrating streaming technology built by Gaikai into PlayStation products, resulting Owner Sony [5] [6] About Wikipedia in PlayStation Now and Remote Play.
    [Show full text]
  • Read Our Full Report Here
    1 2 contEnts 03 preface 30 5 data security 30 5.1 Major Data Leaks 05 part i / the changing iranian internet & how we got here 32 6 patterns of information consumption 06 1 internet governance 32 6.1 Consumer Trends & Cafe Bazaar 07 1.1 Policy Development In 1398 34 6.2 Misinformation & Disinformation 10 2 information controls 39 7 media plurality 10 2.1 Internet Shutdowns And Localisations 39 7.1 The Growing Role Of Instagram 12 2.2 Layered Filtering 41 7.2 Tv On-Demand 14 2.3 Content Filtering 15 2.4 Impact Of Sanctions 45 8 ict market & the digital economy 17 3 state surveillance 45 8.1 Mobile Registry 17 3.1 Policy Developments 46 8.2 Start-Ups In The Digital Economy 18 3.2 Surveillance And Law Enforcement 48 8.3 Legalisation Of Circumvention Tools 21 4 digital inclusion 50 conclusion 21 4.1 Child Protection: Towards A “Children’s Internet”? 23 4.2 Women’s Experiences: Instagram & Compulsory Hijab 23 4.3 Religious Minorities: Baha’is Face Exclusion From New E-Government Initiatives 25 4.4 Online Education Services And Marginalized Students 26 4.5 Border Provinces: Extended Shutdowns In Sistan & Baluchestan 28 part ii / navigating iran’s online public realm: users’ experiences of the iranian internet 3 Filterwatch Yearbook 1398 Preface welcome to the inaugural edition of the Filterwatch Yearbook. This is the first edition in a series of yearbooks documenting important developments shaping the Internet in Iran. The first two volumes of this report are being published in the early months of 2021, and cover the Iranian calendar year 1398 (which falls between March 2019 to March 2020) and 1399 (covering the period between March 2020 to March 2021).
    [Show full text]
  • Guards at the Gate the Expanding State Control Over the Internet in Iran Guards at the Gate the Expanding State Control Over the Internet in Iran
    Guards at the Gate The Expanding State Control Over the Internet in Iran Guards at the Gate The Expanding State Control Over the Internet in Iran Copyright © 2018 by the Center for Human Rights in Iran All rights reserved. No part of this report may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including mechanical, electric, photocopying, recording, or otherwise, without the prior written permission of the Center for Human Rights in Iran. Center for Human Rights in Iran New York Tel: +1 -347-689-7782 www.iranhumanrights.org2 About us The Center for Human Rights in Iran (CHRI) is an independent, nonpartisan, nonprofit organization dedicated to the protection and promotion of human rights in Iran. CHRI investigates and documents rights violations occurring throughout Iran, relying on first-hand accounts to expose abuses that would otherwise go unreported. We bring these violations to the attention of the international community through news articles, briefings, in-depth reports and videos, and work to build support for human rights inside Iran as well. CHRI engages in intensive outreach and international advocacy aimed at defending the fundamental rights and freedoms of the Iranian people and holding the Iranian government accountable to its human rights obligations. Table of Contents EXECUTIVE RECOMMENDATIONS METHODOLOGY INTRODUCTION SUMMARY 7 9 To the Rouhani 12 13 administration 10 To the Iranian Parliament 10 To the Iranian judiciary 10 To the UN and the special rapporteurs 11 To member states
    [Show full text]
  • Efficient Permission-Aware Analysis of Android Apps
    UC Irvine UC Irvine Electronic Theses and Dissertations Title Efficient Permission-Aware Analysis of Android Apps Permalink https://escholarship.org/uc/item/5hr6v7rc Author Sadeghi, Alireza Publication Date 2017 License https://creativecommons.org/licenses/by-nc-sa/4.0/ 4.0 Peer reviewed|Thesis/dissertation eScholarship.org Powered by the California Digital Library University of California UNIVERSITY OF CALIFORNIA, IRVINE Efficient Permission-Aware Analysis of Android Apps DISSERTATION submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in Software Engineering by Alireza Sadeghi Dissertation Committee: Associate Professor Sam Malek, Chair Associate Professor James A. Jones Professor Cristina Videira Lopes 2017 c 2017 Alireza Sadeghi DEDICATION To my better half, Reyhan| The best friend, classmate, and colleague. ii TABLE OF CONTENTS Page LIST OF FIGURES vi LIST OF TABLES viii ACKNOWLEDGMENTS ix CURRICULUM VITAE x ABSTRACT OF THE DISSERTATION xiii 1 Introduction 1 1.1 Dissertation Overview . .2 1.2 Dissertation Structure . .4 2 Background and Related Work 7 2.1 Android Overview . .9 2.2 Related Surveys . 11 2.3 Research Method . 13 2.3.1 Research Tasks . 14 2.3.2 Literature Review Protocol . 16 2.3.3 Selected papers . 19 2.3.4 Threats to Validity . 21 2.4 Taxonomy . 23 2.4.1 Approach Positioning (Problem) . 24 2.4.2 Approach Characteristics (Solution) . 31 2.4.3 Assessment (Validation) . 36 2.5 Survey Results and Analysis . 37 2.5.1 Approach Positioning (Problem) . 38 2.5.2 Approach Characteristics (Solution) . 48 2.5.3 Assessment (Validation) . 62 2.5.4 Cross Analysis .
    [Show full text]
  • Report on the Privacy Risks of COVID-19 Software
    Report on the privacy risks of COVID-19 software December 2020 This report was commissioned by AWO and undertaken by external technical consultants. 2 Executive Summary This report provides a technical analysis of seven smartphone applications deployed in six countries (Brazil, Colombia, India, Iran, Lebanon, and South Africa) to be used by citizens as part of their country’s national response strategy to fight the COVID-19 pandemic. All are official apps, in the sense that they have been developed by (or with the approval of) competent organizational units in their respective governments, including health authorities. The focus of this technical analysis is on the potential privacy risks of using such apps for citizens. Specifically, the report provides an assessment of the following elements: (i) the architecture used for contact tracing, if any; (ii) the presence of elements that can impact on users’ privacy negatively (use of dangerous permissions, presence of software development kits (SDKs), potential dissemination of personal data, and consistency of observed behaviors and statements of the privacy policy); and (iii) components and design choices that can affect the security of the app, such as the presence of potentially harmful behaviors oran incorrect use of hosting and communication capabilities. The main findings of this report are: • All the examined apps implement a functionality for contact tracing / exposure notification. Two of them—Coronavirus SUS (Brazil) and COVID Alert SA (South Africa)—rely on the Google-Apple Exposure Notification (GAEN) API, which enforces some privacy guarantees. The remaining apps use centralized approaches that are potentially more privacy harmful, including custom implementations—Aarogya Setu (India), COVA (India), and Mask (Iran)—or based on Singapore’s BlueTrace technology—CoronaApp (Colombia) and MA3AN (Lebanon).
    [Show full text]
  • Gaikai - Wikipedia Case 1:19-Cv-07529-DLC Document 28-2 Filed 10/14/19 Page 2 of 8 Not Logged in Talk Contributions Create Account Log In
    Case 1:19-cv-07529-DLC Document 28-2 Filed 10/14/19 Page 1 of 8 EXHIBIT B Gaikai - Wikipedia Case 1:19-cv-07529-DLC Document 28-2 Filed 10/14/19 Page 2 of 8 Not logged in Talk Contributions Create account Log in Article Talk Read Edit View history Gaikai From Wikipedia, the free encyclopedia Main page Gaikai (外海, lit. "open sea", i.e. an expansive outdoor space) is an American company which provides technology for the streaming of high- Contents Gaikai Featured content end video games.[1] Founded in 2008, it was acquired by Sony Interactive Entertainment in 2012. Its technology has multiple applications, Current events including in-home streaming over a local wired or wireless network (as in Remote Play between the PlayStation 4 and PlayStation Vita), as Random article well as cloud-based gaming where video games are rendered on remote servers and delivered to end users via internet streaming (such as Donate to Wikipedia the PlayStation Now game streaming service.[2]) As a startup, before its acquisition by Sony, the company announced many partners using Wikipedia store [3] the technology from 2010 through 2012 including game publishers, web portals, retailers and consumer electronics manufacturers. On July Founded November 2008 Interaction 2, 2012, Sony announced that a formal agreement had been reached to acquire the company for $380 million USD with plans of establishing Headquarters Aliso Viejo, California, U.S. [4] Help their own new cloud-based gaming service, as well as integrating streaming technology built by Gaikai into PlayStation products, resulting Owner Sony [5] [6] About Wikipedia in PlayStation Now and Remote Play.
    [Show full text]