171 research outputs found

    Mitigating security and privacy threats from untrusted application components on Android

    Owing to Android's data-centric and open-source nature, and to flawed or malicious apps admitted through the lax market approval process, user privacy is particularly at risk. This dissertation presents a series of research works that mitigate the security and privacy threat posed by untrusted app components. The first work introduces a compiler-based compartmentalization solution that uses privilege separation to establish a strong barrier between the host app and library components, thereby protecting sensitive data from compromise by curious or malicious advertising libraries. For vulnerable third-party libraries, in the second work we implement a library update framework based on API compatibility that updates outdated libraries through drop-in replacements in order to minimize the window of vulnerability caused by libraries. The latest work examines the abuse of privileged accessibility (a11y) features in malicious apps. We present a privacy-friendly a11y framework that treats the a11y logic as a pipeline consisting of several modules running in different sandboxes. Furthermore, we enforce flow control over the communication between the modules, reducing the attack surface for abuse of a11y APIs while preserving the benefits of a11y.
    While Android’s data-intensive and open-source nature, combined with its less-than-strict market approval process, has allowed the installation of flawed and even malicious apps, its coarse-grained security model and update bottleneck in the app ecosystem make the platform’s privacy and security situation more worrying. This dissertation introduces a line of works that mitigate privacy and security threats from untrusted app components.
The first work presents a compiler-based library compartmentalization solution that utilizes privilege separation to establish a strong trustworthy boundary between the host app and untrusted lib components, thus protecting sensitive user data from being compromised by curious or malicious ad libraries. For vulnerable third-party libraries, we then build the second work, which implements an API-compatibility-based library update framework using drop-in replacements of outdated libraries to minimize the open vulnerability window caused by libraries, and we perform multiple dynamic tests and case studies to investigate its feasibility. Our latest work focuses on the misuse of powerful accessibility (a11y) features in untrusted apps. We present a privacy-enhanced a11y framework that treats the a11y logic as a pipeline composed of multiple modules running in different sandboxes. We further enforce flow control over the communication between modules, thus reducing the attack surface from abusing a11y APIs while preserving the a11y benefits.

    Sleeping Android: Exploit Through Dormant Permission Requests


    Negative Results on Mining Crypto-API Usage Rules in Android Apps

    Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that “developers update API usage instances to fix misuses”, we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuse patterns are quickly re-introduced by subsequent updates.

    From native to cross-platform hybrid development : CodeGT, design and development of a mobile app for ERP

    The current trend towards mobility of individuals, together with the exponential growth of the number of mobile devices led the market to a boom in the demand for the development of mobile applications. Moreover, with the expansion and heterogeneity of the mobile devices and platforms, software companies need to search for faster and cheaper ways to develop applications that can span as many devices as possible to capture the market. Currently, the Android and iOS Operating Systems roughly share and dominate the mobile market, with timid expressions of other competitors. Each of these mobile operating systems were developed using their own languages, strategy and SDKs for development of applications using their libraries – known as Native apps. On the other hand, the evolution of HTML5, CSS and JavaScript created generic alternatives to create mobile apps that run on devices on all operating systems, although lacking the capability to access the device’s full potential. Alongside came the new Hybrid cross-platform development frameworks, which try to take the best of both worlds. This dissertation describes the evolution of the different mobile app development approaches and the state-of-the-art in their development techniques, and compares them with the Hybrid app approach, then highlighting the trends in mobile app development using Hybrid platforms and their advantages. This research includes the development of a mobile Hybrid application, CodeGT, which interacts with an Enterprise Resource Planning (ERP) to access the Transport Documents registered in this ERP and access to the code transmitted by the Portuguese Tax Authority (AT), therefore not requiring the printing of documents and meeting a need of the business market. 
This application already has customer companies from industry interested in it.
Current trends toward greater mobility of individuals, together with the exponential growth in the number of mobile devices, have led to enormous growth in demand for mobile application development. Moreover, with the expansion and heterogeneity of mobile devices and platforms, software development companies need to find faster and cheaper ways to develop applications capable of covering the largest number of devices in order to meet the high market demand. Currently, the Android and iOS operating systems share and dominate the mobile device market, with timid showings from other competitors. Each of these mobile operating systems was developed specifically for its own programming languages and strategies, and offers a set of development tools with its libraries for creating native applications. On the other hand, the evolution of HTML5, CSS and JavaScript created opportunities for the emergence of generic alternatives for building cross-platform applications that run on all devices and all operating systems, but without the ability to access the device's full native potential. In parallel, new hybrid development platforms emerged, which try to take the best of both worlds. This dissertation describes the evolution of the different approaches to mobile application development, more specifically the use of cross-platform tools to create hybrid mobile applications, and their advantages.
The research also included the development of a mobile application, CodeGT, built on a hybrid platform to interact with ERP software, accessing the Transport Documents registered in that ERP as well as the code transmitted by the Tax Authority (AT), which thus dispenses with printing documents and meets a market need. This application already has client companies interested in it.

    Demand around the clock: Time use and data demand of mobile devices in everyday life

    Motivated by mobile devices’ growing demand for connectivity, and concern in HCI with the energy intensity and sustainability of networked services, in this paper we reveal the impact of applications on smartphones and tablets in terms of network demand and time use. Using a detailed mixed methods study with eight participants, we first provide an account of how data demand has meaning and utility in our participants’ social practices, and the timing and relative impacts of these. We then assess the scale of this demand by drawing comparison between our fine-grained observations and a more representative dataset of 398 devices from the Device Analyzer corpus. Our results highlight the significant categories of data demanding practice, and the identification of where changes in app time and duration of use might reduce or shift demand to reduce services’ impacts

    Test Cases Evolution of Mobile Applications: Model Driven Approach

    Mobile Applications Developers, with large freedom given to them, focus on satisfying market requirements and on pleasing consumer’s desires. They are forced to be creative and productive in a short period of time. As a result, billions of powerful mobile applications are displayed every day. Therefore, every mobile application needs to continually change and make an incremental evolution in order to survive and preserve its ranking among the top applications in the market. Mobile apps Testers hold a heavy responsibility on their shoulders: the intrinsic nature of agile swift change of mobile apps pushes them to be meticulous, to be aware that things can be different at any time, and to be prepared for unpredicted crashes. Therefore, starting the generation or the creation of test cases from scratch and selecting each time the overridden or the overloaded test cases is a tedious operation. In software testing the time allocated for testing and correcting defects is important for every software development (regularly half the time). This time can be reduced by the introduction of tools and the adoption of new testing methods. In the field of mobile development, new concerns should be taken into account; among the most important ones are the heterogeneity of execution environments and the fragmentation of terminals which have different impacts on the functionality, performance, and connectivity. This project studies the evolution of mobile applications and its impact on the evolution of test cases from their creation until their expiration stage. A detailed case study of a native open source Android application is provided, describing many aspects of design, development, testing in addition to the analysis of the process of mobile apps evolution. This project is based on a model driven engineering approach where the models are serialized using the standard XMI.
It presents a protocol for the adaptation of test cases under certain restrictions.

    Smartphone User Privacy Preserving through Crowdsourcing

    In current Android architecture, users have to decide whether an app is safe to use or not. Expert users can make savvy decisions to avoid unnecessary private data breach. However, the majority of regular users are not technically capable or do not care to consider privacy implications to make safe decisions. To assist the technically incapable crowd, we propose a permission control framework based on crowdsourcing. At its core, our framework runs new apps under probation mode without granting their permission requests up-front. It provides recommendations on whether to accept or not the permission requests based on decisions from peer expert users. To seek expert users, we propose an expertise rating algorithm using a transitional Bayesian inference model. The recommendation is based on aggregated expert responses and their confidence level. As a complete framework design of the system, this thesis also includes a solution for Android app risks estimation based on behaviour analysis. To eliminate the negative impact from dishonest app owners, we also proposed a bot user detection to make it harder to utilize false recommendations through bot users to impact the overall recommendations. This work also covers a multi-view permission notification design to customize the app safety notification interface based on users' need and an app recommendation method to suggest safe and usable alternative apps to users.