27 research outputs found

    INTERACTION-BASED SECURITY FOR MOBILE APPS

    Mobile operating systems pervade our modern lives. Security and privacy are of particular concern on these systems, as they have access to a wide range of sensitive resources. Apps access these sensitive resources to help users perform tasks. However, apps may use these sensitive resources in a way that the user does not expect. For example, an app may look up reviews of restaurants nearby, but also leak the user’s location to an ad service every hour. I claim that interaction serves as a valuable component of security decisions, because the user’s interaction with the app’s user interface (UI) deeply informs their mental model of how apps access sensitive data. I introduce the notion of interaction-based security, wherein security decisions are driven by this interaction. To help understand and enforce interaction-based security, I present four pieces of work. The first is Redexer, which performs binary instrumentation of off-the-shelf Android binaries. Binary instrumentation is a useful tool for enforcing and studying security properties. I demonstrate one example of how Redexer can be used to study location privacy in apps. Android permissions constrain how data enters apps, but do not constrain how the information is used or where it goes. Information flow allows us to formally define what it means for data to leak from applications, but it is unclear how to use information-flow policies for Android apps, because apps frequently declassify information. I define interaction-based declassification policies, and show how they can be used to define policies for several example apps. I then implement a symbolic executor which checks Android apps to ensure they respect these policies. Next, I test the hypothesis that the app’s UI influences security decisions. I outline an app study that measures when apps use sensitive resources with respect to their UI. I then conduct a user study to measure how an app’s UI influences users’ expectation that a sensitive resource will be accessed. I find that interactivity plays a large role in determining user expectation of sensitive resource use, and that apps largely access sensitive resources interactively. I also find that users may not always understand background uses of these sensitive resources, and that using them in line with user expectation requires special care in some circumstances. Last, I present a tool which can help a security auditor quickly understand how apps use resources. My tool uses a novel combination of app logging, symbolic execution, and abstract interpretation to infer a formula that holds on each permission use. I evaluate my tool on several moderately-sized apps and show that it infers the same formulas we laboriously found by hand.

    SymDroid: Symbolic Execution for Dalvik Bytecode

    Apps on Google's Android mobile device platform are written in Java, but are compiled to a special bytecode language called Dalvik. In this paper, we introduce SymDroid, a symbolic executor that operates directly on Dalvik bytecode. SymDroid begins by first translating Dalvik into mu-Dalvik, a simpler language that has only 16 instructions, in contrast to Dalvik's more than 200 instructions. We present a formalism for SymDroid's symbolic executor, which can be described with a small number of operational semantics rules; this semantics may be of independent interest. In addition to modeling bytecode instructions, SymDroid also contains models of some key portions of the Android platform, including libraries and the platform's lifecycle control code. We evaluated SymDroid in two ways. First, we ran it on the Android Compatibility Test Suite, and found it passed all tests except ones that used library or system routines we have not yet implemented. On this test suite, SymDroid runs about twice as slow as the Dalvik VM, and about twice as fast as the Java VM. Second, we used SymDroid to discover the (path) conditions under which contacts may be accessed in an Android app, and found it was able to do so successfully. These results suggest that SymDroid, while still a prototype, is a promising first step in enabling direct, precise analysis of Android apps.

    Synthesizing framework models for symbolic execution

    Symbolic execution is a powerful program analysis technique, but it is difficult to apply to programs built using frameworks such as Swing and Android, because the framework code itself is hard to symbolically execute. The standard solution is to manually create a framework model that can be symbolically executed, but developing and maintaining a model is difficult and error-prone. In this paper, we present Pasket, a new system that takes a first step toward automatically generating Java framework models to support symbolic execution. Pasket's focus is on creating models by instantiating design patterns. Pasket takes as input class, method, and type information from the framework API, together with tutorial programs that exercise the framework. From these artifacts and Pasket's internal knowledge of design patterns, Pasket synthesizes a framework model whose behavior on the tutorial programs matches that of the original framework. We evaluated Pasket by synthesizing models for subsets of Swing and Android. Our results show that the models derived by Pasket are sufficient to allow us to use off-the-shelf symbolic execution tools to analyze Java programs that rely on frameworks.
    Funding: National Science Foundation (U.S.) (CCF-1139021); National Science Foundation (U.S.) (CCF-1139056); National Science Foundation (U.S.) (CCF-1161775)

    Dr. Android and Mr. Hide: Fine-grained security policies on unmodified Android

    Google’s Android platform includes a permission model that protects access to sensitive capabilities, such as Internet access, GPS use, and telephony. We have found that Android’s current permissions are often overly broad, providing apps with more access than they truly require. This deviation from least privilege increases the threat from vulnerabilities and malware. To address this issue, we present a novel system that can replace existing platform permissions with finer-grained ones. A key property of our approach is that it runs today, on stock Android devices, requiring no platform modifications. Our solution is composed of two parts: Mr. Hide, which runs in a separate process on a device and provides access to sensitive data as a service; and Dr. Android (Dalvik Rewriter for Android), a tool that transforms existing Android apps to access sensitive resources via Mr. Hide rather than directly through the system. Together, Dr. Android and Mr. Hide can completely remove several of an app’s existing permissions and replace them with finer-grained ones, leveraging the platform to provide complete mediation for protected resources. We evaluated our ideas on several popular, free Android apps. We found that we can replace many commonly used "dangerous" permissions with finer-grained permissions. Moreover, apps transformed to use these finer-grained permissions run largely as expected, with reasonable performance overhead.

    Pathways of Superoxide (O2-) decay in the Eastern Tropical North Atlantic

    Superoxide (O2-; IUPAC name dioxide(•1−)) is an important transient reactive oxygen species (ROS) in the ocean, formed as an intermediate in the redox transformation of oxygen (O2) into hydrogen peroxide (H2O2) and vice versa. This highly reactive and very short-lived radical anion can be produced via both photochemical and biological processes in the ocean. In this paper we examine the decomposition rate of O2- throughout the water column, using new data collected in the Eastern Tropical North Atlantic (ETNA) Ocean. For this approach we applied a semi-factorial experimental design to identify and quantify the pathways of the major identified sinks in the ocean. In this work we occupied 6 stations, 2 on the West African continental shelf and 4 open-ocean stations, including the CVOO time series site adjacent to Cape Verde. Our results indicate that in the surface ocean, impacted by Saharan aerosols and sediment resuspension, the main decay pathways for superoxide are via reactions with Mn(II) and organic matter.

    Location Privacy Protection for Smartphone Users

    As smartphones are increasingly used to run apps that provide users with location-based services, the users’ location privacy has become a major concern. Existing solutions to this concern are deficient in terms of practicality, efficiency, and effectiveness. To address this problem, we design, implement, and evaluate LP-Guardian, a novel and comprehensive framework for location privacy protection for Android smartphone users. LP-Guardian overcomes the shortcomings of existing approaches by addressing the tracking, profiling, and identification threats while maintaining app functionality. We have implemented and evaluated LP-Guardian on Android 4.3.1. Our evaluation results show that LP-Guardian effectively thwarts the privacy threats, without deteriorating the user’s experience (less than 10% overhead in delay and energy). Also, LP-Guardian’s privacy protection is shown to be achieved at a tolerable loss in app functionality.

    Dynamic Modeling of Location Privacy Protection Mechanisms

    Mobile applications tend to ask for users’ location in order to improve the service they provide. However, aside from increasing their service utility, they may also store these data, analyze them, or share them with external parties. These privacy threats for users are a hot topic of research, leading to the development of so-called Location Privacy Protection Mechanisms (LPPMs). LPPMs are often configurable algorithms that enable the tuning of the privacy protection they provide and thus the leveraging of the service utility. However, they usually do not provide ways to measure the achieved privacy in practice for all users of mobile devices, and even fewer clues on how a given configuration will impact the privacy of the data given the specificities of everyone’s mobility. Moreover, as most Location Based Services require the user position in real time, these measures and predictions should be achieved in real time. In this paper we present a metric to evaluate the privacy of obfuscated data based on users’ points of interest, as well as a predictive model of the impact of an LPPM on this measure, both working in a real-time fashion. The evaluation of the paper’s contributions is done using the state-of-the-art LPPM Geo-I on synthetic mobility data generated to be representative of real-life users’ movements. Results highlight the relevance of the metric to capture privacy, the fit of the model to experimental data, and the feasibility of the on-line mechanisms due to their low computing complexity.