99 research outputs found
Ghera: A Repository of Android App Vulnerability Benchmarks
Security of mobile apps affects the security of their users. This has fueled
the development of techniques to automatically detect vulnerabilities in mobile
apps and help developers secure their apps; specifically, in the context of
Android platform due to openness and ubiquitousness of the platform. Despite a
slew of research efforts in this space, there is no comprehensive repository of
up-to-date and lean benchmarks that contain most of the known Android app
vulnerabilities and, consequently, can be used to rigorously evaluate both
existing and new vulnerability detection techniques and help developers learn
about Android app vulnerabilities. In this paper, we describe Ghera, an open
source repository of benchmarks that capture 25 known vulnerabilities in
Android apps (as pairs of exploited/benign and exploiting/malicious apps). We
also present desirable characteristics of vulnerability benchmarks and
repositories that we uncovered while creating Ghera.Comment: 10 pages. Accepted at PROMISE'1
I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis
Android applications may leak privacy data carelessly or maliciously. In this
work we perform inter-component data-flow analysis to detect privacy leaks
between components of Android applications. Unlike all current approaches, our
tool, called IccTA, propagates the context between the components, which
improves the precision of the analysis. IccTA outperforms all other available
tools by reaching a precision of 95.0% and a recall of 82.6% on DroidBench. Our
approach detects 147 inter-component based privacy leaks in 14 applications in
a set of 3000 real-world applications with a precision of 88.4%. With the help
of ApkCombiner, our approach is able to detect inter-app based privacy leaks
Reflection-Aware Static Analysis of Android Apps
We demonstrate the benefits of DroidRA, a tool for taming reflection in Android apps. DroidRA first statically extracts reflection-related object values from a given Android app. Then, it leverages the extracted values to boost the app in a way that reflective calls are no longer a challenge for existing static analyzers. This is achieved through a bytecode instrumentation approach, where reflective calls are supplemented with explicit traditional Java method calls which can be followed by state-of-the-art analyzers which do not handle reflection. Instrumented apps can thus be completely analyzed by existing static analyzers, which are no longer required to be modified to support reflection-aware analysis. The video demo of DroidRA can be found at https://youtu.be/-HW0V68aAW
ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware
Billions of users rely on the security of the Android platform to protect
phones, tablets, and many different types of consumer electronics. While
Android's permission model is well studied, the enforcement of the protection
policy has received relatively little attention. Much of this enforcement is
spread across system services, taking the form of hard-coded checks within
their implementations. In this paper, we propose Authorization Check Miner
(ACMiner), a framework for evaluating the correctness of Android's access
control enforcement through consistency analysis of authorization checks.
ACMiner combines program and text analysis techniques to generate a rich set of
authorization checks, mines the corresponding protection policy for each
service entry point, and uses association rule mining at a service granularity
to identify inconsistencies that may correspond to vulnerabilities. We used
ACMiner to study the AOSP version of Android 7.1.1 to identify 28
vulnerabilities relating to missing authorization checks. In doing so, we
demonstrate ACMiner's ability to help domain experts process thousands of
authorization checks scattered across millions of lines of code
DroidRA: Taming Reflection to Support Whole-Program Analysis of Android Apps
Android developers heavily use reflection in their apps for legitimate reasons, but also significantly for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are inconsistent given the measures taken by malware writers to elude static detection. We propose the DroidRA instrumentation-based approach to address this issue in a non-invasive way. With DroidRA, we reduce the resolution of reflective calls to a composite constant propagation problem. We leverage the COAL solver to infer the values of reflection targets and app, and we eventually instrument this app to include the corresponding traditional Java call for each reflective call. Our approach allows to boost an app so that it can be immediately analyzable, including by such static analyzers that were not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and demonstrate that it can allow state-of-the-art tools to provide more sound and complete analysis results
Sensitive and Personal Data: What Exactly Are You Talking About?
Mobile devices are pervasively used for a variety of tasks, including the processing of sensitive data in mobile apps.
While in most cases access to this data is legitimate, malware often targets sensitive data and even benign apps collect more data than necessary for their task.
Therefore, researchers have proposed several frameworks to detect and track the use of sensitive data in apps, so as to disclose and prevent unauthorized access and data leakage. Unfortunately, a review of the literature reveals a lack of consensus on what sensitive data is in the context of technical frameworks like Android. Authors either
provide an intuitive definition or an ad-hoc definition, derive their definition from the Android permission model, or rely on previous research papers which do or do not give a definition of sensitive data.
In this paper, we provide an overview of existing definitions of sensitive data in literature and legal frameworks.
We further provide a sound definition of sensitive data derived from the definition of personal data of several legal frameworks.
To help the scientific community further advance in this field, we publicly provide a list of sensitive sources from the Android framework, thus starting a community project leading to a complete list of sensitive API methods across different frameworks and programming languages
Extension of the Chiral Perturbation Theory Meson Lagrangian to Order
We have derived the most general chirally invariant Lagrangian
for the meson sector at order . The result provides an extension of the
standard Gasser-Leutwyler Lagrangian to one higher order,
including as well all the odd intrinsic parity terms in the Lagrangian. The
most difficult part of the derivation was developing a systematic strategy so
as to get all of the independent terms and eliminate the redundant ones in an
efficient way. The 'equation of motion' terms, which are redundant in the sense
that they can be transformed away via field transformations, are separated out
explicitly. The resulting Lagrangian has been separated into groupings of terms
contributing to increasingly more complicated processes, so that one does not
have to deal with the full result when calculating contributions to
simple processes.Comment: 59 pages in LaTex, using RevTex macro, TRIUMF preprint TRI-PP-94-6
Negative Results of Fusing Code and Documentation for Learning to Accurately Identify Sensitive Source and Sink Methods An Application to the Android Framework for Data Leak Detection
Almost two-thirds of the population owns a mobile phone. Given that there is a profusion of mobile applications that manipulate all sorts of data, privacy-related concerns arise more and more. New regulations such as the General Data Protection Regulation (GDPR) provide rules for which developers must comply when their apps process sensitive and/or private data. Ensuring that no such data is leaked without the consent of the user is a primary objective in each GDPR compliance check.
Researchers have proposed sophisticated approaches to track sensitive data within mobile apps, all of which rely on specific lists of sensitive source and sink methods. The data flow analysis results greatly depend on these lists' quality. Previous approaches either used incomplete hand-written lists and quickly became outdated or relied on machine learning. The latter, however, leads to numerous false positives, as we show.
This paper introduces CoDoC that aims to revive the machine-learning approach to precisely identify the privacy-related source and sink API methods. In contrast to previous approaches, CoDoC uses deep learning techniques and combines the source code with the documentation of API methods.
Firstly, we propose novel definitions that clarify the concepts of taint analysis, source, and sink methods.
Secondly, based on these definitions, we build a new ground truth of Android methods representing sensitive source, sink, and neither methods that will be used to train our classifier.
We evaluate CoDoC and show that, on our validation dataset, it achieves a precision, recall, and F1 score of 91%, outperforming the state-of-the-art SuSi.
However, similarly to existing tools, we show that in the wild, i.e., with unseen data, CoDoC performs poorly and generates many false-positive results. Our findings suggest that machine-learning models for abstract concepts such as privacy fail in practice despite good lab results.
To encourage future research, we release all our artifacts to the community
Recommended from our members
Verantwortungsbewusster Umgang mit IT-Sicherheitslücken : Problemlagen und Optimierungsoptionen für ein effizientes Zusammenwirken zwischen IT-Sicherheitsforschung und IT-Verantwortlichen
IT-Sicherheitslücken in Hard- und Software betreffen private, unternehmerische und auch staatliche Systeme. Sobald eine Ausnutzung der Lücken technisch möglich ist, stellen sie eine Bedrohung für die IT-Sicherheit aller Beteiligten dar. Konkret betroffen sind Bürger:innen und Unternehmen als Nutzende, Hersteller von Soft- und Hardware sowie staatliche (kritische) IT-Infrastruktur. Es ist daher im gesamtgesellschaftlichen Interesse, die Zahl der ausnutzbaren Sicherheitslücken so gering wie möglich zu halten. Dieses Whitepaper führt in die rechtlichen und praktischen Probleme der IT-Sicherheitsforschung ein. Zugleich zeigt es vor allem rechtliche Auswege auf, die perspektivisch zu einer rechtssicheren IT-Sicherheitsforschung führen
- …