Vision: automated security validation of mobile apps at app markets

Authors:
Peter Gilbert;Byung-Gon Chun;Landon P. Cox;Jaeyeon Jung
Affiliations:
Duke University, Durham, NC, USA;Yahoo! Research, Santa Clara, CA, USA;Duke University, Durham, NC, USA;University of Washington, Seattle, WA, USA
Venue:
MCS '11 Proceedings of the second international workshop on Mobile cloud computing and services
Year:
2011

Citing 13
Cited 17

Symbolic execution and program testing

Communications of the ACM
Backtracking intrusions

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
CUTE: a concolic unit testing engine for C

Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
EXE: automatically generating inputs of death

Proceedings of the 13th ACM conference on Computer and communications security
Dytan: a generic dynamic taint analysis framework

Proceedings of the 2007 international symposium on Software testing and analysis
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
CloudAV: N-version antivirus in the network cloud

SS'08 Proceedings of the 17th conference on Security symposium
Automated software testing as a service

Proceedings of the 1st ACM symposium on Cloud computing
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs

OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Paranoid Android: versatile protection for smartphones

Proceedings of the 26th Annual Computer Security Applications Conference
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
S2E: a platform for in-vivo multi-path analysis of software systems

Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems
CloneCloud: elastic execution between mobile device and cloud

Proceedings of the sixth conference on Computer systems

Defending users against smartphone apps: techniques and future directions

ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Identifying spam in the iOS app store

Proceedings of the 2nd Joint WICOW/AIRWeb Workshop on Web Quality
Towards a trustworthy service marketplace for the future internet

The Future Internet
User-aware privacy control via extended static-information-flow analysis

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Towards verifying android apps for the absence of no-sleep energy bugs

HotPower'12 Proceedings of the 2012 USENIX conference on Power-Aware Computing and Systems
Insights into layout patterns of mobile user interfaces by an automatic analysis of android apps

Proceedings of the 5th ACM SIGCHI symposium on Engineering interactive computing systems
Dynodroid: an input generation system for Android apps

Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
DEMO: Enabling trusted stores for android

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
AppIntent: analyzing sensitive data transmission in android for privacy leakage detection

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Vetting undesirable behaviors in android apps with permission use analysis

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Unauthorized origin crossing on mobile platforms: threats and mitigation

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Mobile Testing

ACM SIGSOFT Software Engineering Notes
Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies

SEC'13 Proceedings of the 22nd USENIX conference on Security
Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis

SEC'13 Proceedings of the 22nd USENIX conference on Security
Systematic audit of third-party android phones

Proceedings of the 4th ACM conference on Data and application security and privacy
DECAF: detecting and characterizing ad fraud in mobile apps

NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation

Quantified Score

Hi-index	0.00

Visualization

Abstract

Smartphones and "app" markets are raising concerns about how third-party applications may misuse or improperly handle users' privacy-sensitive data. Fortunately, unlike in the PC world, we have a unique opportunity to improve the security of mobile applications thanks to the centralized nature of app distribution through popular app markets. Thorough validation of apps applied as part of the app market admission process has the potential to significantly enhance mobile device security. In this paper, we propose AppInspector, an automated security validation system that analyzes apps and generates reports of potential security and privacy violations. We describe our vision for making smartphone apps more secure through automated validation and outline key challenges such as detecting and analyzing security and privacy violations, ensuring thorough test coverage, and scaling to large numbers of apps.