A study of android application security

Authors:
William Enck;Damien Octeau;Patrick McDaniel;Swarat Chaudhuri
Affiliations:
Systems and Internet Infrastructure Security Laboratory, Department of Computer Science and Engineering, The Pennsylvania State University;Systems and Internet Infrastructure Security Laboratory, Department of Computer Science and Engineering, The Pennsylvania State University;Systems and Internet Infrastructure Security Laboratory, Department of Computer Science and Engineering, The Pennsylvania State University;Systems and Internet Infrastructure Security Laboratory, Department of Computer Science and Engineering, The Pennsylvania State University
Venue:
SEC'11 Proceedings of the 20th USENIX conference on Security
Year:
2011

Citing 21
Cited 74

Type inference problems: a survey

MFCS '90 Proceedings on Mathematical foundations of computer science 1990
Optimizing Java Bytecode Using the Soot Framework: Is It Feasible?

CC '00 Proceedings of the 9th International Conference on Compiler Construction
Decompiling Java Bytecode: Problems, Traps and Pitfalls

CC '02 Proceedings of the 11th International Conference on Compiler Construction
Using Programmer-Written Compiler Extensions to Catch Security Holes

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Decompiling Java using staged encapsulation

WCRE '01 Proceedings of the Eighth Working Conference on Reverse Engineering (WCRE'01)
Finding bugs is easy

OOPSLA '04 Companion to the 19th annual ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications
Model Checking An Entire Linux Distribution for Security Violations

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Behavior-based spyware detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Krakatoa: decompilation in java (dose bytecode reveal source?)

COOTS'97 Proceedings of the 3rd conference on USENIX Conference on Object-Oriented Technologies (COOTS) - Volume 3
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
Dynamic spyware analysis

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Securing Java code: heuristics and an evaluation of static analysis tools

Proceedings of the 2008 workshop on Static analysis
Privacy oracle: a system for finding application leaks with black box differential testing

Proceedings of the 15th ACM conference on Computer and communications security
Understanding Android Security

IEEE Security and Privacy
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Not So Great Expectations: Why Application Markets Haven't Failed Security

IEEE Security and Privacy
Porscha: policy oriented secure content handling in Android

Proceedings of the 26th Annual Computer Security Applications Conference
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Toward automated detection of logic vulnerabilities in web applications

USENIX Security'10 Proceedings of the 19th USENIX conference on Security

Analyzing inter-application communication in Android

MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
Crowdroid: behavior-based malware detection system for Android

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
L4Android: a generic operating system framework for secure smartphones

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
Smartphone security limitations: conflicting traditions

Proceedings of the 2011 Workshop on Governance of Technology, Information, and Policies
Detecting repackaged smartphone applications in third-party android marketplaces

Proceedings of the second ACM conference on Data and Application Security and Privacy
Defending users against smartphone apps: techniques and future directions

ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Unsafe exposure analysis of mobile in-app advertisements

Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
DroidChecker: analyzing android applications for capability leak

Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
Challenges for dynamic analysis of iOS applications

iNetSec'11 Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security
Dexpler: converting Android Dalvik bytecode to Jimple for static analysis with Soot

Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis
Android permissions: a perspective combining risks and benefits

Proceedings of the 17th ACM symposium on Access Control Models and Technologies
RiskRanker: scalable and accurate zero-day android malware detection

Proceedings of the 10th international conference on Mobile systems, applications, and services
Android permissions: user attention, comprehension, and behavior

Proceedings of the Eighth Symposium on Usable Privacy and Security
ProfileDroid: multi-layer profiling of android applications

Proceedings of the 18th annual international conference on Mobile computing and networking
User-aware privacy control via extended static-information-flow analysis

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Aurasium: practical policy enforcement for Android applications

Security'12 Proceedings of the 21st USENIX conference on Security symposium
DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis

Security'12 Proceedings of the 21st USENIX conference on Security symposium
AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale

TRUST'12 Proceedings of the 5th international conference on Trust and Trustworthy Computing
Expectation and purpose: understanding users' mental models of mobile app privacy through crowdsourcing

Proceedings of the 2012 ACM Conference on Ubiquitous Computing
Dr. Android and Mr. Hide: fine-grained permissions in android applications

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: enhancing users' comprehension of android permissions

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Reducing attack surfaces for intra-application communication in android

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Understanding and improving app installation security mechanisms through empirical analysis of android

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Why eve and mallory love android: an analysis of android SSL (in)security

Proceedings of the 2012 ACM conference on Computer and communications security
PScout: analyzing the Android permission specification

Proceedings of the 2012 ACM conference on Computer and communications security
CHEX: statically vetting Android apps for component hijacking vulnerabilities

Proceedings of the 2012 ACM conference on Computer and communications security
Using probabilistic generative models for ranking risks of Android apps

Proceedings of the 2012 ACM conference on Computer and communications security
Collaborative TCP sequence number inference attack: how to crack sequence number under a second

Proceedings of the 2012 ACM conference on Computer and communications security
Towards verifying android apps for the absence of no-sleep energy bugs

HotPower'12 Proceedings of the 2012 USENIX conference on Power-Aware Computing and Systems
Retargeting Android applications to Java bytecode

Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
Android application's copyright protection technology based on forensic mark

Proceedings of the 2012 ACM Research in Applied Computation Symposium
Exposing security risks for commercial mobile devices

MMM-ACNS'12 Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security
Permission evolution in the Android ecosystem

Proceedings of the 28th Annual Computer Security Applications Conference
Abusing cloud-based browsers for fun and profit

Proceedings of the 28th Annual Computer Security Applications Conference
Permission-based abnormal application detection for android

ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
Fast, scalable detection of "Piggybacked" mobile applications

Proceedings of the third ACM conference on Data and application security and privacy
Sweetening android lemon markets: measuring and combating malware in application marketplaces

Proceedings of the third ACM conference on Data and application security and privacy
AppsPlayground: automatic security analysis of smartphone applications

Proceedings of the third ACM conference on Data and application security and privacy
AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users

Proceedings of the third ACM conference on Data and application security and privacy
Portability evaluation of cryptographic libraries on android smartphones

CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
MAST: triage for market-scale mobile malware analysis

Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks
ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing

Proceeding of the 11th annual international conference on Mobile systems, applications, and services
RetroSkeleton: retrofitting android apps

Proceeding of the 11th annual international conference on Mobile systems, applications, and services
Slicing droids: program slicing for smali code

Proceedings of the 28th Annual ACM Symposium on Applied Computing
Supporting visual security cues for WebView-based Android apps

Proceedings of the 28th Annual ACM Symposium on Applied Computing
ADAM: an automatic and extensible platform to stress test android anti-virus systems

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
MeadDroid: detecting monetary theft attacks in android by DVM monitoring

ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Role mining algorithm evaluation and improvement in large volume android applications

Proceedings of the first international workshop on Security in embedded systems and smartphones
When it's better to ask forgiveness than get permission: attribution mechanisms for smartphone resources

Proceedings of the Ninth Symposium on Usable Privacy and Security
Rise of the planet of the apps: a systematic study of the mobile app ecosystem

Proceedings of the 2013 conference on Internet measurement conference
Filtering illegal Android application based on feature information

Proceedings of the 2013 Research in Adaptive and Convergent Systems
Design of a mobile inspector for detecting illegal Android applications using fingerprinting

Proceedings of the 2013 Research in Adaptive and Convergent Systems
Identity, location, disease and more: inferring your secrets from android public resources

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
AppIntent: analyzing sensitive data transmission in android for privacy leakage detection

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
The impact of vendor customizations on android security

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Easily instrumenting android applications for security purposes

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Structural detection of android malware using embedded call graphs

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
AndroSimilar: robust statistical feature signature for Android malware detection

Proceedings of the 6th International Conference on Security of Information and Networks
Crossover: secure and usable user interface for mobile devices with multiple isolated OS personalities

Proceedings of the 29th Annual Computer Security Applications Conference
FireDroid: hardening security in almost-stock Android

Proceedings of the 29th Annual Computer Security Applications Conference
Launching generic attacks on iOS with approved third-party applications

ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
WHYPER: towards automating risk assessment of mobile applications

SEC'13 Proceedings of the 22nd USENIX conference on Security
Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis

SEC'13 Proceedings of the 22nd USENIX conference on Security
An operational semantics for android activities

Proceedings of the ACM SIGPLAN 2014 Workshop on Partial Evaluation and Program Manipulation
RiskMon: continuous and automated risk assessment of mobile applications

Proceedings of the 4th ACM conference on Data and application security and privacy
Systematic audit of third-party android phones

Proceedings of the 4th ACM conference on Data and application security and privacy
Compac: enforce component-level access control in android

Proceedings of the 4th ACM conference on Data and application security and privacy
Large-scale machine learning-based malware detection: confronting the "10-fold cross validation" scheme with reality

Proceedings of the 4th ACM conference on Data and application security and privacy
Repackaging Attack on Android Banking Applications and Its Countermeasures

Wireless Personal Communications: An International Journal
Load time code validation for mobile phone Java Cards

Journal of Information Security and Applications
Information leakage through mobile analytics services

Proceedings of the 15th Workshop on Mobile Computing Systems and Applications
Detecting mobile malware threats to homeland security through static analysis

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The fluidity of application markets complicate smartphone security. Although recent efforts have shed light on particular security issues, there remains little insight into broader security characteristics of smartphone applications. This paper seeks to better understand smartphone application security by studying 1,100 popular free Android applications. We introduce the ded decompiler, which recovers Android application source code directly from its installation image. We design and execute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. Our analysis uncovered pervasive use/misuse of personal/ phone identifiers, and deep penetration of advertising and analytics networks. However, we did not find evidence of malware or exploitable vulnerabilities in the studied applications. We conclude by considering the implications of these preliminary findings and offer directions for future analysis.