Interprocedural control flow analysis of first-order programs with tail-call optimization. ACM Transactions on Programming Languages and Systems (TOPLAS).
Securing web application code by static analysis and runtime protection. Proceedings of the 13th International Conference on World Wide Web.
Detecting format string vulnerabilities with type qualifiers. SSYM'01: Proceedings of the 10th USENIX Security Symposium, Volume 10.
Finding security vulnerabilities in Java applications with static analysis. SSYM'05: Proceedings of the 14th USENIX Security Symposium, Volume 14.
An empirical security study of the native code in the JDK. SS'08: Proceedings of the 17th USENIX Security Symposium.
Understanding Android Security. IEEE Security and Privacy.
Control-flow analysis of function calls and returns by abstract interpretation. Proceedings of the 14th ACM SIGPLAN International Conference on Functional Programming.
On lightweight mobile phone application certification. Proceedings of the 16th ACM Conference on Computer and Communications Security.
Semantically Rich Application-Centric Security in Android. ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference.
Apex: extending Android permission model and enforcement with user-defined runtime constraints. ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security.
Securing Android-Powered Mobile Devices Using SELinux. IEEE Security and Privacy.
Retroactive detection of malware with applications to mobile platforms. HotSec'10: Proceedings of the 5th USENIX Conference on Hot Topics in Security.
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. OSDI'10: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation.
Privilege escalation attacks on Android. ISC'10: Proceedings of the 13th International Conference on Information Security.
Analyzing inter-application communication in Android. MobiSys '11: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services.
A study of Android application security. SEC'11: Proceedings of the 20th USENIX Conference on Security.
Permission re-delegation: attacks and defenses. SEC'11: Proceedings of the 20th USENIX Conference on Security.
Quire: lightweight provenance for smart phone operating systems. SEC'11: Proceedings of the 20th USENIX Conference on Security.
Combining control-flow integrity and static analysis for efficient and validated data sandboxing. Proceedings of the 18th ACM Conference on Computer and Communications Security.
Interprocedural analysis for privileged code placement and tainted variable detection. ECOOP'05: Proceedings of the 19th European Conference on Object-Oriented Programming.
SmartDroid: an automatic system for revealing UI-based trigger conditions in Android applications. Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices.
Towards unified authorization for Android. ESSoS'13: Proceedings of the 5th International Conference on Engineering Secure Software and Systems.
Towards an understanding of the impact of advertising on data leaks. International Journal of Security and Networks.
DroidAlarm: an all-sided static analysis tool for Android privilege-escalation malware. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security.
Android malware classification method: Dalvik bytecode frequency analysis. Proceedings of the 2013 Research in Adaptive and Convergent Systems.
Rethinking SSL development in an appified world. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security.
Vetting undesirable behaviors in Android apps with permission use analysis. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security.
AFrame: isolating advertisements from mobile applications in Android. Proceedings of the 29th Annual Computer Security Applications Conference.
A taxonomy of privilege escalation attacks in Android applications. International Journal of Security and Networks.
While Apple checks every app made available on the App Store, Google takes another approach and allows anyone to publish apps on the Android Market. The openness of the Android Market attracts both benign and malicious developers. The security of the Android platform relies mainly on sandboxing applications and restricting their capabilities so that no application, by default, can perform any operation that would adversely impact other applications, the operating system, or the user. However, recent research reported that a genuine but vulnerable application may leak its capabilities to other applications. When this leak is leveraged, other applications can gain capabilities that they were not originally granted. We present DroidChecker, an Android application analysis tool that searches for the aforementioned vulnerability in Android applications. DroidChecker uses interprocedural control flow graph searching and static taint checking to detect exploitable data paths in an Android application. We analyzed more than 1100 Android applications using DroidChecker and found 6 previously unknown vulnerable applications, including the renowned Adobe Photoshop Express application. We have also developed a malicious application that exploits the previously unknown vulnerability found in the Adobe Photoshop Express application. We show that the malicious application, which is not granted any permissions, can access contacts on the phone with just a few lines of code.