On the effectiveness of API-level access control using bytecode rewriting in Android

Authors:
Hao Hao;Vicky Singh;Wenliang Du
Affiliations:
Syracuse University, Syracuse, NY, USA;Syracuse University, Syracuse, NY, USA;Syracuse University, Syracuse, NY, USA
Venue:
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Year:
2013

Citing 8
Cited 2

Object-Oriented Programming and Java

Object-Oriented Programming and Java
Apex: extending Android permission model and enforcement with user-defined runtime constraints

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Analyzing inter-application communication in Android

MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
Taming information-stealing smartphone applications (on Android)

TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
These aren't the droids you're looking for: retrofitting android to protect data from imperious applications

Proceedings of the 18th ACM conference on Computer and communications security
Aurasium: practical policy enforcement for Android applications

Security'12 Proceedings of the 21st USENIX conference on Security symposium

Structural detection of android malware using embedded call graphs

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Compac: enforce component-level access control in android

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Bytecode rewriting on Android applications has been widely adopted to implement fine-grained access control. It endows more flexibility and convenience without modifying the Android platform. Bytecode rewriting uses static analysis to identify the usage of security-sensitive API methods, before it instruments the bytecode to control the access to these API calls. Due to the significance of this technique, the effectiveness of its performance in providing fine-grained access control is crucial. We have provided a systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on Android Operating System. In our evaluation, we have identified a number of potential attacks targeted at incomplete implementations of bytecode rewriting on Android OS, which can be applied to bypass access control imposed by bytecode rewriter. These attacks can either bypass the API-level access control or make such access control difficult to implement, exposing weak links in the bytecode rewriting process. Recommendations on engineering secure bytecode rewriting tools are presented based on the identified attacks. This work is the first systematic study on the effectiveness of using bytecode rewriting for API-level access control.