Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis

Authors:
Damien Octeau;Patrick McDaniel;Somesh Jha;Alexandre Bartel;Eric Bodden;Jacques Klein;Yves Le Traon
Affiliations:
Department of Computer Science and Engineering, Pennsylvania State University;Department of Computer Science and Engineering, Pennsylvania State University;Computer Sciences Department, University of Wisconsin;Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg;EC SPRIDE, Technische Universität Darmstadt;Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg;Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg
Venue:
SEC'13 Proceedings of the 22nd USENIX conference on Security
Year:
2013

Citing 26
Cited 1

Precise interprocedural dataflow analysis with applications to constant propagation

TAPSOFT '95 Selected papers from the 6th international joint conference on Theory and practice of software development
Optimizing Java Bytecode Using the Soot Framework: Is It Feasible?

CC '00 Proceedings of the 9th International Conference on Compiler Construction
The Confused Deputy: (or why capabilities might have been invented)

ACM SIGOPS Operating Systems Review
Understanding Android Security

IEEE Security and Privacy
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Precise analysis of string expressions

SAS'03 Proceedings of the 10th international conference on Static analysis
Scaling Java points-to analysis using SPARK

CC'03 Proceedings of the 12th international conference on Compiler construction
A methodology for empirical analysis of permission-based security models and its application to android

Proceedings of the 17th ACM conference on Computer and communications security
Not So Great Expectations: Why Application Markets Haven't Failed Security

IEEE Security and Privacy
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Privilege escalation attacks on android

ISC'10 Proceedings of the 13th international conference on Information security
Vision: automated security validation of mobile apps at app markets

MCS '11 Proceedings of the second international workshop on Mobile cloud computing and services
Analyzing inter-application communication in Android

MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
The effectiveness of application permissions

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
A study of android application security

SEC'11 Proceedings of the 20th USENIX conference on Security
Permission re-delegation: attacks and defenses

SEC'11 Proceedings of the 20th USENIX conference on Security
Quire: lightweight provenance for smart phone operating systems

SEC'11 Proceedings of the 20th USENIX conference on Security
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
These aren't the droids you're looking for: retrofitting android to protect data from imperious applications

Proceedings of the 18th ACM conference on Computer and communications security
Defending users against smartphone apps: techniques and future directions

ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Unsafe exposure analysis of mobile in-app advertisements

Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
Inter-procedural data-flow analysis with IFDS/IDE and Soot

Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis
SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
CHEX: statically vetting Android apps for component hijacking vulnerabilities

Proceedings of the 2012 ACM conference on Computer and communications security
Retargeting Android applications to Java bytecode

Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering

Static Reference Analysis for GUI Objects in Android Software

Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization

Quantified Score

Hi-index	0.00

Visualization

Abstract

Many threats present in smartphones are the result of interactions between application components, not just artifacts of single components. However, current techniques for identifying inter-application communication are ad hoc and do not scale to large numbers of applications. In this paper, we reduce the discovery of inter-component communication (ICC) in smartphones to an instance of the Interprocedural Distributive Environment (IDE) problem, and develop a sound static analysis technique targeted to the Android platform. We apply this analysis to 1,200 applications selected from the Play store and characterize the locations and substance of their ICC. Experiments show that full specifications for ICC can be identified for over 93% of ICC locations for the applications studied. Further the analysis scales well; analysis of each application took on average 113 seconds to complete. Epicc, the resulting tool, finds ICC vulnerabilities with far fewer false positives than the next best tool. In this way, we develop a scalable vehicle to extend current security analysis to entire collections of applications as well as the interfaces they export.