Blogs (1) >>
ASE 2019
Sun 10 - Fri 15 November 2019 San Diego, California, United States
ASE 2019 (series) / Research Papers /

A Qualitative Analysis of Android Taint-Analysis Results

Linghui Luo, Eric Bodden, Johannes Späth
ASE 2019 Research Papers
Tue 12 Nov 2019 13:40 - 14:00 at Hillcrest - Mobile 2 Chair(s): Myra Cohen

In the past, researchers have developed a number of popular taint-analysis approaches, particularly in the context of Android applications. Numerous studies have shown that automated code analyses are adopted by developers only if they yield a good “signal to noise ratio”, i.e., high precision. Many previous studies have reported analysis precision quantitatively, but this gives little insight into what can and should be done to increase precision further.

To guide future research on increasing precision, we present a comprehensive study that evaluates static Android taint-analysis results on a qualitative level. To unravel the exact nature of taint flows, we have designed COVA, an analysis tool to compute partial path constraints that inform about the circumstances under which taint flows may actually occur in practice.

We have conducted a qualitative study on the taint flows in 1,022 real-world Android applications. Our results reveal several key findings: Many taint flows occur only under specific conditions, e.g., environment settings, user interaction, I/O. Taint analyses should consider the application context to discern such situations. COVA shows that few taint flows are guarded by multiple different kinds of conditions simultaneously, so tools that seek to confirm true positives dynamically can concentrate on one kind at a time, e.g., only simulating user interactions. Lastly, many false positives arise due to a too liberal source/sink configuration. Taint analyses must be more carefully configured, and their configuration could benefit from better tool assistance.

https://linghuiluo.github.io/ASE19Cova.pdf
Linghui Luo
Linghui Luo
Paderborn University
Eric Bodden
Eric Bodden
Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM
Johannes Späth
Johannes Späth
Fraunhofer IEM
Germany

Tue 12 Nov

ase-2019-paper-presentations
13:40 - 15:20: Papers - Mobile 2 at Hillcrest
Chair(s): Myra CohenIowa State University
ase-2019-papers13:40 - 14:00
Talk		A Qualitative Analysis of Android Taint-Analysis Results
Linghui LuoPaderborn University, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Johannes SpäthFraunhofer IEM
Pre-print
ase-2019-papers14:00 - 14:20
Talk		Goal-Driven Exploration for Android Applications
Duling LaiUniversity of British Columbia, Julia RubinUniversity of British Columbia
Pre-print
ase-2019-papers14:20 - 14:40
Talk		RANDR: Record and Replay for Android Applications via Targeted Runtime Instrumentation
Onur SahinBoston University, Assel AliyevaBoston University, Hariharan MathavanBoston University, Ayse CoskunBoston University, Manuel EgeleBoston University, USA
ase-2019-Journal-First-Presentations14:40 - 15:00
Talk		Specifying Callback Control Flow of Mobile Apps Using Finite Automata
Danilo Dominguez PerezIowa State University, Wei LeIowa State University
Link to publication
ase-2019-papers15:00 - 15:20
Talk		MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis
Yueming WuHuazhong University of Science and Technology, Xiaodi LiUniversity of Texas at Dallas, Deqing ZouHuazhong University of Science and Technology, Wei YangUniversity of Texas at Dallas, Xin ZhangHuazhong University of Science and Technology, Hai JinHuazhong University of Science and Technology
Pre-print

A Qualitative Analysis of Android Taint-Analysis Results Research Papers

Session: Mobile 2 Chair(s): Myra CohenIowa State University

In the past, researchers have developed a number of popular taint-analysis approaches, particularly in the context of Android applications. Numerous studies have shown that automated code analyses are adopted by developers only if they yield a good “signal to noise ratio”, i.e., high precision. Many previous studies have reported analysis precision quantitatively, but this gives little insight into what can and should be done to increase precision further.

To guide future research on increasing precision, we present a comprehensive study that evaluates static Android taint-analysis results on a qualitative level. To unravel the exact nature of taint flows, we have designed COVA, an analysis tool to compute partial path constraints that inform about the circumstances under which taint flows may actually occur in practice.

We have conducted a qualitative study on the taint flows in 1,022 real-world Android applications. Our results reveal several key findings: Many taint flows occur only under specific conditions, e.g., environment settings, user interaction, I/O. Taint analyses should consider the application context to discern such situations. COVA shows that few taint flows are guarded by multiple different kinds of conditions simultaneously, so tools that seek to confirm true positives dynamically can concentrate on one kind at a time, e.g., only simulating user interactions. Lastly, many false positives arise due to a too liberal source/sink configuration. Taint analyses must be more carefully configured, and their configuration could benefit from better tool assistance.

Linghui Luo
Linghui Luo
Paderborn University
Eric Bodden
Eric Bodden
Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM
Johannes Späth
Johannes Späth
Fraunhofer IEM
Germany
All Details Close

Goal-Driven Exploration for Android Applications Research Papers

Session: Mobile 2 Chair(s): Myra CohenIowa State University

This paper proposes a solution for automated goal-driven exploration of Android applications – a scenario in which a user, e.g., security auditor, needs to dynamically trigger the functionality of interest in an application, e.g., to check whether user-sensitive info is only sent to recognized third-party servers. As the auditor might need to check hundreds or even thousands of apps, manually exploring each app to trigger the desired behavior is too time-consuming to be feasible. Existing automated application exploration and testing techniques are of limited help in this scenario as well, as their goal is mostly to identify faults by systematically exploring different app paths, rather than swiftly navigating to the target functionality.

The goal-driven application exploration approach proposed in this paper, called GoalExplorer, automatically generates an executable test script that directly triggers the functionality of interest. The core idea behind GoalExplorer is to first statically model the application UI screens and transitions between these screens, producing a Screen Transition Graph (STG). Then, GoalExplorer uses the STG to guide the dynamic exploration of the application to the particular target of interest: an Android activity, API call, or a program statement. The results of our empirical evaluation on 93 benchmark applications and 95 the most popular GooglePlay applications show that the STG is substantially more accurate than other Android app UI models and that \tool is able to trigger a target functionality much faster than existing application exploration and testing techniques.

small-avatar
Duling Lai
University of British Columbia
Julia Rubin
Julia Rubin
University of British Columbia
Canada
All Details Close

RANDR: Record and Replay for Android Applications via Targeted Runtime Instrumentation Research Papers

Session: Mobile 2 Chair(s): Myra CohenIowa State University

The ability to repeat the execution of a program is a fundamental requirement in many areas of computing from computer system evaluation to software engineering. Reproducing executions of mobile apps, in particular, has proven difficult under real-life scenarios due to multiple sources of external inputs and interactive nature of the apps. Previous works that provide record/replay functionality for mobile apps are restricted to particular input sources (e.g., touchscreen events) and present deployment challenges due to intrusive modifications to the underlying software stack. Moreover, due to their reliance on record and replay of device specific events, the recorded executions cannot be reliably reproduced across different platforms.

In this paper, we present a new practical approach, RandR, for record and replay of Android applications. RandR captures and replays multiple sources of input (i.e., UI and network) without requiring source code (OS or app), administrative device privileges, or any special platform support. RandR achieves these qualities by instrumenting a select set of methods at runtime within an application’s own sandbox. In addition, to enable portability of recorded executions across different platforms for replay, RandR contextualizes UI events as interactions with particular UI components (e.g., a button) as opposed to relying on platform specific features (e.g., screen coordinates). We demonstrate RandR’s accurate cross-platform record and replay capabilities using over 30 real-world Android apps across a variety of platforms including emulators as well as commercial off-the-shelf mobile devices deployed in real life.

small-avatar
Onur Sahin
Boston University
small-avatar
Assel Aliyeva
Boston University
small-avatar
Hariharan Mathavan
Boston University
small-avatar
Ayse Coskun
Boston University
Manuel Egele
Manuel Egele
Boston University, USA
United States
All Details Close

Specifying Callback Control Flow of Mobile Apps Using Finite Automata Journal First Presentations

Session: Mobile 2 Chair(s): Myra CohenIowa State University

Given the event-driven and framework-based architecture of Android apps, finding the ordering of callbacks executed by the framework remains a problem that affects every tool that requires inter-callback reasoning. Previous work has focused on the ordering of callbacks related to the Android components and GUI events. But the execution of callbacks can also come from direct calls of the framework (API calls). This paper defines a novel program representation, called Callback Control Flow Automata (CCFA), that specifies the control flow of callbacks invoked via a variety of sources. We present an analysis to automatically construct CCFAs by combining two callback control flow representations developed from the previous research, namely, Window Transition Graphs (WTGs) and Predicate Callback Summaries (PCSs). To demonstrate the usefulness of our representation, we integrated CCFAs into two client analyses: a taint analysis using FLOWDROID, and a value-flow analysis that computes source and sink pairs of a program. Our evaluation shows that we can compute CCFAs efficiently and that CCFAs improved the callback coverages over WTGs. As a result of using CCFAs, we obtained 33 more true positive security leaks than FLOWDROID over a total of 55 apps we have run. With a low false positive rate, we found that 22.76% of source-sink pairs we computed are located in different callbacks and that 31 out of 55 apps contain source-sink pairs spreading across components. Thus, callback control flow graphs and inter-callback analysis are indeed important. Although this paper mainly uses Android, we believe that CCFAs can be useful for modeling control flow of callbacks for other event-driven, framework-based systems.

Link to Publication: https://ieeexplore.ieee.org/document/8613913

Danilo Dominguez Perez
Danilo Dominguez Perez
Iowa State University
Panama
Wei Le
Wei Le
Iowa State University
All Details Close

MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis Research Papers

Session: Mobile 2 Chair(s): Myra CohenIowa State University

Malware scanning of an app market is expected to be scalable and effective. However, existing approaches use either syntax-based features which can be evaded by transformation attacks or semantic-based features which are usually extracted by performing expensive program analysis. Therefore, in this paper, we propose a lightweight graph-based approach to perform Android malware detection. Instead of traditional heavyweight static analysis, we treat function call graphs of apps as social networks and perform social-network-based centrality analysis to represent the semantic features of the graphs. Our key insight is that centrality provides a succinct and fault- tolerant representation of graph semantics, especially for graphs with certain amount of inaccurate information (e.g., inaccurate call graphs). We implement a prototype system, MalScan, and evaluate it on datasets of 15,285 benign samples and 15,430 malware samples. Experimental results show that MalScan is capable of detecting Android malware with up to 98% accuracy under one second which is more than 100 times faster than two state-of-the-art approaches, namely MaMaDroid and Drebin. We also demonstrate the feasibility of MalScan on market-wide malware scanning by performing a statistical study on over 3 million apps. Finally, in a corpus of dataset collected from Google-Play app market, MalScan is able to identify 18 zero-day malware including malware samples that can evade detection of existing tools.

small-avatar
Yueming Wu
Huazhong University of Science and Technology
China
small-avatar
Xiaodi Li
University of Texas at Dallas
small-avatar
Deqing Zou
Huazhong University of Science and Technology
Wei Yang
Wei Yang
University of Texas at Dallas
United States
Xin Zhang
Xin Zhang
Huazhong University of Science and Technology
China
small-avatar
Hai Jin
Huazhong University of Science and Technology
All Details Close