In the app releasing process, Android requires all apps to be digitally signed with a certificate before distribution. Android uses this certificate to identify the author and ensure the integrity of an app. However, a number of signature issues have been reported recently, threatening the security and privacy of Android apps. In this paper, we present the first large-scale systematic measurement study on issues related to Android app signatures. We first create a taxonomy covering four types of app signing issues (21 anti-patterns in total), including vulnerabilities, potential attacks, release bugs and compatibility issues. Then we developed an automated tool to characterize signature-related issues in over 5 million app items (3 million distinct apks) crawled from Google Play and 24 alternative Android app markets. Our empirical findings suggested that although Google has introduced apk-level signing schemes (V2 and V3) to overcome some of the known security issues, more than 93% of the apps still use only the JAR signing schemes (V1), which poses great security threats. Besides, we also revealed that 7% to 45% of the apps in the 25 studied markets have been found containing at least one signing issue, while a large number of apps have been exposed to security vulnerabilities, attacks and compatibility issues. Among them a considerable number of apps we identified are popular apps with millions of downloads. Finally, our evolution analysis suggested that most of the issues were not mitigated after considerable amounts of time across markets. The results demonstrate the emergency for detecting and repairing app signing issues.
Tue 12 Nov
16:00 - 16:20 Talk | Performance-Boosting Sparsification of the IFDS Algorithm with Applications to Taint AnalysisACM SIGSOFT Distinguished Paper Award Dongjie HeUniversity of New South Wales; Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Haofeng LiInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Lei WangInstitute of Computing Technology, Chinese Academy of Science, Haining MengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Hengjie ZhengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Jie LiuUniversity of New South Wales, Shuangwei Huvivo AI Lab, Lian LiInstitute of Computing Technology at Chinese Academy of Sciences, China, Jingling XueUNSW Sydney | |||||||||||||||||||||||||||||||||||||||||
16:20 - 16:40 Talk | Characterizing Android App Signing Issues Haoyu WangBeijing University of Posts and Telecommunications, China, Hongxuan LiuPeking University, Xusheng XiaoCase Western Reserve University, Guozhu MengInstitute of Information Engineering, Chinese Academy of Sciences, Yao GuoPeking University | |||||||||||||||||||||||||||||||||||||||||
16:40 - 17:00 Talk | OAuthLint: An Empirical Study on OAuth Bugs in Android Applications Tamjid Al RahatUniversity of Virginia, Yu FengUniversity of California, Santa Barbara, Yuan TianUniversity of Virginia Pre-print | |||||||||||||||||||||||||||||||||||||||||
17:00 - 17:20 Talk | Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities? Link to publication DOI Pre-print Media Attached | |||||||||||||||||||||||||||||||||||||||||
17:20 - 17:30 Demonstration | SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods Goran PiskachevFraunhofer IEM, Lisa Nguyen Quang DoGoogle, Oshando JohnsonFraunhofer IEM, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM Pre-print Media Attached File Attached | |||||||||||||||||||||||||||||||||||||||||
17:30 - 17:40 Demonstration | Sip4J: Statically Inferring Access Permission Contracts for Parallelising Sequential Java Programs Ayesha SadiqMonash University, Li LiMonash University, Australia, Yuan-Fang LiMonash University, Ijaz AhmedUniversity of Lahore, Sea LingMonash University |