Tracking Explicit and Control Flows in Java and Native Android Apps Code

Mariem Graa, Nora Cuppens-Boulahia, Frédéric Cuppens, Jean-Louis Lanet

Abstract

The native app development is increased in Android systems to implement CPU-intensive applications such as game engines, signal processing, and physics simulation. However, native code analysis is very difficult and requires a lot of time which explains the limited number of systems that track information flow in native libraries. But, none of them detects the sensitive information leakage through control flows at native level. In this paper, we combine dynamic and static taint analysis to propagate taint along control dependencies. Our approach has proven to be effective in analyzing several malicious Android applications that invoke native librairies with reasonable performance overheads.

References

  1. Aho, A. V., Sethi, R., and Ullman, J. D. (1986). Compilers: principles, techniques, and tools. AddisonWesley Longman Publishing Co., Inc., Boston, MA, USA.
  2. Allen, F. E. (1970). Control flow analysis. ACM Sigplan Notices, 5(7):1-19.
  3. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., and McDaniel, P. (2014). Flowdroid: Precise context, flow, field, objectsensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Notices, 49(6).
  4. Bench (2011). Cf-bench. http://bench.chainfire.eu/.
  5. Blasing, T., Batyuk, L., Schmidt, A.-D., Camtepe, S. A., and Albayrak, S. (2010). An android application sandbox system for suspicious software detection. In Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on, pages 55-62. IEEE.
  6. Brown, J. and Knight Jr, T. (2001). A minimal trusted computing base for dynamically ensuring secure information flow. Project Aries TM-015 (November 2001).
  7. Burguera, I., Zurutuza, U., and Nadjm-Tehrani, S. (2011). Crowdroid: behavior-based malware detection system for android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pages 15-26. ACM.
  8. Cavallaro, L., Saxena, P., and Sekar, R. (2008). On the limits of information flow techniques for malware analysis and containment. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 143- 163. Springer.
  9. Chin, E., Felt, A. P., Greenwood, K., and Wagner, D. (2011). Analyzing inter-application communication in android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, pages 239-252. ACM.
  10. Clause, J., Li, W., and Orso, A. (2007). Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 international symposium on Software testing and analysis, pages 196-206. ACM.
  11. Denning, D. (1975). Secure information flow in computer systems. PhD thesis, Purdue University.
  12. Egele, M., Kruegel, C., Kirda, E., Yin, H., and Song, D. (2007). Dynamic spyware analysis. In Usenix Annual Technical Conference.
  13. Enck, W., Gilbert, P., Chun, B., Cox, L., Jung, J., McDaniel, P., and Sheth, A. (2010). Taintdroid: An informationflow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX conference on Operating systems design and implementation, pages 1-6. USENIX Association.
  14. Enck, W., Octeau, D., McDaniel, P., and Chaudhuri, S. (2011). A study of android application security. In USENIX security symposium.
  15. Fedler, R., Kulicke, M., and Sch ütte, J. (2013). Native code execution control for attack mitigation on android. In Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices, pages 15-20. ACM.
  16. Fenton, J. (1974). Memoryless subsystem. Computer Journal, 17(2):143-147.
  17. Fuchs, A. P., Chaudhuri, A., and Foster, J. S. (2009). Scandroid: Automated security certification of android applications. Manuscript, Univ. of Maryland.
  18. Google (2015). dex2jar. http://code.google.com/p/dex2jar/.
  19. Graa, M., Cuppens-Boulahia, N., Cuppens, F., and Cavalli, A. (2012). Detecting control flow in smarphones: combining static and dynamic analyses. In Proceedings of the 4th international conference on Cyberspace Safety and Security, pages 33-47, Berlin, Heidelberg. Springer-Verlag.
  20. Graa, M., Cuppens-Boulahia, N., Cuppens, F., and Cavalli, A. (2013). Formal characterization of illegal control flow in android system. In Proceedings of the 9th International Conference on Signal Image Technology & Internet Systems. IEEE.
  21. Graa, M., Cuppens-Boulahia, N., Cuppens, F., and Cavalli, A. (2014). Detection of illegal control flow in android system: Protecting private data used by smartphone apps. In Foundations and Practice of Security, pages 337-346. Springer.
  22. Grace, M., Zhou, Y., Zhang, Q., Zou, S., and Jiang, X. (2012). Riskranker: scalable and accurate zero-day android malware detection. In Proceedings of the 10th international conference on Mobile systems, applications, and services, pages 281-294. ACM.
  23. Hornyack, P., Han, S., Jung, J., Schechter, S., and Wetherall, D. (2011). These aren't the droids you're looking for: retrofitting android to protect data from imperious applications. In Proceedings of the 18th ACM conference on Computer and communications security, pages 639-652. ACM.
  24. Java (2015). Java decompiler. http://jd.benow.ca/.
  25. Kang, M., McCamant, S., Poosankam, P., and Song, D. (2011). Dta++: Dynamic taint analysis with targeted control-flow propagation. In Proc. of the 18th Annual Network and Distributed System Security Symp. San Diego, CA.
  26. Portokalidis, G., Homburg, P., Anagnostakis, K., and Bos, H. (2010). Paranoid android: versatile protection for smartphones. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 347- 356. ACM.
  27. Qian, C., Luo, X., Shao, Y., and Chan, A. T. (2014). On tracking information flows through jni in android applications. In Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on, pages 180-191. IEEE.
  28. Reina, A., Fattori, A., and Cavallaro, L. (2013). A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. EuroSec, April.
  29. Rob van der Meulen, J. R. (2013). Gartner says smartphone sales accounted for 55 percent of overall mobile phone sales in third quarter of 2013. http://www.gartner.com/newsroom/id/2623415.
  30. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M., Liang, Z., Newsome, J., Poosankam, P., and Saxena, P. (2008). Bitblaze: A new approach to computer security via binary analysis. Information Systems Security, pages 1-25.
  31. sourceware (2015). Objdump. https://sourceware.org /binutils/docs/binutils/objdump.html.
  32. Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., and Hoffmann, J. (2013). Mobile-sandbox: Having a deeper look into android applications. In Proceedings of the 28th Annual ACM Symposium on Applied Computing, pages 1808-1815. ACM.
  33. WANG, C. and SHIEH, S. W. (2015). Droit: Dynamic alternation of dual-level tainting for malware analysis. JOURNAL OF INFORMATION SCIENCE AND ENGINEERING, 31:111-129.
  34. Warren, C. (2013). Google play hits 1 million apps. http://mashable.com/2013/07/24/google-play1-million/.
  35. Wiki (2015). Qemu open source processor emulator. http://wiki.qemu.org/Main Page/.
  36. Yan, L.-K. and Yin, H. (2012). Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In USENIX Security Symposium, pages 569-584.
  37. Yin, H., Song, D., Egele, M., Kruegel, C., and Kirda, E. (2007). Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 116-127. ACM.
  38. Zhou, Y., Wang, Z., Zhou, W., and Jiang, X. (2012). Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. InNDSS.
Download


Paper Citation


in Harvard Style

Graa M., Cuppens-Boulahia N., Cuppens F. and Lanet J. (2016). Tracking Explicit and Control Flows in Java and Native Android Apps Code . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 307-316. DOI: 10.5220/0005686603070316


in Bibtex Style

@conference{icissp16,
author={Mariem Graa and Nora Cuppens-Boulahia and Frédéric Cuppens and Jean-Louis Lanet},
title={Tracking Explicit and Control Flows in Java and Native Android Apps Code},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={307-316},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005686603070316},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Tracking Explicit and Control Flows in Java and Native Android Apps Code
SN - 978-989-758-167-0
AU - Graa M.
AU - Cuppens-Boulahia N.
AU - Cuppens F.
AU - Lanet J.
PY - 2016
SP - 307
EP - 316
DO - 10.5220/0005686603070316