How dangerous is your Android app?
[9 January 2015]
Last December the 11th International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MobiQuitous 2014) was held in London; in the "Security and Privacy" session, my thesis co-author Tao presented a paper titled "How dangerous is your Android app? An evaluation methodology", which grew out of our thesis and was written together with our supervisors.
It was a great satisfaction to see our work welcomed and appreciated outside academia as well; the world of mobile malware, however, is constantly evolving, and however useful our contribution may be, it would need to be continually updated and developed further... but since I work neither in research nor in security, it is hard for me to devote the necessary energy to it!
The paper can be found via DOI 10.4108/icst.mobiquitous.2014.257832.
The abstract follows:
In the last decade, we have witnessed an unprecedented increase in the adoption of mobile devices. A substantial number of these devices run on the Android operating system. Android is an open-source operating system based on Linux, which provides a permission-based security model that requires each application to request explicit permissions (approved by the user) before it can be installed and run. However, end users cannot estimate application risk, so the user's decision is almost completely unrelated to the application risk level. Moreover, due to the platform's openness and the plethora of available software, dangerous apps (even if not necessarily malware) are now also very common on Android devices. In this paper we propose a new approach and a tool to evaluate the potential risk of Android application packages, to help end users' security awareness. The tool exploits both static and dynamic analysis techniques. It examines the correlations between the permissions an app requires and the APIs it invokes, as well as the contents of the package, and subsequently uses a dynamic analysis module to confirm the suspicions raised by the static modules. The risky activities detected by the analysis modules are then mapped into finer-grained risk categories and further evaluated using a fuzzy logic algorithm. Fuzzy logic aims to deal with the uncertainty that arises from the nature of automatic analysis, as not all detected activities are intended to cause harm. For the sake of both tech-uninterested and tech-savvy users, the results contain a simple numerical value showing the risk level plus a detailed report of detected activities and their mappings to the risk categories. Finally, we tested our software on a large set of real-world samples, demonstrating its efficiency and showing a reasonable capacity to identify and evaluate the potential risk of application packages, both benign and malicious ones.
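To make the static correlation step concrete, here is an added illustration of the idea (it is not the paper's tool and does not reproduce its scoring): declared permissions are read from a manifest, invoked framework APIs are pulled out of disassembled smali, each API is matched against a permission mapping, and the confirmed activities are bucketed into risk categories and turned into a single score with triangular fuzzy memberships. The manifest, the smali lines, the API-to-permission table, the categories, the weights and the membership functions are all constructed assumptions for this example; a real mapping such as PScout is far larger and version-specific.

```python
"""Toy permission/API correlation with a fuzzy-style risk score.

Added example, not the paper's tool. All tables and inputs below are
constructed assumptions made for illustration.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of an API -> permission mapping (assumption).
API_PERMISSIONS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": "android.permission.READ_PHONE_STATE",
    "Landroid/telephony/SmsManager;->sendTextMessage": "android.permission.SEND_SMS",
    "Landroid/telephony/SmsManager;->sendMultipartTextMessage": "android.permission.SEND_SMS",
    "Landroid/location/LocationManager;->getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "Ljava/net/HttpURLConnection;->connect": "android.permission.INTERNET",
}

# Constructed risk categories and category weights (assumption).
PERMISSION_CATEGORY = {
    "android.permission.READ_PHONE_STATE": "privacy",
    "android.permission.ACCESS_FINE_LOCATION": "privacy",
    "android.permission.SEND_SMS": "cost",
    "android.permission.INTERNET": "network",
}
CATEGORY_WEIGHT = {"privacy": 0.8, "cost": 1.0, "network": 0.4}

# Constructed sample manifest: one permission is declared but never used.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Constructed smali fragment: one API needs a permission the app never declared.
SMALI = """\
.method private collect()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v1, v2}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    invoke-virtual/range {v2 .. v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-virtual/range {v2 .. v6}, Landroid/telephony/SmsManager;->sendMultipartTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/util/ArrayList;Ljava/util/ArrayList;Ljava/util/ArrayList;)V
    invoke-virtual {v7}, Ljava/net/HttpURLConnection;->connect()V
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
.end method
"""

# Captures "Lpkg/Class;->method" from invoke-* instructions (skips <init>/<clinit>).
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, (L[\w/$]+;->\w+)\(")


def declared_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def invoked_apis(smali: str) -> set:
    return set(INVOKE_RE.findall(smali))


def correlate(perms: set, apis: set) -> dict:
    """Split mapped APIs into confirmed (permission held) and missing (not held);
    also report declared permissions no invoked API needs (over-privilege)."""
    confirmed, missing = {}, {}
    for api in sorted(apis):
        need = API_PERMISSIONS.get(api)
        if need is None:
            continue  # API not in our mapping: nothing to correlate
        (confirmed if need in perms else missing)[api] = need
    unused = sorted(perms - set(confirmed.values()))
    return {"confirmed": confirmed, "missing": missing, "unused": unused}


def fuzzify(count: float) -> dict:
    """Triangular memberships of an activity count in low/medium/high."""
    return {
        "low": max(0.0, min(1.0, (2.0 - count) / 2.0)),
        "medium": max(0.0, 1.0 - abs(count - 2.0) / 2.0),
        "high": max(0.0, min(1.0, (count - 2.0) / 2.0)),
    }


LEVEL_VALUE = {"low": 1.0, "medium": 5.0, "high": 9.0}  # crisp anchors on a 0..10 scale


def defuzzify(mu: dict) -> float:
    total = sum(mu.values())
    return sum(mu[k] * LEVEL_VALUE[k] for k in mu) / total if total else 0.0


def risk_score(findings: dict) -> tuple:
    """Per-category fuzzy score from confirmed activities; overall = weighted max."""
    counts = {}
    for perm in findings["confirmed"].values():
        cat = PERMISSION_CATEGORY[perm]
        counts[cat] = counts.get(cat, 0) + 1
    per_category = {cat: round(defuzzify(fuzzify(n)), 2) for cat, n in counts.items()}
    overall = max((CATEGORY_WEIGHT[c] * s for c, s in per_category.items()), default=0.0)
    return round(overall, 2), per_category


def analyze(manifest_xml: str, smali: str) -> dict:
    findings = correlate(declared_permissions(manifest_xml), invoked_apis(smali))
    score, per_category = risk_score(findings)
    return {"score": score, "categories": per_category, **findings}


if __name__ == "__main__":
    for key, value in analyze(MANIFEST, SMALI).items():
        print(f"{key}: {value}")
```

On the constructed sample the two SEND_SMS calls push the "cost" category to a medium membership of 1, which dominates the weighted maximum, while the location call is reported as "missing" because ACCESS_FINE_LOCATION is never declared (on pre-Marshmallow targets such a call throws a SecurityException, so it is a signal worth confirming dynamically rather than counting as an activity). The unused RECEIVE_BOOT_COMPLETED permission is surfaced as over-privilege without affecting the score; whether that should count is exactly the kind of uncertainty the fuzzy layer is meant to absorb.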
The paper has been cited in:
- Magnitude-based inference and its application in user research (International Journal of Human-Computer Studies - January 2016) - DOI: 10.1016/j.ijhcs.2016.01.002
- Examining the Relationship between Security Metrics and User Ratings of Mobile Apps: A Case Study (WAMA 2016 - Proceedings of the International Workshop on App Market Analytics - November 2016) - DOI: 10.1145/2993259.2993260
- Privacy Capsules: Preventing Information Leaks by Mobile Apps (MobiSys 2016 - Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services - June 2016) - DOI: 10.1145/2906388.2906409
- Andrana: Quick and Accurate Malware Detection for Android (Foundations and Practice of Security - December 2016) - DOI: 10.1007/978-3-319-51966-1_2
- Predicting Android Application Security and Privacy Risk with Static Code Metrics (2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft) - May 2017) - DOI: 10.1109/MOBILESoft.2017.14
- TPII: tracking personally identifiable information via user behaviors in HTTP traffic (Frontiers of Computer Science 14(3) - June 2020) - DOI: 10.1007/s11704-018-7451-z
- Enforcing Information-Flow Policies by Combining Static and Dynamic Analyses (PhD thesis of Andrew Bedford, Laval University - February 2019)
- DPerm: Assisting the Migration of Android Apps to Runtime Permissions (article by Denis Bogdanas - June 2017)