Shinichi Matsumoto
ABSTRACT
Nowadays, smartphone market has been growing rapidly, and smartphone has become essential as a business tool. One of the crucial advantages of a smartphone is an installable third-party application. Number of these has continued to grow explosively.
However, vulnerabilities in smartphone applications are seemed as serious problem. This is not only for the smartphone users, also for smartphone application developers and/or vendors.
Until now, most vulnerability tests on smartphone applications are targeted that has been packaged as a commercial product and distributed in application marketplaces. These tests are performed on dynamically on application binaries.
In this paper, we aim to develop the static vulnerability verification tool that can be utilized for smartphone application developers and/or vendors in the implementation and/or test phase of development process.
This tool intakes source codes and determine where to read the privacy information in the source codes, and determine where to write/send the information in there.
Then analyze the privacy information transfer and/or transform flow and report the possibilities of privacy information leakage to application developers.
- Aho, A. V., Sethi, R. and Ullman, J. D., Compilers: Principles, Techniques, and Tools, Prentice Hall, New Jersey, 2006. Google Scholar
Digital Library
- Appel, A. W. and Palsberg, J., Modern Compiler Implementation in Java, Cambridge University Press, 2002. Google ScholarDigital Library
- Asher, A., Skype-Skype Security blog- {Fixed} Privacy vulnerability in Skype for Android, 2011, http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.htmlGoogle Scholar
- Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A. and Shastry, B., Towards Taming Privilege-Escalation Attacks on Android, in 19th Annual Network & Distributed System Security Symposium, (San Diego, CA, USA, 2012).Google Scholar
- Chaudhuri, A., Language-Based Security on Android, in ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, (Dublin, Ireland, 2009). 1--7. DOI=http://dx.doi.org/10.1145/1554339.1554341 Google ScholarDigital Library
- Enck, W., Ongtang, M. and McDaniel, P., Understanding Android Security, IEEE Security and Privacy, Volume 7(1). 50--54. Google ScholarDigital Library
- Enck, W., Gilbert, P., Chun, B, Cox, L. P., Jung, J., McDaniel, P. and Sheth, A. N., TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, in Proceedings of the USENIX Symposium on Operating Systems Design and Implementation, (Vancouver, BC, Canada, 2010). Google ScholarDigital Library
- Felt, A., Chin, E., Hanna, S., Song, D. and Wagner, D., Android permissions demystified, in 18th ACM Conference on Computer and Communications Security (Chicago, IL, USA, 2011). 627--638. DOI=http://dx.doi.org/10.1145/2046707.2046779 Google ScholarDigital Library
- Gosling, J., Joy, B., Steele, G. and Bracha, G., The Java Language Specification (Third Edition). Addison-Wesley, Boston, 2005. Google ScholarDigital Library
- Hiroshi L., Android and Security, 2012, http://googlemobile.blogspot.jp/2012/02/android-and-security.htmlGoogle Scholar
- Hornyack, P., Han, S., Jung, J., Schechtery, S. and Wetherall, D., These aren't the droids you're looking for: retrofitting android to protect data from imperious applications, in 18th ACM Conference on Computer and Communications Security, (Chicago, IL, USA, 2011). 639--652. DOI=http://dx.doi.org/10.1145/2046707.2046780 Google ScholarDigital Library
- Jing, Y., Ahn, G. and Hu, H., Model-Based Conformance Testing for Android, in Advances in Information and Computer Security, 7th International Workshop on Security, IWSEC (Fukuoka, JAPAN, 2012). Springer, 1--18.Google Scholar
- Marforio, C., Aurélien, F. and Capkun, S. 2011. Application collusion attack on the permission-based security model and its implications for modern smartphone systems, Technical Report. Eidgenössische Technische Hochschule Zürich. DOI=http://dx.doi.org/10.3929/ethz-a-006720730Google Scholar
- Oberheide, J., Dissecting, Android's Bouncer, 2012, https://blog.duosecurity.com/2012/06/dissecting-androids-bouncer/Google Scholar
- Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A. and Wang, X. 2011. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones, in 18th Annual Network and Distributed System Security Symposium, (San Diego, CA, USA, 2011).Google Scholar
- Android SDK --- Android Developers, http://developer.android.com/sdk/index.htmlGoogle Scholar
- Android Security Overview, http://source.android.com/tech/security/index.htmlGoogle Scholar
- Eclipse Java development tools(JDT), 2012, http://www.eclipse.org/jdt/Google Scholar
- Google Play, https://play.google.com/storeGoogle Scholar
- Manifest.permission --- Android Developers, 2012, http://developer.android.com/reference/android/Manifest.permission.htmlGoogle Scholar
- Package Index --- Android Developers, 2012, http://developer.android.com/reference/packages.htmlGoogle Scholar
- (permission) Android developers, 2012, http://developer.android.com/guide/topics/manifest/permission-element.htmlGoogle Scholar
Index Terms
- A proposal for the privacy leakage verification tool for Android application developers
Recommendations
COVERT: Compositional Analysis of Android Inter-App Permission Leakage
Android is the most popular platform for mobile devices. It facilitates sharing of data and services among applications using a rich inter-app communication system. While access to resources can be controlled by the Android permission system, enforcing ...
Android: Changing the Mobile Landscape
The mobile phone landscape changed last year with the introduction of smart phones running Android, a platform marketed by Google. Android phones are the first credible threat to the iPhone market. Not only did Google target the same consumers as iPhone,...
HybriDroid: static analysis framework for Android hybrid applications
ASE '16: Proceedings of the 31st IEEE/ACM International Conference on Automated Software EngineeringMobile applications (apps) have long invaded the realm of desktop apps, and hybrid apps become a promising solution for supporting multiple mobile platforms. Providing both platform-specific functionalities via native code like native apps and user ...
Comments