Research article, DOI: 10.1145/2462456.2464462

RetroSkeleton: retrofitting android apps

Published: 25 June 2013

Abstract

An obvious asset of the Android platform is the tremendous number and variety of available apps. There is a less obvious, but potentially even more important, benefit to the fact that nearly all apps are developed using a common platform. We can leverage the relatively uniform nature of Android apps to allow users to tweak applications for improved security, usability, and functionality with relative ease (compared to desktop applications). We design and implement an Android app rewriting framework for customizing the behavior of existing applications without requiring source code or app-specific guidance. Following app-agnostic transformation policies, our system rewrites applications to insert, remove, or modify behavior. The rewritten application can run on any unmodified Android device, without requiring rooting or other custom software. This paper describes RetroSkeleton, our app rewriting framework, including static and dynamic interception of method invocations, and creating policies that integrate with each target app. We show that our system is capable of supporting a variety of useful policies, including providing flexible fine-grained network access control, building HTTPS-Everywhere functionality into apps, implementing automatic app localization, informing users of hidden behavior in apps, and updating apps that depend on outdated APIs. We evaluate these policies by rewriting and testing more than one thousand real-world apps from Google Play.
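The static interception the abstract mentions comes down to redirecting call sites: every invocation of a policy-covered method in the app's Dalvik bytecode is rewritten into a call to a wrapper in a policy class that is merged into the app, and the wrapper decides what to do (block, upgrade to HTTPS, log, delegate). The example below is an added illustration and not RetroSkeleton's code; it works on smali text as produced by baksmali rather than on the binary dex, and the policy class name `Lretro/policy/Net;`, the wrapper naming scheme, the intercept table and the smali fragment are all constructed for this example. It also shows why a purely static rewriter is not enough: a reflective `Method.invoke` never appears as a direct call site of the method it targets, so the reflective entry point itself must be wrapped and checked at run time.

```python
"""Static call-site interception of Dalvik method invocations, shown on smali text.

Added illustration, not RetroSkeleton's code. Every call site of a policy-covered
method is redirected to a static wrapper in a policy class; the wrapper carries
the app-agnostic policy (network access control, HTTPS upgrade, logging of hidden
behaviour) and delegates to the original method when the policy allows it.
"""
import re

# Hypothetical policy class that the rewriter merges into the app (name assumed).
POLICY_CLASS = "Lretro/policy/Net;"

# Constructed intercept table. Method.invoke is included because reflective calls
# never show up as call sites of the other entries; its wrapper has to inspect the
# target Method object at run time (the "dynamic" half of interception).
INTERCEPT = {
    "Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    "Ljava/net/Socket;->connect(Ljava/net/SocketAddress;)V",
    "Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;",
}

# invoke-{virtual,interface,direct,static}[/range] {regs}, Lowner;->name(params)ret
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)invoke-(?P<kind>virtual|interface|direct|static)"
    r"(?P<rng>/range)?\s+\{(?P<regs>[^}]*)\},\s*"
    r"(?P<owner>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$"
)


def wrapper_name(owner: str, name: str) -> str:
    """Stable wrapper name: Ljava/net/URL; + openConnection -> java_net_URL_openConnection."""
    return owner[1:-1].replace("/", "_").replace("$", "_") + "_" + name


def rewrite_invoke(line: str):
    """Return (new_line, wrapper_signature) for an intercepted call site, else (line, None)."""
    m = INVOKE_RE.match(line)
    if not m:
        return line, None
    owner, name, params, ret = m["owner"], m["name"], m["params"], m["ret"]
    if f"{owner}->{name}({params}){ret}" not in INTERCEPT or name == "<init>":
        # Constructors are left alone: new-instance has already allocated the object,
        # so a static wrapper cannot stand in for <init>; they need a factory rewrite.
        return line, None
    # For instance calls the receiver register is already first in {regs}, so the
    # wrapper takes the receiver as an explicit first parameter; static calls keep
    # their parameter list unchanged. The register list itself is untouched.
    wrapper_params = params if m["kind"] == "static" else owner + params
    sig = f"{wrapper_name(owner, name)}({wrapper_params}){ret}"
    rng = m["rng"] or ""
    new_line = f"{m['indent']}invoke-static{rng} {{{m['regs']}}}, {POLICY_CLASS}->{sig}"
    return new_line, sig


def rewrite_smali(text: str):
    """Rewrite one smali file; also return the wrapper signatures the policy class must provide."""
    out, needed = [], []
    for line in text.splitlines():
        new_line, sig = rewrite_invoke(line)
        out.append(new_line)
        if sig and sig not in needed:
            needed.append(sig)
    return "\n".join(out), needed


# Constructed smali fragment standing in for a method disassembled from a real app.
SAMPLE = """\
.method private fetch(Ljava/lang/String;)V
    .locals 2
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v1
    invoke-virtual {p0, v1}, Lcom/example/App;->read(Ljava/net/URLConnection;)V
    return-void
.end method
"""

if __name__ == "__main__":
    rewritten, needed = rewrite_smali(SAMPLE)
    print(rewritten)
    print("wrappers the policy class must implement:", *needed, sep="\n  ")
```

Running it turns the `openConnection()` call into `invoke-static {v0}, Lretro/policy/Net;->java_net_URL_openConnection(Ljava/net/URL;)Ljava/net/URLConnection;` and leaves the app's own `read` call and the `URL` constructor untouched; the returned signature list is the contract the policy class has to satisfy (for an HTTPS-Everywhere style policy the wrapper would rewrite the URL's scheme before delegating). Two caveats a practitioner should keep in mind: the rewritten app still runs with its own identity, so the policy is only as strong as the app's inability to reach the original method through a path the rewriter did not see (native code, dynamically loaded dex), and `invoke-super`, `invoke-polymorphic` and constructor interception are deliberately out of scope here.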



    Published In

    MobiSys '13: Proceedings of the 11th annual international conference on Mobile systems, applications, and services
    June 2013, 568 pages
    ISBN: 9781450316729
    DOI: 10.1145/2462456

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. VM
    2. android
    3. bytecode
    4. dalvik
    5. rewriting

    Conference

    MobiSys'13

    Acceptance Rates

    MobiSys '13 Paper Acceptance Rate 33 of 211 submissions, 16%;
    Overall Acceptance Rate 274 of 1,679 submissions, 16%

    Cited By

    • (2023) A2P2 - An Android Application Patching Pipeline Based On Generic Changesets. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-11. DOI: 10.1145/3600160.3600172. Published 29 Aug 2023.
    • (2023) 'We are adults and deserve control of our phones': Examining the risks and opportunities of a right to repair for mobile apps. Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency, pp. 22-34. DOI: 10.1145/3593013.3593973. Published 12 Jun 2023.
    • (2022) CAPEF: Context-Aware Policy Enforcement Framework for Android Applications. Journal of Engineering Research and Sciences 2(1), pp. 13-23. DOI: 10.55708/js0201002. Published Jan 2022.
    • (2022) Mind-proofing Your Phone: Navigating the Digital Minefield with GreaseTerminator. Proceedings of the 27th International Conference on Intelligent User Interfaces, pp. 523-536. DOI: 10.1145/3490099.3511152. Published 22 Mar 2022.
    • (2022) ReHAna: An Efficient Program Analysis Framework to Uncover Reflective Code in Android. Mobile and Ubiquitous Systems: Computing, Networking and Services, pp. 347-374. DOI: 10.1007/978-3-030-94822-1_19. Published 8 Feb 2022.
    • (2021) I Want My App That Way: Reclaiming Sovereignty Over Personal Devices. Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems, pp. 1-8. DOI: 10.1145/3411763.3451632. Published 8 May 2021.
    • (2020) A Taxonomy for Security Flaws in Event-Based Systems. Applied Sciences 10(20), article 7338. DOI: 10.3390/app10207338. Published 20 Oct 2020.
    • (2020) Self-Controllable Mobile App Protection Scheme Based on Binary Code Splitting. Mobile Information Systems 2020, pp. 1-11. DOI: 10.1155/2020/8813243. Published 10 Oct 2020.
    • (2020) Detection of Repackaged Android Malware with Code-Heterogeneity Features. IEEE Transactions on Dependable and Secure Computing 17(1), pp. 64-77. DOI: 10.1109/TDSC.2017.2745575. Published 1 Jan 2020.
    • (2019) PerHelper: Helping Developers Make Better Decisions on Permission Uses in Android Apps. Applied Sciences 9(18), article 3699. DOI: 10.3390/app9183699. Published 5 Sep 2019.
