DOI: 10.1145/2557547.2557557

Systematic audit of third-party android phones

Published: 03 March 2014

Abstract

Android has become the leading smartphone platform, with hundreds of devices from various manufacturers on the market today. These phones closely resemble each other in hardware and software features, so manufacturers customize the official Android system to differentiate their devices. Unfortunately, such heavy customization by third-party manufacturers often introduces serious vulnerabilities that do not exist in the official Android system. In this paper, we propose a comparative approach to systematically audit the software in third-party phones by comparing it side by side with the official system. Specifically, we first retrieve the pre-loaded apps and libraries from the phone and build a matching base system from the Android Open Source Project repository. We then compare corresponding apps and libraries for potential vulnerabilities. To facilitate this process, we have designed and implemented DexDiff, a system that can pinpoint fine structural differences between two Android binaries and present the changes in their surrounding context. Our experiments show that DexDiff is efficient and scalable: for example, it takes less than two and a half minutes to process two files totalling 16.5MB. DexDiff is also able to reveal a new vulnerability and details of the invasive CIQ (Carrier IQ) mobile intelligence software.
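The comparison step sketched in the abstract, as an added example that is not DexDiff's code and is not taken from the paper: a minimal parser for the dex035 header and string table that first verifies a file's Adler-32 checksum and SHA-1 signature (the two integrity fields every dex carries), then reports the header-count and string-table differences between a base build's classes.dex and a vendor build's. DexDiff matches methods and instructions; this example stops at strings, which is only the coarse first pass an auditor would run before a structural diff. The `build_dex` helper constructs string-table-only dex files as test input (no map_list, no classes, so a Dalvik VM would not load them), and the vendor class name and permission string in the demo are invented.

```python
"""Minimal dex035 parser and string-table differ (added example, not DexDiff)."""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
# (name, offset) of the u4 header fields compared below, per the AOSP dex format description.
HEADER_FIELDS = [("file_size", 0x20), ("string_ids_size", 0x38), ("type_ids_size", 0x40),
                 ("proto_ids_size", 0x48), ("field_ids_size", 0x50),
                 ("method_ids_size", 0x58), ("class_defs_size", 0x60)]


def u4(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def read_uleb128(buf, off):
    """Decode a ULEB128 value starting at off; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def encode_uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def verify_dex(buf):
    """Check magic, Adler-32 (covers bytes after offset 12), SHA-1 (after offset 32), file_size."""
    if buf[:8] != DEX_MAGIC:
        raise ValueError("not a dex035 file")
    if u4(buf, 0x08) != zlib.adler32(buf[12:]) & 0xFFFFFFFF:
        raise ValueError("bad checksum")
    if bytes(buf[0x0C:0x20]) != hashlib.sha1(buf[32:]).digest():
        raise ValueError("bad signature")
    if u4(buf, 0x20) != len(buf):
        raise ValueError("file_size mismatch")
    return True


def is_valid_dex(buf):
    try:
        return verify_dex(buf)
    except ValueError:
        return False


def dex_strings(buf):
    """Walk string_ids -> string_data_item (ULEB128 utf16 length, MUTF-8 bytes, NUL)."""
    count, off = u4(buf, 0x38), u4(buf, 0x3C)
    out = []
    for i in range(count):
        _utf16_len, p = read_uleb128(buf, u4(buf, off + 4 * i))
        end = buf.index(b"\x00", p)
        out.append(bytes(buf[p:end]).decode("utf-8"))  # ASCII here; real MUTF-8 needs surrogate handling
    return out


def diff_dex(base, vendor):
    """Header-count differences plus strings only one side has (base vs vendor build)."""
    verify_dex(base)
    verify_dex(vendor)
    header = {n: (u4(base, o), u4(vendor, o)) for n, o in HEADER_FIELDS if u4(base, o) != u4(vendor, o)}
    sb, sv = set(dex_strings(base)), set(dex_strings(vendor))
    return {"header": header, "added": sorted(sv - sb), "removed": sorted(sb - sv)}


def build_dex(strings):
    """Construct a dex035 file holding only a string table (constructed test input, not VM-loadable)."""
    data, offsets = bytearray(), []
    data_start = HEADER_SIZE + 4 * len(strings)
    for s in sorted(strings):  # dex requires string_ids sorted by string value
        offsets.append(data_start + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = DEX_MAGIC
    for off, val in [(0x20, HEADER_SIZE + len(body)), (0x24, HEADER_SIZE), (0x28, 0x12345678),
                     (0x38, len(strings)), (0x3C, HEADER_SIZE), (0x68, len(data)), (0x6C, data_start)]:
        struct.pack_into("<I", hdr, off, val)
    buf = hdr + body
    buf[0x0C:0x20] = hashlib.sha1(buf[32:]).digest()           # signature first: checksum covers it
    struct.pack_into("<I", buf, 0x08, zlib.adler32(buf[12:]) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    aosp = build_dex(["Landroid/app/Activity;", "Ljava/lang/String;", "onCreate"])
    vendor = build_dex(["Landroid/app/Activity;", "Ljava/lang/String;", "onCreate",
                        "Lcom/vendor/logger/Collector;", "android.permission.READ_LOGS"])  # invented
    print(diff_dex(aosp, vendor))
```

On a real audit the two inputs would be the classes.dex unzipped from an APK pulled off the handset (`adb pull /system/app/<App>.apk`, path assumed) and from the same-named APK in a matching AOSP build. A string-level diff is noisy under ProGuard renaming and cannot tell a benign vendor change from a dangerous one; its value is as a triage filter that flags which pre-loaded apps deserve the method-level comparison the paper describes, and the integrity checks catch corrupt or truncated pulls before any of that starts.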


Cited By

View all
  • (2022) A survey for Communication security of the embedded system. Carpathian Journal of Electronic and Computer Engineering 14:2 (15-19). DOI: 10.2478/cjece-2021-0009. Online publication date: 21-Jan-2022
  • (2022) Malware analysis: Reverse engineering tools using santuko linux. Materials Today: Proceedings 60 (1367-1378). DOI: 10.1016/j.matpr.2021.10.243. Online publication date: 2022
  • (2017) A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software. IEEE Transactions on Software Engineering 43:6 (492-530). DOI: 10.1109/TSE.2016.2615307. Online publication date: 1-Jun-2017
  • (2016) Attacking Android smartphone systems without permissions. 2016 14th Annual Conference on Privacy, Security and Trust (PST) (147-156). DOI: 10.1109/PST.2016.7906949. Online publication date: Dec-2016
  • (2015) Harvesting developer credentials in Android apps. Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (1-12). DOI: 10.1145/2766498.2766499. Online publication date: 22-Jun-2015

Published In

CODASPY '14: Proceedings of the 4th ACM conference on Data and application security and privacy
March 2014
368 pages
ISBN:9781450322782
DOI:10.1145/2557547
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. android
  2. bindiff
  3. dexdiff
  4. security audit
  5. static analysis

Qualifiers

  • Research-article

Conference

CODASPY'14

Acceptance Rates

CODASPY '14 Paper Acceptance Rate 19 of 119 submissions, 16%;
Overall Acceptance Rate 149 of 789 submissions, 19%
