research-article

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications

Authors:
Yury Zhauniarovich

University of Trento, Trento, Italy

University of Trento, Trento, Italy
View Profile

,
Maqsood Ahmad

University of Trento, Trento, Italy

University of Trento, Trento, Italy
View Profile

,
Olga Gadyatskaya

University of Luxembourg, Luxembourg, Luxembourg

University of Luxembourg, Luxembourg, Luxembourg
View Profile

,
Bruno Crispo

University of Trento; DistriNet, KU Leuven, Trento, Italy

University of Trento; DistriNet, KU Leuven, Trento, Italy
View Profile

,
Fabio Massacci

University of Trento, Trento, Italy

University of Trento, Trento, Italy
View Profile

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and PrivacyMarch 2015Pages 37–48https://doi.org/10.1145/2699026.2699105

Published:02 March 2015Publication History

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

Pages 37–48

ABSTRACT

Static analysis of Android applications can be hindered by the presence of the popular dynamic code update techniques: dynamic class loading and reflection. Recent Android malware samples do actually use these mechanisms to conceal their malicious behavior from static analyzers. These techniques defuse even the most recent static analyzers that usually operate under the "closed world" assumption (the targets of reflective calls can be resolved at analysis time; only classes reachable from the class path at analysis time are used at runtime). Our proposed solution allows existing static analyzers to remove this assumption. This is achieved by combining static and dynamic analysis of applications in order to reveal the hidden/updated behavior and extend static analysis results with this information. This paper presents design, implementation and preliminary evaluation results of our solution called StaDynA.

References

AndroGuard: Reverse engineering, malware and goodware analysis of Android applications. Available Online. https://code.google.com/p/androguard/.Google Scholar
Android - App Manifest - Permission http://developer.android.com/guide/topics/manifest/permission-element.html.Google Scholar
Android Security Tips. Available Online. http://developer.android.com/training/articles/security-tips.html.Google Scholar
AndroidBest -- Android market. http://androidbest.ru/.Google Scholar
AndroidDrawer -- Android market. http://www.androiddrawer.com/.Google Scholar
AndroidLife -- Android market. http://androidlife.ru/.Google Scholar
Anruan -- Android market. http://www.anruan.com/.Google Scholar
AppsApk -- Android market. http://www.appsapk.com/.Google Scholar
F-Droid -- Android market. https://f-droid.org/.Google Scholar
Google Play -- Android official market. https://play.google.com/store/apps.Google Scholar
UI/Application Exerciser Monkey. Available Online. http://developer.android.com/tools/help/monkey.html.Google Scholar
S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 259--269, 2014. Google ScholarDigital Library
K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android Permission Specification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 217--228, 2012. Google ScholarDigital Library
A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus. Automatically Securing Permission-based Software by Reducing the Attack Surface: An Application to Android. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, pages 274--277, 2012. Google ScholarDigital Library
R. Bhoraskar, S. Han, J. Jeon, T. Azim, S. Chen, J. Jung, S. Nath, R. Wang, and D. Wetherall. Brahmastra: Driving Apps to Test the Security of Third-Party Components. In 23rd USENIX Security Symposium (USENIX Security 14), pages 1021--1036, August 2014. Google ScholarDigital Library
D. G. Bobrow, R. P. Gabriel, and J. L. White. Object-oriented programming. chapter CLOS in Context: The Shape of the Design Space, pages 29--61. MIT Press, 1993. Google ScholarDigital Library
E. Bodden, A. Sewe, J. Sinschek, H. Oueslati, and M. Mezini. Taming Reflection: Aiding Static Analysis in the Presence of Reflection and Custom Class Loaders. In Proceedings of the 33rd International Conference on Software Engineering, pages 241--250, 2011. Google ScholarDigital Library
J. Bogda and A. Singh. Can a Shape Analysis Work at Run-time? In Proceedings of the 2001 Symposium on\ JavaTM Virtual Machine Research and Technology Symposium - Volume 1, pages 2--2, 2001. Google ScholarDigital Library
F. Chung. Custom Class Loading in Dalvik. Available Online. http://android-developers.blogspot.it/2011/07/custom-class-loading-in-dalvik.html.Google Scholar
M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich. CR-ePE: A System for Enforcing Fine-Grained Context-Related Policies on Android. IEEE Transactions on Information Forensics and Security, 7(5):1426--1438, 2012. Google ScholarDigital Library
M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pages 73--84, 2013. Google ScholarDigital Library
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pages 1--6, 2010. Google ScholarDigital Library
W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Conference on Security, pages 21--21, 2011. Google ScholarDigital Library
F-Secure. Trojan:Android/FakeNotify Gets Updated. Available Online, Dec. 2011. http://www.f-secure.com/weblog/archives/00002291.html?tduid=f57e2769518f081721ffca586e797b2a.Google Scholar
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security, pages 627--638, 2011. Google ScholarDigital Library
E. Fernandes, B. Crispo, and M. Conti. FM 99.9, Radio virus: Exploiting FM radio broadcasts for malware deployment. Information Forensics and Security, IEEE Transactions on, 8(6):1027--1037, 2013. Google ScholarDigital Library
H. Gascon, F. Yamaguchi, D. Arp, and K. Rieck. Structural Detection of Android Malware Using Embedded Call Graphs. In Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, pages 45--54, 2013. Google ScholarDigital Library
C. Gibler, J. Crussell, J. Erickson, and H. Chen. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Proceedings of the 5th International Conference on Trust and Trustworthy Computing, pages 291--307, 2012. Google ScholarDigital Library
M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang. RiskRanker: Scalable and Accurate Zero-day Android Malware Detection. In Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services, pages 281--294, 2012. Google ScholarDigital Library
M. Hirzel, D. von Dinklage, A. Diwan, and M. Hind.Fast Online Pointer Analysis. ACM Transactions on Programming Languages and Systems, 29(2), 2007. Google ScholarDigital Library
J. Hoffmann, M. Ussath, T. Holz, and M. Spreitzenbarth. Slicing Droids: Program Slicing for Smali Code. In Proceedings of the 28th Annual ACM Symposium on Applied Computing, pages 1844--1851, 2013. Google ScholarDigital Library
C. Hu and I. Neamtiu. Automating GUI Testing for Android Applications. In Proceedings of the 6th International Workshop on Automation of Software Test, pages 77--83, 2011. Google ScholarDigital Library
X. Hu, T.-c. Chiueh, and K. G. Shin. Large-scale Malware Indexing Using Function-call Graphs. In Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 611--620, 2009. Google ScholarDigital Library
S. Liang and G. Bracha. Dynamic Class Loading in the Java Virtual Machine. In Proceedings of the 13th ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications, pages 36--44, 1998. Google ScholarDigital Library
M. Lindorfer, M. Neugschwandtner, L. Weichselbaum, Y. Fratantonio, V. van der Veen, and C. Platzer. Andrubis - 1,000,000 Apps Later: A View on Current Android Malware Behaviors. In Proceedings of the the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns forSecurity (BADGERS), 2014.Google Scholar
B. Livshits, J. Whaley, and M. S. Lam. Reflection Analysis for Java. In Proceedings of the Third Asian Conference on Programming Languages and Systems, pages 139--160, 2005. Google ScholarDigital Library
Pandalabs. New Malware Attack through Google Play. Available Online, Feb. 2014.http://pandalabs.pandasecurity.com/new-malware-attack-through-google-play/.Google Scholar
S. Poeplau, Y. Fratantonio, A. Bianchi, C. Kruegel, and G. Vigna. Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. In Proceedings of the 21st Annual Network & Distributed System Security Symposium, 2014.Google ScholarCross Ref
V. Rastogi, Y. Chen, and W. Enck. AppsPlayground: Automatic Security Analysis of SmartphoneApplications. In Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pages 209--220, 2013. Google ScholarDigital Library
V. Rastogi, Y. Chen, and X. Jiang. DroidChameleon: Evaluating Android Anti-malware Against Transformation Attacks. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pages 329--334, 2013. Google ScholarDigital Library
D. Sosnoski. Java programming dynamics, Part 1: Java classes and class loading. Available Online. http://www.ibm.com/developerworks/library/j-dyn0429/.Google Scholar
D. Sounthiraraj, J. Sahs, G. Greenwood, Z. Lin, and L. Khan. SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps. In Proceedings of the 21st Annual Network and Distributed System Security Symposium, San Diego, CA, February 2014.Google Scholar
T. Wang, K. Lu, L. Lu, S. Chung, and W. Lee. Jekyll on iOS: When Benign Apps Become Evil. In Proceedings of the 22nd USENIX Conference on Security, pages 559--572, 2013. Google ScholarDigital Library
E. R. Wognsen and H. S. Karlsen. Static Analysis of Dalvik Bytecode and Reflection in Android. Master's thesis, Aalborg University, 2012.Google Scholar
L. K. Yan and H. Yin. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In Proceedings of the 21st USENIX Conference on Security Symposium, pages 29--29, 2012. Google ScholarDigital Library
Y. Zhauniarovich, O. Gadyatskaya, and B. Crispo. DEMO: Enabling Trusted Stores for Android. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pages 1345--1348, 2013. Google ScholarDigital Library
Y. Zhauniarovich, G. Russello, M. Conti, B. Crispo, and E. Fernandes. MOSES: Supporting and Enforcing Security Profiles on Smartphones. IEEE Transactions on Dependable and Secure Computing, 11(3):211--223, May 2014. Google ScholarDigital Library
C. Zheng, S. Zhu, S. Dai, G. Gu, X. Gong, X. Han, and W. Zou. SmartDroid: An Automatic System for Revealing UI-based Trigger Conditions in Android Applications. In Proceedings of the Second ACM\ Workshop on Security and Privacy in Smartphones and Mobile Devices, pages 93--104, 2012. Google ScholarDigital Library
Y. Zhongyang, Z. Xin, B. Mao, and L. Xie. DroidAlarm: An All-sided Static Analysis Tool for Android Privilege-escalation Malware. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pages 353--358, 2013. Google ScholarDigital Library
Y. Zhou and X. Jiang. An Analysis of the AnserverBot Trojan. Available Online, September 2011. http://www.csc.ncsu.edu/faculty/jiang/ pubs/AnserverBot_Analysis.pdf.Google Scholar
Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 95--109, 2012. Google ScholarDigital Library

Index Terms

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Process validation
        Traceability
        Walkthroughs

Recommendations

StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications
Highlights
- A set of benchmark apps to test static analysis tools for reflection resolution.
Abstract
Dynamic code update techniques (Android Studio – support for dynamic delivery), such as dynamic class loading and reflection, enable Android apps to extend their functionality at runtime. At the same time, these techniques are misused ...
Read More
On the unsoundness of static analysis for Android GUIs
SOAP 2016: Proceedings of the 5th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis

Android software presents exciting new challenges for the static analysis community. However, static analyses for Android are typically unsound. This is due to the lack of specification of the Android framework, the continuous evolution of framework ...
Read More
P/Taint: unified points-to and taint analysis

Static information-flow analysis (especially taint-analysis) is a key technique in software security, computing where sensitive or untrusted data can propagate in a program. Points-to analysis is a fundamental static program analysis, computing what ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
March 2015
362 pages
ISBN:9781450331913
DOI:10.1145/2699026
General Chair:
Jaehong Park
University of Texas at San Antonio, USA
,
Program Chair:
Anna Squicciarini
The Pennsylvania State University, USA
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 March 2015
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
android
dynamic code updates
security analysis
Qualifiers
- research-article
Conference

Acceptance Rates
CODASPY '15 Paper Acceptance Rate19of91submissions,21%Overall Acceptance Rate149of789submissions,19%
More
Upcoming Conference
CODASPY '24

Sponsor:

sigsac

Fourteenth ACM Conference on Data and Application Security and Privacy

June 19 - 21, 2024

Porto , Portugal
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 64
  Total Citations
  View Citations
- 756
  Total Downloads
- Downloads (Last 12 months)27
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications

On the unsoundness of static analysis for Android GUIs

P/Taint: unified points-to and taint analysis

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications

On the unsoundness of static analysis for Android GUIs

P/Taint: unified points-to and taint analysis

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media