DOI: 10.1145/2857705.2857712 (research article)

On the Origin of Mobile Apps: Network Provenance for Android Applications

Published: 09 March 2016

Abstract

Many mobile services consist of two components: a server providing an API, and an application running on smartphones that communicates with the API. An unresolved problem in this design is that it is difficult for the server to authenticate which app is accessing the API, and this causes many security problems. For example, the provider of a private network API has to embed secrets in its official app to ensure that only this app can access the API; however, attackers can recover the secret by reverse-engineering the app. As another example, malicious apps may send automated requests to ad servers to commit ad fraud.
In this work, we propose a system that allows a network API to authenticate the mobile app that sends each request, so that the API can make an informed access control decision. Our system, the Mobile Trusted-Origin Policy, consists of two parts: 1) an app provenance mechanism that annotates outgoing HTTP(S) requests with information about which app generated the network traffic, and 2) a code isolation mechanism that separates code within an app that should have different app provenance signatures into distinct mobile origins. As motivation for our work, we present two previously unknown families of apps that perform click fraud, and examine how the lack of mobile origin information enables the attacks. Based on our observations, we propose Trusted Cross-Origin Requests to handle point (1), which automatically includes mobile origin information in outgoing HTTP requests. Servers may then decide, based on the mobile origin data, whether to process the request or not. We implement a prototype of our system for Android and evaluate its performance, security, and deployability. We find that our system can achieve our security and utility goals with negligible overhead.
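The server side of the idea in the abstract, as an added illustration that is not the paper's code and does not use the paper's wire format: the header name "Mobile-Origin", its value grammar (package name plus the SHA-256 of the app's signing certificate), the allowlist, and every package name, certificate hash and request below are assumptions made for this example. Two uses are shown: an access-control decision for a private API that needs no secret embedded in the app, and attribution of ad clicks to the app that generated them, which is what lets an ad server notice an app whose clicks are out of proportion to its impressions.

```python
"""Server-side use of a platform-attached mobile-origin annotation.

Illustration added to this page; it is not the paper's code or its wire
format. Assumptions: the annotation travels in a request header named
"Mobile-Origin", its value is "<android package>;cert=<sha256 hex of the
app's signing certificate>", the platform (not the app) attaches it, and
every package name, certificate hash and request below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

ORIGIN_HEADER = "mobile-origin"  # assumed header name, matched case-insensitively

# Assumed value grammar: dotted Java-style package name, then the cert hash.
_ORIGIN_RE = re.compile(
    r"^(?P<pkg>[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+);cert=(?P<cert>[0-9A-Fa-f]{64})$"
)


@dataclass(frozen=True)
class MobileOrigin:
    package: str
    cert_sha256: str


def parse_mobile_origin(value: Optional[str]) -> Optional[MobileOrigin]:
    """Parse the assumed header value; None when absent or malformed."""
    if value is None:
        return None
    m = _ORIGIN_RE.match(value.strip())
    if m is None:
        return None
    return MobileOrigin(m.group("pkg"), m.group("cert").lower())


def raw_origin(headers: Dict[str, str]) -> Optional[str]:
    """Raw annotation value regardless of header-name casing."""
    return {k.lower(): v for k, v in headers.items()}.get(ORIGIN_HEADER)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(headers: Dict[str, str], allowlist: FrozenSet[MobileOrigin]) -> Decision:
    """Access control from the origin alone: no secret embedded in the app."""
    raw = raw_origin(headers)
    if raw is None:
        # Un-annotated request: the client is not on an annotating platform.
        return Decision(False, "no mobile origin")
    origin = parse_mobile_origin(raw)
    if origin is None:
        return Decision(False, "malformed mobile origin")
    if origin not in allowlist:
        # Package name alone is not enough: a repackaged copy keeps the
        # package name but cannot reproduce the original signing certificate.
        return Decision(False, "origin not allowed: " + origin.package)
    return Decision(True, "ok")


def suspicious_click_origins(requests: Iterable[Dict], threshold: float = 1.0) -> List[str]:
    """Packages whose clicks per impression exceed the threshold.

    Without the annotation all ad traffic looks alike to the ad server; with
    it, every click is attributable to the app that generated it.
    """
    impressions: Counter = Counter()
    clicks: Counter = Counter()
    for req in requests:
        origin = parse_mobile_origin(raw_origin(req["headers"]))
        if origin is None:
            continue  # un-annotated traffic cannot be attributed
        if req["path"].startswith("/impression"):
            impressions[origin.package] += 1
        elif req["path"].startswith("/click"):
            clicks[origin.package] += 1
    flagged = []
    for pkg in sorted(set(impressions) | set(clicks)):
        ratio = clicks[pkg] / impressions[pkg] if impressions[pkg] else float("inf")
        if ratio > threshold:
            flagged.append(pkg)
    return flagged


# Constructed sample data (hypothetical packages and certificate hashes).
OFFICIAL_CERT = "ab" * 32
OFFICIAL = MobileOrigin("com.example.official", OFFICIAL_CERT)
ALLOWLIST: FrozenSet[MobileOrigin] = frozenset({OFFICIAL})


def _annotated(path: str, package: str, cert: str) -> Dict:
    return {"path": path, "headers": {"Mobile-Origin": f"{package};cert={cert}"}}


SAMPLE_AD_REQUESTS: List[Dict] = (
    [_annotated("/impression", "com.example.game", "cd" * 32)] * 4
    + [_annotated("/click", "com.example.game", "cd" * 32)]
    + [_annotated("/impression", "com.example.clicker", "ef" * 32)]
    + [_annotated("/click", "com.example.clicker", "ef" * 32)] * 5
    + [{"path": "/click", "headers": {}}]  # legacy client, no annotation
)

if __name__ == "__main__":
    print(decide({"Mobile-Origin": f"com.example.official;cert={OFFICIAL_CERT}"}, ALLOWLIST))
    print(decide({"Mobile-Origin": f"com.example.official;cert={'ff' * 32}"}, ALLOWLIST))
    print(suspicious_click_origins(SAMPLE_AD_REQUESTS))
```

The allowlist keys on the signing certificate, not only the package name, because a repackaged or cloned app can reuse the package name but not the original developer's key. The whole scheme stands or falls on the header being set by the platform and not writable by app code, exactly as the browser's Origin header is for CORS; an un-annotated request is therefore treated as unauthenticated rather than trusted.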


Cited By

  • Don't throw me away. In: Proceedings of the 2018 Asia Conference on Computer and Communications Security, pp. 147-158. DOI: 10.1145/3196494.3196554 (online 29 May 2018).

Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. advertising security
  2. app authentication
  3. mobile advertising
  4. mobile security

Funding Sources

  • Intel Science and Technology Center for Secure Computing
  • UC Davis RISE award

Conference: CODASPY '16

Acceptance Rates

CODASPY '16 Paper Acceptance Rate 22 of 115 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%
