skip to main content
10.1145/3243734.3243842acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

Precise Android API Protection Mapping Derivation and Reasoning

Published: 15 October 2018 Publication History

Abstract

The Android research community has long focused on building an Android API permission specification, which can be leveraged by app developers to determine the optimum set of permissions necessary for a correct and safe execution of their app. However, while prominent existing efforts provide a good approximation of the permission specification, they suffer from a few shortcomings. Dynamic approaches cannot generate complete results, although accurate for the particular execution. In contrast, static approaches provide better coverage, but produce imprecise mappings due to their lack of path-sensitivity. In fact, in light of Android's access control complexity, the approximations hardly abstract the actual co-relations between enforced protections. To address this, we propose to precisely derive Android protection specification in a path-sensitive fashion, using a novel graph abstraction technique. We further showcase how we can apply the generated maps to tackle security issues through logical satisfiability reasoning. Our constructed maps for 4 Android Open Source Project (AOSP) images highlight the significance of our approach, as ~41% of APIs' protections cannot be correctly modeled without our technique.

Supplementary Material

MP4 File (p1151-aafer.mp4)

References

[1]
Baksmali: a disassembler for Android's dex format. 2017. (2017). Retrieved May 2, 2018 from https://github.com/JesusFreke/smali
[2]
Yousra Aafer, Jianjun Huang, Yi Sun, Xiangyu Zhang, Ninghui Li, and Chen Tian. 2018. AceDroid: Normalizing Diverse Android Access Control Checks for Inconsistency Detection. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18--21, 2018. The Internet Society.
[3]
Yousra Aafer, Nan Zhang, Zhongwen Zhang, Xiao Zhang, Kai Chen, XiaoFeng Wang, Xiaoyong Zhou, Wenliang Du, and Michael Grace. 2015. Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 1248--1259.
[4]
Smali: an assembler for Android's dex format. 2017. (2017). https://github.com/JesusFreke/smali
[5]
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '14). New York, NY, USA, 11.
[6]
Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie. 2012. PScout: Analyzing the Android Permission Specification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12). ACM, New York, NY, USA, 217--228.
[7]
Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, and Sebastian Weisgerber. 2016. On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 1101--1118.
[8]
ART compiler. 2017. (2017). https://source.android.com/devices/tech/dalvik/
[9]
Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13). ACM, New York, NY, USA, 73--84.
[10]
Sascha Fahl, Marian Harbach, Marten Oltrogge, Thomas Muders, and Matthew Smith. 2013. Hey, You, Get Off of My Clipboard .Springer Berlin Heidelberg, Berlin, Heidelberg, 144--161.
[11]
Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. 2011 a. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). ACM, New York, NY, USA, 12.
[12]
Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steven Hanna, and Erika Chin. 2011 b. Permission Re-delegation: Attacks and Defenses. In Proceedings of the 20th USENIX Conference on Security (SEC'11). USENIX Association, Berkeley, CA, USA, 22--22. http://dl.acm.org/citation.cfm?id=2028067.2028089
[13]
Clint Gibler, Jonathan Crussell, Jeremy Erickson, and Hao Chen. 2012. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Proceedings of the 5th International Conference on Trust and Trustworthy Computing (TRUST'12). Springer-Verlag, Berlin, Heidelberg, 291--307.
[14]
Michael I. Gordon, Deokhwan Kim, Jeff Perkins, Limei Gilham, Nguyen Nguyen, and Martin Rinard. 2015. Information-Flow Analysis of Android Applications in DroidSafe. In Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS).
[15]
Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. 2012. Systematic Detection of Capability Leaks in Stock Android Smartphones. In Proceedings of the 19th Network and Distributed System Security Symposium (NDSS). http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf
[16]
Jianjun Huang, Zhichun Li, Xusheng Xiao, Zhenyu Wu, Kangjie Lu, Xiangyu Zhang, and Guofei Jiang. 2015. SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps. In Proceedings of the 24th USENIX Conference on Security Symposium (SEC'15). USENIX Association, Berkeley, CA, USA, 977--992. http://dl.acm.org/citation.cfm?id=2831143.2831205
[17]
Jianjun Huang, Xiangyu Zhang, and Lin Tan. 2016. Detecting Sensitive Data Disclosure via Bi-directional Text Correlation Analysis. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE 2016). ACM, New York, NY, USA, 169--180.
[18]
Jianjun Huang, Xiangyu Zhang, Lin Tan, Peng Wang, and Bin Liang. 2014. AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction. In Proceedings of the 36th International Conference on Software Engineering (ICSE 2014). ACM, New York, NY, USA, 1036--1046.
[19]
IBM. 2017. WALA: T.J. Watson Libraries for Analysis. http://wala.sourceforge.net. (2017).
[20]
Soo Hyeon Kim, Daewan Han, and Dong Hoon Lee. 2013. Predictability of Android OpenSSL's Pseudo Random Number Generator. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS '13). ACM, New York, NY, USA, 659--668.
[21]
William Klieber, Lori Flynn, Amar Bhosale, Limin Jia, and Lujo Bauer. 2014. Android Taint Flow Analysis for App Sets. In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis (SOAP '14). ACM, New York, NY, USA, 1--6.
[22]
Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2014a. I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis. arXiv preprint arXiv:1404.7431 (2014).
[23]
Tongxin Li, Xiaoyong Zhou, Luyi Xing, Yeonjoon Lee, Muhammad Naveed, XiaoFeng Wang, and Xinhui Han. 2014b. Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA.
[24]
Kangjie Lu, Zhichun Li, Vasileios P Kemerlis, Zhenyu Wu, Long Lu, Cong Zheng, Zhiyun Qian, Wenke Lee, and Guofei Jiang. 2015. Checking More and Alerting Less: Detecting Privacy Leakages via Enhanced Data-flow Analysis and Peer Voting. In the 2015 Network and Distributed System Security Symposium (NDSS '15).
[25]
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. CHEX: statically vetting Android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 229--240.
[26]
Microsoft Research. 2017. Z3 Prover. https://github.com/Z3Prover/z3. (2017).
[27]
Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective Inter-component Communication Mapping in Android with Epicc: An Essential Step Towards Holistic Security Analysis. In Proceedings of the 22Nd USENIX Conference on Security (SEC'13). USENIX Association, Berkeley, CA, USA, 543--558. http://dl.acm.org/citation.cfm?id=2534766.2534813
[28]
Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie. 2013. WHYPER: Towards Automating Risk Assessment of Mobile Applications. In Proceedings of the 22Nd USENIX Conference on Security (SEC'13). USENIX Association, Berkeley, CA, USA, 527--542. http://dl.acm.org/citation.cfm?id=2534766.2534812
[29]
Zhengyang Qu, Vaibhav Rastogi, Xinyi Zhang, Yan Chen, Tiantian Zhu, and Zhong Chen. 2014. AutoCog: Measuring the Description-to-permission Fidelity in Android Applications. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 1354--1365.
[30]
Quine, J. 2017. Quine-McCluskey algorithm. https://en.wikipedia.org/wiki/Quine-McCluskey_algorithm. (2017).
[31]
sdat2img: Convert sparse Android data image (.dat) into filesystem ext4 image (.img). 2016. (2016). https://github.com/xpirt/sdat2img
[32]
Yuru Shao, Jason Ott, Qi Alfred Chen, Zhiyun Qian, and Z Morley Mao. 2016. Kratos: Discovering inconsistent security policy enforcement in the android framework. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21--24, 2016. The Internet Society.
[33]
Android Revolution Mobile Device Technologies. 2017. (2017). Retrieved May 2, 2018 from http://android-revolution-hd.blogspot.com/p/android-revolution-hd-mirror-site-var.html
[34]
Samsung Updates. 2017. Samsung Updates: Latest News and Firmware for your Samsung Devices! (2017). http://samsung-updates.com/
[35]
Official Android Developer Website. 2018. (2018). https://developer.android.com/index.html
[36]
Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. 2014. Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 13.
[37]
Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, and Xuxian Jiang. 2013. The impact of vendor customizations on android security. In Proceedings of the 2013 ACM SIGSAC conference on Computer communications security (CCS '13). ACM, New York, NY, USA, 623--634.
[38]
Xiao Zhang, Kailiang Ying, Yousra Aafer, Zhenshen Qiu, and Wenliang Du. 2016. Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21--24, 2016. The Internet Society.
[39]
Yajin Zhou and Xuxian Jiang. 2013. Detecting Passive Content Leaks and Pollution in Android Applications. In In Proceedings of the 20th Annual Symposium on Network and Distributed System Security, NDSS '13. The Internet Society.

Cited By

View all
  • (2024)A Longitudinal Analysis Of Replicas in the Wild Wild AndroidProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695546(1821-1833)Online publication date: 27-Oct-2024
  • (2024)Measuring and Characterizing (Mis)compliance of the Android Permission SystemIEEE Transactions on Software Engineering10.1109/TSE.2024.336292150:4(742-764)Online publication date: Apr-2024
  • (2024)Privbench: A Benchmark Capturing Privilege Escalation Vulnerabilities in Android2024 21st Annual International Conference on Privacy, Security and Trust (PST)10.1109/PST62714.2024.10788068(1-12)Online publication date: 28-Aug-2024
  • Show More Cited By

Index Terms

  1. Precise Android API Protection Mapping Derivation and Reasoning

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
    October 2018
    2359 pages
    ISBN:9781450356930
    DOI:10.1145/3243734
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 15 October 2018

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. access control
    2. android
    3. permission model

    Qualifiers

    • Research-article

    Conference

    CCS '18
    Sponsor:

    Acceptance Rates

    CCS '18 Paper Acceptance Rate 134 of 809 submissions, 17%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Upcoming Conference

    CCS '25

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)66
    • Downloads (Last 6 weeks)6
    Reflects downloads up to 17 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)A Longitudinal Analysis Of Replicas in the Wild Wild AndroidProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695546(1821-1833)Online publication date: 27-Oct-2024
    • (2024)Measuring and Characterizing (Mis)compliance of the Android Permission SystemIEEE Transactions on Software Engineering10.1109/TSE.2024.336292150:4(742-764)Online publication date: Apr-2024
    • (2024)Privbench: A Benchmark Capturing Privilege Escalation Vulnerabilities in Android2024 21st Annual International Conference on Privacy, Security and Trust (PST)10.1109/PST62714.2024.10788068(1-12)Online publication date: 28-Aug-2024
    • (2024)(Deep) Learning of Android Access Control Recommendation from Static Execution Paths2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00047(758-772)Online publication date: 8-Jul-2024
    • (2023)Auditing framework APIs via inferred app-side security specificationsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620576(6061-6077)Online publication date: 9-Aug-2023
    • (2023)Assessing Security, Privacy, User Interaction, and Accessibility Features in Popular E-Payment ApplicationsProceedings of the 2023 European Symposium on Usable Security10.1145/3617072.3617102(143-157)Online publication date: 16-Oct-2023
    • (2023)Demystifying Hidden Sensitive Operations in Android AppsACM Transactions on Software Engineering and Methodology10.1145/357415832:2(1-30)Online publication date: 29-Mar-2023
    • (2023)Runtime Permission Issues in Android Apps: Taxonomy, Practices, and Ways ForwardIEEE Transactions on Software Engineering10.1109/TSE.2022.314825849:1(185-210)Online publication date: 1-Jan-2023
    • (2023)An In-Depth Analysis of Android’s Java Class Library: its Evolution and Security Impact2023 IEEE Secure Development Conference (SecDev)10.1109/SecDev56634.2023.00028(133-144)Online publication date: 18-Oct-2023
    • (2023)SeqAdver: Automatic Payload Construction and Injection in Sequence-based Android Adversarial Attack2023 IEEE International Conference on Data Mining Workshops (ICDMW)10.1109/ICDMW60847.2023.00172(1342-1351)Online publication date: 4-Dec-2023
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media