ABSTRACT
Dynamic analysis is an important tool for assessing software quality during testing. It not only helps analysts identify performance bottlenecks and functional errors, but also provides a means for finding security vulnerabilities. For example, analysts can determine the servers to which a mobile app connects, which sensitive data it transfers, and which cryptographic protocols it uses for the transfer. While many approaches for monitoring a running Android app exist, most work silently assumes that a suitable execution environment is available. When analyzing hundreds of apps at the same time, however, a single phone on the analyst's desk is not enough. As we show, emulators are not always an alternative, because apps can behave differently on real hardware.
In this paper, we discuss the challenges of providing a large-scale testing environment with real Android devices on physical hardware. We further present DFarm, a software and hardware system to configure and control hundreds of Android phones in a private testing cloud. We discuss electrical wiring, USB and WiFi connectivity, automatic configuration, and load balancing. We evaluate DFarm on a range between 1 and more than 70 devices. We show that it provides near-linear scaling for dynamic app analysis when adding new devices, while retaining the original device's computation and network performance.
Index Terms
- DFarm: massive-scaling dynamic Android app analysis on real hardware