Volume 25, Issue 5


A Novel Hybrid Method to Analyze Security Vulnerabilities in Android Applications

Junwei Tang, Ruixuan Li, Kaipeng Wang, Xiwu Gu, Zhiyong Xu
School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China.
Math and Computer Science Department, Suffolk University, Boston, MA 02101, USA.
Shenzhen Institute of Advanced Technology, Chinese Academy of Science, Shenzhen 518055, China.

Abstract

We propose a novel hybrid method to analyze security vulnerabilities in Android applications. Our method combines static analysis, which consists of metadata and data flow analyses, with dynamic analysis, which includes dynamic executable scripts and application program interface hooks. Our hybrid method can effectively analyze nine major categories of important security vulnerabilities in Android applications. We design dynamic executable scripts that record and perform manual operations to customize the execution path of the target application. Our dynamic executable scripts can replace most manual operations, simplify the analysis process, and further verify the corresponding security vulnerabilities. We successfully statically analyze 5547 malware samples in Drebin and 10 151 real-world applications. The average analysis time of each application in Drebin is 4.52 s, whereas it reaches 92.02 s for real-world applications. Our system can detect all the labeled vulnerabilities among 56 labeled applications. Further dynamic verification shows that our static analysis accuracy approximates 95% for real-world applications. Experiments show that our dynamic analysis can effectively detect the vulnerability named input unverified, which is difficult for other methods to detect. In addition, our dynamic analysis can be extended to detect more types of vulnerabilities.

Keywords: Android security, vulnerability analysis, static analysis, dynamic analysis

Publication history

Received: 30 October 2019
Accepted: 04 November 2019
Published: 16 March 2020
Issue date: October 2020

Copyright

© The author(s) 2020

Acknowledgements

This work was supported by the National Key Research and Development Program of China (Nos. 2016YFB0800402 and 2016QY01W0202), the National Natural Science Foundation of China (Nos. U1836204, U1936108, 61572221, 61433006, U1401258, 61572222, and 61502185), and the Major Projects of the National Social Science Foundation (No. 16ZDA092).

Rights and permissions

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).