DOI: 10.1145/3141235.3141239
ReDroid: Prioritizing Data Flows and Sinks for App Security Transformation

Published: 03 November 2017

Abstract

Security transformation rewrites applications so that they meet stated security guarantees. Deciding which Android apps to prioritize, and which transformation options suit each of them, is a challenging problem. Typical real-world apps contain a large number of sensitive flows and sinks, so security analysts need to prioritize these flows and data sinks according to their risk, i.e., to perform flow ranking and sink ranking. We present an efficient graph-algorithm-based risk metric for prioritizing risky flows and sinks in Android grayware apps. The orderings produced by our risk prioritization are consistent with published security reports.
We demonstrate a new automatic app transformation framework that uses the above prioritization technique to improve app security. The framework provides more rewriting options than state-of-the-art solutions by supporting both flow- and sink-based security checks. Our prototype, ReDroid, is designed for security analysts who manage organizational app repositories and customize third-party apps to satisfy organization-imposed security requirements. Our framework enables application transformation for both benchmark apps and real-world grayware to strengthen their security guarantees.

Cited By

  • Scene-Driven Exploration and GUI Modeling for Android Apps. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023), pp. 1251-1262. DOI: 10.1109/ASE56229.2023.00179. Online publication date: 11 Nov 2023.
  • A qualitative analysis of Android taint-analysis results. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering (ASE 2019), pp. 102-114. DOI: 10.1109/ASE.2019.00020. Online publication date: 10 Nov 2019.

    Published In

    FEAST '17: Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation
    November 2017
    78 pages
    ISBN:9781450353953
    DOI:10.1145/3141235
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. android rewriting
    2. security transformation
    3. sink prioritizing

    Qualifiers

    • Research-article

    Conference

    CCS '17

    Acceptance Rates

    Overall Acceptance Rate 4 of 4 submissions, 100%
