DOI: 10.1145/3038912.3052609 (research article, Public Access)

SMARTGEN: Exposing Server URLs of Mobile Apps With Selective Symbolic Execution

Published: 03 April 2017

Abstract

Server URLs, including domain names, resource paths, and query parameters, are important to many security applications such as hidden service identification, malicious website detection, and server vulnerability fuzzing. Unlike traditional desktop web apps, in which server URLs are often directly visible, the server URLs of mobile apps are often hidden and are only exposed when the corresponding app code is executed. Therefore, it is important to automatically analyze mobile app code to expose the server URLs and so enable these security applications. We have thus developed SMARTGEN, which features selective symbolic execution to automatically generate server request messages that expose the server URLs by extracting and solving user input constraints in mobile apps. Our evaluation with 5,000 top-ranked mobile apps (each with over one million installs) in Google Play shows that SMARTGEN reveals 297,780 URLs in total for these apps. We then submitted all of these exposed URLs to the harmful URL detection service provided by VirusTotal, which identified 8,634 of them as harmful. Among them, 3,722 are malware sites and 3,228 are malicious sites (387 sites are counted in both categories); the rest are phishing sites.
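As an added illustration of the approach the abstract describes (constructed example code, not SMARTGEN's implementation): a toy request builder hides its server URL behind input checks, the checks are modelled as explicit per-input constraints, a small constructive solver standing in for an SMT solver produces satisfying inputs, and the URL those inputs expose is split into domain, path and query parameters. The app routine, the constraint class and all names used here are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


# Constructed stand-in for a mobile app's request builder: the server URL is
# only reached (and therefore only observable) once both input checks pass.
def build_request(user_id: str, coupon: str) -> Optional[str]:
    if len(user_id) != 6 or not user_id.isdigit():
        return None  # validation fails, the URL stays hidden
    if not coupon.startswith("WWW17-") or len(coupon) != 10:
        return None
    return f"https://api.example.com/v2/redeem?uid={user_id}&code={coupon}"


@dataclass
class StrConstraint:
    """Path constraints on one input, as a symbolic executor would collect them."""
    length: Optional[int] = None
    prefix: str = ""
    digits_only: bool = False


def solve(c: StrConstraint) -> Optional[str]:
    """Constructive solver for this tiny constraint language (stands in for Z3)."""
    if c.length is not None and len(c.prefix) > c.length:
        return None  # prefix cannot fit: unsatisfiable
    if c.digits_only and any(not ch.isdigit() for ch in c.prefix):
        return None
    filler = "0" if c.digits_only else "A"
    total = c.length if c.length is not None else len(c.prefix) + 1
    return c.prefix + filler * (total - len(c.prefix))


# Constraints of build_request's success path (hand-extracted for this toy;
# SMARTGEN derives such constraints automatically via symbolic execution).
PATH_CONSTRAINTS = {
    "user_id": StrConstraint(length=6, digits_only=True),
    "coupon": StrConstraint(length=10, prefix="WWW17-"),
}


def expose_url(func, constraints: dict) -> Optional[dict]:
    """Solve every input constraint, execute the path, and split the exposed URL."""
    args = {name: solve(c) for name, c in constraints.items()}
    if any(v is None for v in args.values()):
        return None  # some constraint is unsatisfiable: path unreachable
    url = func(**args)
    if url is None:
        return None
    parts = urlsplit(url)
    return {"domain": parts.netloc, "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()}}
```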



Published In

WWW '17: Proceedings of the 26th International Conference on World Wide Web
April 2017
1678 pages
ISBN:9781450349130

Sponsors

  • IW3C2: International World Wide Web Conference Committee

Publisher

International World Wide Web Conferences Steering Committee

Republic and Canton of Geneva, Switzerland

Author Tags

  1. mobile app
  2. symbolic execution
  3. url security

Qualifiers

  • Research-article

Conference

WWW '17
Sponsor:
  • IW3C2

Acceptance Rates

WWW '17 Paper Acceptance Rate: 164 of 966 submissions, 17%
Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (last 12 months): 127
  • Downloads (last 6 weeks): 10
Reflects downloads up to 30 Aug 2024

Cited By

  • (2024) DEMISTIFY: Identifying On-device Machine Learning Models Stealing and Reuse Vulnerabilities in Mobile Apps. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 10.1145/3597503.3623325, pages 1-13. Online publication date: 20-May-2024.
  • (2024) Attention! Your Copied Data is Under Monitoring: A Systematic Study of Clipboard Usage in Android Apps. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 10.1145/3597503.3623317, pages 1-13. Online publication date: 20-May-2024.
  • (2023) Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns. Proceedings of the 18th Asian Internet Engineering Conference, 10.1145/3630590.3630600, pages 78-86. Online publication date: 12-Dec-2023.
  • (2023) Re-measuring the Label Dynamics of Online Anti-Malware Engines from Millions of Samples. Proceedings of the 2023 ACM on Internet Measurement Conference, 10.1145/3618257.3624800, pages 253-267. Online publication date: 24-Oct-2023.
  • (2023) An integrated MCDM approach for mobile app cost predictor based on DEMATEL extended with choquet integral. Multimedia Tools and Applications, 10.1007/s11042-023-16856-y, 83:12, pages 34943-34962. Online publication date: 28-Sep-2023.
  • (2022) Understanding IoT Security from a Market-Scale Perspective. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/3548606.3560640, pages 1615-1629. Online publication date: 7-Nov-2022.
  • (2022) Game of Hide-and-Seek: Exposing Hidden Interfaces in Embedded Web Applications of IoT Devices. Proceedings of the ACM Web Conference 2022, 10.1145/3485447.3512213, pages 524-532. Online publication date: 25-Apr-2022.
  • (2022) PackerGrind: An Adaptive Unpacking System for Android Apps. IEEE Transactions on Software Engineering, 10.1109/TSE.2020.2996433, 48:2, pages 551-570. Online publication date: 1-Feb-2022.
  • (2021) Westworld: Fuzzing-Assisted Remote Dynamic Symbolic Execution of Smart Apps on IoT Cloud Platforms. Proceedings of the 37th Annual Computer Security Applications Conference, 10.1145/3485832.3488022, pages 982-995. Online publication date: 6-Dec-2021.
  • (2021) Security Smells Pervade Mobile App Servers. Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 10.1145/3475716.3475780, pages 1-10. Online publication date: 11-Oct-2021.
