Crowdsourced Risk Minimization for Inter-Application Access in Android

  • Lee, Youn Kyu (Computer Science Department, University of Southern California)
  • Kim, Tai Suk (Department of Computer Software Engineering, Dongeui University)
  • Received : 2017.02.02
  • Accepted : 2017.04.06
  • Published : 2017.05.31

Abstract

Android's inter-application access enriches its application ecosystem, but it also exposes security vulnerabilities through which end-user data can be exploited by attackers. Existing techniques that minimize the risks of inter-application access either suffer from inaccurate risk detection or are primarily usable only by expert users. This paper introduces a novel technique that automatically analyzes potential risks among a set of applications, helps end-users assess the identified risks effectively by crowdsourcing the assessments, and generates an access control policy that prevents unsafe inter-application access at runtime. Our evaluation demonstrated that the technique identifies potential risks between real-world applications with perfect accuracy, supports scalable analysis of a large number of applications, and successfully aids end-users' risk assessments.
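As an added illustration (not the paper's tool or code), the following Python sketch models the three stages the abstract describes: flagging inter-application paths where a caller can reach an exported component that exercises a permission the caller itself lacks, aggregating crowdsourced safe/unsafe assessments of each flagged path, and turning the result into a runtime allow/deny check. The application models, component names, permission names and votes are constructed for this example; the majority-vote threshold, the minimum vote count and the deny-by-default rule for paths with too few assessments are assumptions, not the paper's policy format.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    app: str
    name: str
    exported: bool
    required_permission: Optional[str]   # permission a caller must hold, or None
    uses_permissions: FrozenSet[str]     # sensitive permissions the component exercises


@dataclass(frozen=True)
class App:
    name: str
    permissions: FrozenSet[str]
    components: Tuple[Component, ...]


PathId = Tuple[str, str, str]  # (caller app, callee app, callee component)


def find_risky_paths(apps: List[App]) -> Dict[PathId, FrozenSet[str]]:
    """Stage 1 (assumed analysis rule): a call from one app to another app's
    exported component is flagged when the caller passes the component's own
    permission check but the component exercises a permission the caller
    does not hold. Returns each flagged path with the permissions gained."""
    risks: Dict[PathId, FrozenSet[str]] = {}
    for caller in apps:
        for callee in apps:
            if caller.name == callee.name:
                continue
            for comp in callee.components:
                if not comp.exported:
                    continue  # not reachable from another application
                if comp.required_permission and comp.required_permission not in caller.permissions:
                    continue  # the platform's permission check already blocks this call
                gained = comp.uses_permissions - caller.permissions
                if gained:
                    risks[(caller.name, callee.name, comp.name)] = frozenset(gained)
    return risks


def aggregate_votes(votes: List[Tuple[PathId, bool]]) -> Dict[PathId, Tuple[int, int]]:
    """Stage 2: tally crowdsourced assessments as (unsafe, safe) counts per path."""
    tally: Dict[PathId, List[int]] = defaultdict(lambda: [0, 0])
    for path, unsafe in votes:
        tally[path][0 if unsafe else 1] += 1
    return {p: (u, s) for p, (u, s) in tally.items()}


def build_policy(risks: Dict[PathId, FrozenSet[str]], votes: List[Tuple[PathId, bool]],
                 threshold: float = 0.5, min_votes: int = 3) -> Dict[PathId, str]:
    """Turn flagged paths plus assessments into an allow/deny policy.
    Threshold and min_votes are assumptions for this example."""
    tally = aggregate_votes(votes)
    policy: Dict[PathId, str] = {}
    for path in risks:
        unsafe, safe = tally.get(path, (0, 0))
        total = unsafe + safe
        if total < min_votes or unsafe / total >= threshold:
            policy[path] = "deny"   # too few assessments, or judged unsafe
        else:
            policy[path] = "allow"
    return policy


def is_allowed(policy: Dict[PathId, str], caller: str, callee: str, component: str) -> bool:
    """Stage 3: runtime check. Paths the analysis never flagged are allowed;
    flagged paths follow the generated policy."""
    return policy.get((caller, callee, component), "allow") == "allow"


# Constructed sample applications (not real packages).
SAMPLE_APPS = [
    App("com.example.notes", frozenset(), (
        Component("com.example.notes", "ShareActivity", True, None, frozenset()),)),
    App("com.example.sms", frozenset({"SEND_SMS"}), (
        Component("com.example.sms", "SendService", True, None, frozenset({"SEND_SMS"})),
        Component("com.example.sms", "InternalService", False, None, frozenset({"SEND_SMS"})),)),
    App("com.example.locate", frozenset({"ACCESS_FINE_LOCATION"}), (
        Component("com.example.locate", "LocationProvider", True,
                  "ACCESS_FINE_LOCATION", frozenset({"ACCESS_FINE_LOCATION"})),)),
]

P_NOTES = ("com.example.notes", "com.example.sms", "SendService")
P_LOCATE = ("com.example.locate", "com.example.sms", "SendService")

# Constructed crowd assessments: True = "unsafe", False = "safe".
SAMPLE_VOTES = [
    (P_NOTES, True), (P_NOTES, True), (P_NOTES, True), (P_NOTES, False), (P_NOTES, True),
    (P_LOCATE, False), (P_LOCATE, True), (P_LOCATE, False),
]


def demo() -> Dict[PathId, str]:
    return build_policy(find_risky_paths(SAMPLE_APPS), SAMPLE_VOTES)


if __name__ == "__main__":
    for path, decision in sorted(demo().items()):
        print(path, "->", decision)
```

Denying a flagged path until enough assessments have arrived is the conservative choice; flipping that default to allow would preserve functionality at the cost of leaving an analysed risk open in the meantime.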
