http://dx.doi.org/10.9717/kmms.2016.19.10.1792

Research on Secure Coding and Weakness for Implementation of Android-based Dynamic Class Loading  

Kim, Hyunjo (Division of Information Security, Graduate School, Korea University)
Choi, Jin-Young (Division of Information Security, Graduate School, Korea University)
Abstract
Android applications are vulnerable to reverse engineering attacks, which make it easy to extract significant modules from the source code and repackage them. To prevent this problem, the dynamic class loading technique can be used: it excludes running code from the distributed source code and loads that code dynamically at runtime. Recently, this technique has been applied in a variety of fields and applications, such as updating pre-loaded Android applications and preventing the repackaging of malicious applications. Despite this wide use, there is a fundamental lack of study of its potential weaknesses and of related secure coding. This paper deals with potential weaknesses in the implementation of the dynamic class loading technique by analysing related international and domestic weakness standards, and suggests a secure way to implement the technique. Finally, we believe that the technique described here could increase the level of trust by decreasing the weaknesses related to dynamic class loading.
Keywords
Mobile Security; Secure Coding; Weakness; Dynamic Class Loading
Citations & Related Records
Times Cited By KSCI: 2