Peter Gilbert
ABSTRACT
Smartphones and "app" markets are raising concerns about how third-party applications may misuse or improperly handle users' privacy-sensitive data. Fortunately, unlike in the PC world, we have a unique opportunity to improve the security of mobile applications thanks to the centralized nature of app distribution through popular app markets. Thorough validation of apps applied as part of the app market admission process has the potential to significantly enhance mobile device security. In this paper, we propose AppInspector, an automated security validation system that analyzes apps and generates reports of potential security and privacy violations. We describe our vision for making smartphone apps more secure through automated validation and outline key challenges such as detecting and analyzing security and privacy violations, ensuring thorough test coverage, and scaling to large numbers of apps.
- Amazon mechanical turk. www.mturk.com.Google Scholar
- Android market. market.android.com.Google Scholar
- Apple sued over apps privacy issues; google may be next. www.reuters.com/assets/print?aid=USTRE6BR1Y820101228.Google Scholar
- iphone and android apps breach privacy. www.foxnews.com/scitech/2010/12/18/apps-watching/.Google Scholar
- Malware infects more than 50 android apps. www.msnbc.msn.com/id/41867328/ns/technology_and_science-security/.Google Scholar
- More than 60 apps have been downloaded for every iOS device sold. http://www.asymco.com/2011/01/16/more-than-60-apps-have-been-downloaded-for-every-ios-device-sold/.Google Scholar
- P3P 1.1 Specification. http://www.w3.org/TR/P3P11/.Google Scholar
- Your apps are watching you. online.wsj.com/article/SB10001424052748704694004576020083703574602.html.Google Scholar
- Flashlight app sneaks tethering into app store (for now) {pulled}. www.macrumors.com, July 2010.Google Scholar
- J. Burnim and K. Sen. Heuristics for scalable dynamic test generation. In TR UCB/EECS-2008-123, 2008.Google Scholar
- C. Cadar, D. Dunbar, and D. R. Engler. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, 2008. Google ScholarDigital Library
- C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automatically generating inputs of death. In ACM CCS, 2006. Google ScholarDigital Library
- G. Candea, S. Bucur, and C. Zamfir. Automated software testing as a service. In ACM SOCC, 2010. Google ScholarDigital Library
- V. Chipounov, V. Kuznetsov, and G. Candea. S2E: A platform for in-vivo multi-path analysis of software systems. In ASPLOS, 2011. Google ScholarDigital Library
- B.-G. Chun, S. Ihm, P. Maniatis, M. Naik, and A. Patti. CloneCloud: Elastic execution between mobile device and cloud. In EuroSys, 2011. Google ScholarDigital Library
- L. Ciortea, C. Zamfir, S. Bucur, V. Chipounov, and G. Candea. Cloud9: A software testing service. In LADIS, 2009.Google Scholar
- J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In ISSTA, 2007. Google ScholarDigital Library
- M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting privacy leaks in ios applications. In NDSS, 2011.Google Scholar
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, 2010. Google ScholarDigital Library
- M. G. Kang, S. McCamant, P. Poosankam, and D. Song. DTA++: Dynamic taint analysis with targeted control-flow propagation. In NDSS, 2011.Google Scholar
- J. C. King. Symbolic execution and program testing. Communications of the ACM, 1976. Google ScholarDigital Library
- S. T. King and P. M. Chen. Backtracking intrusions. In SOSP, 2003. Google ScholarDigital Library
- J. Newsome and D. Song. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In NDSS, 2005.Google Scholar
- J. Oberheide, E. Cooke, and F. Jahanian. CloudAV: N-version antivirus in the network cloud. In USENIX Security, 2008. Google ScholarDigital Library
- G. Portokalidis, P. Homburg, K. Anagnostakis, and H. Bos. Paranoid android: Versatile protection for smartphones. In ACSAC, 2010. Google ScholarDigital Library
- K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for c. In FSE, 2005. Google ScholarDigital Library
- E. Smith. iPhone applications & privacy issues: An analysis of application transmission of iPhone unique device identifiers (UDIDs). In Technical Report, 2010.Google Scholar
- H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In ACM CCS, 2007. Google ScholarDigital Library
Index Terms
- Vision: automated security validation of mobile apps at app markets
Recommendations
Enforcing fine-grained security and privacy policies in an ecosystem within an ecosystem
MobileDeLi 2015: Proceedings of the 3rd International Workshop on Mobile Development LifecycleSmart home automation and IoT promise to bring many advantages but they also expose their users to certain security and privacy vulnerabilities. For example, leaking the information about the absence of a person from home or the medicine somebody is ...
Permission recommender system for Android
SIN '17: Proceedings of the 10th International Conference on Security of Information and NetworksThere are 1.4 billion Android devices around the globe. With so many users and apps comes the question of privacy and security. Some permissions are critical to the operation of any app. A system is required which can tell whether an app X should be ...
An investigation into Android run-time permissions from the end users' perspective
MOBILESoft '18: Proceedings of the 5th International Conference on Mobile Software Engineering and SystemsTo protect the privacy of end users from intended or unintended malicious behaviour, the Android operating system provides a permissions-based security model that restricts access to privacy-relevant parts of the platform. Starting with Android 6, the ...
Comments