On-the-fly Android static analysis with applications in vulnerability discovery

Author

Daoyuan WU, Singapore Management UniversityFollow

Publication Type

PhD Dissertation

Version

publishedVersion

Publication Date

5-2019

Abstract

Static analysis is a common program analysis technique extensively used in the software security field. Widely-used static analysis tools for Android, e.g., Amandroid and FlowDroid, perform the whole-app analysis which is comprehensive yet at the cost of huge overheads. In this dissertation, we make a first attempt to explore a novel on-demand analysis that creatively leverages bytecode search to guide inter-procedural analysis on the fly or just in time, and develop such on-the-fly analysis into a tool, called BackDroid, for Android apps. We further explore how the core technique of on-the-fly static analysis in BackDroid can enable different vulnerability studies on Android and their corresponding new findings. To this end, we select three vulnerability analysis problems on Android as three representatives, since they require different extents of BackDroid customization in their methodology.

First, we explore how BackDroid can be applied to detect crypto and SSL/TLS misconfigurations in modern Android apps, and compare it with the state-of-the-art Amandroid tool. Second, we explore how an enhanced version of BackDroid and on-device crowdsourcing can facilitate a systematic security study of open ports in Android apps. Third, we explore how a lightweight version of BackDroid with SDK conditional statement checking can benefit a SDK-API inconsistency study that involves the control-flow analysis of multiple sink APIs. With all these works, this dissertation shows that on-the-fly Android static analysis guided by bytecode search can efficiently and effectively analyze the security of modern apps.

Keywords

Android Static Analysis, Android App Vulnerability

Degree Awarded

PhD in Information Systems

Discipline

Information Security | Numerical Analysis and Scientific Computing

Supervisor(s)

GAO, Debin

Publisher

Singapore Management University

City or Country

Singapore

Citation

WU, Daoyuan. On-the-fly Android static analysis with applications in vulnerability discovery. (2019).
Available at: https://ink.library.smu.edu.sg/etd_coll/204

Copyright Owner and License

Author

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.