Publication Type

PhD Dissertation

Version

publishedVersion

Publication Date

4-2025

Abstract

The Android ecosystem’s openness and extensibility have fueled its dominance in the mobile market, but they also broaden the attack surface of applications by introducing insecure or redundant methods. Vulnerabilities arise from various sources, including insecure API usage, code cloning, and feature bloat, especially from unneeded components introduced during development. To address these challenges, this dissertation presents a systematic, three-phase pipeline that transitions seamlessly from vulnerability discovery to clone-based detection and, ultimately, to dynamic mitigation through runtime debloating. Each phase builds upon the insights and limitations of the previous, collectively forming a practical approach to improving Android app security.

In the first phase, we initiate our exploration with an empirical study focused on uncovering security issues in in-app browsing interfaces (IABIs), a widely used yet under-scrutinized component in both Android and iOS apps. We analyze 25 high-profile applications across five categories, including Facebook and Gmail, using eight carefully designed security tests that span the full interaction lifecycle of embedded web pages. Our findings reveal systemic usability-security flaws: (1) nearly 30% of apps fail to display sufficient URL information, impairing user judgment; (2) most custom IABIs lack trustworthy indicators for safe browsing, whereas those based on Chrome Custom Tabs and SFSafariViewController generally fare better; and (3) only a small subset of IABIs provide warnings when entering sensitive data, such as passwords, on potentially malicious pages. Despite acknowledgment from developers, usability-related fixes are often lowered in priority, highlighting a critical gap in the current mobile security mindset. To guide future improvements, we propose a set of design principles for secure IABIs. These results serve as a foundational motivation for the next phase: the scalable detection of known insecure methods.

Building on the vulnerabilities identified in the first phase, the second phase addresses the need to systematically detect vulnerable methods. Traditional static analysis approaches are prone to inherent false negatives: taint analysis tools may neglect third-party libraries (TPLs) or face timeouts and errors in whole-app analysis, and TPL detection tools are not designed to pinpoint specific vulnerable methods. We therefore aim to complement both TPL detection and taint analysis, recovering the false negatives each of them misses, by directly identifying clones of insecure methods, regardless of whether they reside in the host app code or in a shrunk library. To this end, we propose MtdScout, a novel cross-layer, method-level clone detection tool for Android apps. MtdScout generates bytecode signatures for flawed source methods using compiler-style interpretation and abstraction, and efficiently matches them against target app bytecode using signature-mapped search trees. Our experiment on ground-truth apps shows that MtdScout achieves the highest accuracy among three tested clone detection tools, with a precision of 92.5% and a recall of 87.2%. A large-scale experiment with 23.9K apps from Google Play demonstrates MtdScout's effectiveness in complementing both LibScout and CryptoGuard by identifying numerous false negatives they missed due to app shrinking, method-only cloning, and the inherent timeouts and failures of expensive taint analysis. Additionally, our experiment uncovers four security findings that highlight the disparities between MtdScout's method-level clone detection and package-level library detection. These insights lay the groundwork for the final phase: removing or neutralizing vulnerable methods in deployed apps.
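The general idea behind signature-based, method-level clone detection can be shown with a small toy. The following Python example is added here for illustration; it is not MtdScout's code, and its instruction format, the abstraction rules (registers and numeric literals abstracted, string constants and framework references kept, app-internal references collapsed), the sample "source" and "app" methods, and all method and class names are constructed for the example. It abstracts each method into a bytecode signature, stores the signatures of known-insecure source methods in a search tree (a trie keyed on abstracted instructions), and then walks each target method through the tree to report clones, which is how a renamed, register-reallocated or shrunk copy of an insecure method can still be found.

```python
"""Toy method-level clone detection via abstracted bytecode signatures.

Added example; not the dissertation's implementation. The smali-like
instruction strings, abstraction policy and sample methods are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

Signature = Tuple[str, ...]
END = "\0end"  # trie key marking the end of a complete signature

# References into the platform survive shrinking/obfuscation; app-internal
# classes and members are typically renamed, so they are collapsed to APPREF.
FRAMEWORK_PREFIXES = ("Ljava/", "Ljavax/", "Landroid/")


def abstract_instruction(instr: str) -> str:
    """Abstract one instruction: registers -> REG, numeric literals -> NUM,
    app-internal member references -> APPREF; keep opcode, framework
    references and string constants (algorithm names etc. are data at runtime)."""
    op, _, rest = instr.strip().partition(" ")
    tokens = [t.strip() for t in rest.split(",")] if rest else []
    out = []
    for tok in tokens:
        if re.fullmatch(r"[vp]\d+", tok):
            out.append("REG")
        elif re.fullmatch(r"#-?(0x)?[0-9a-fA-F]+", tok):
            out.append("NUM")
        elif "->" in tok and not tok.startswith(FRAMEWORK_PREFIXES):
            out.append("APPREF")
        else:
            out.append(tok)
    return op if not out else f"{op} {','.join(out)}"


def method_signature(instructions: Iterable[str]) -> Signature:
    return tuple(abstract_instruction(i) for i in instructions if i.strip())


class SignatureTrie:
    """Search tree mapping abstracted instruction sequences to source labels."""

    def __init__(self) -> None:
        self.root: dict = {}

    def insert(self, signature: Signature, label: str) -> None:
        node = self.root
        for tok in signature:
            node = node.setdefault(tok, {})
        node.setdefault(END, []).append(label)

    def match(self, signature: Signature) -> List[str]:
        node = self.root
        for tok in signature:
            node = node.get(tok)
            if node is None:
                return []
        return list(node.get(END, []))


def build_trie(source_methods: Dict[str, List[str]]) -> SignatureTrie:
    trie = SignatureTrie()
    for label, body in source_methods.items():
        trie.insert(method_signature(body), label)
    return trie


def scan_app(trie: SignatureTrie, app_methods: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {target method: [matched source labels]} for every clone found."""
    hits = {}
    for name, body in app_methods.items():
        matched = trie.match(method_signature(body))
        if matched:
            hits[name] = matched
    return hits


# Constructed known-insecure source methods (labels are illustrative).
SOURCE_METHODS = {
    "InsecureVerifier.verify": ["const v0, #1", "return v0"],  # always-true hostname check
    "WeakCrypto.newCipher": [
        'const-string v1, "DES/ECB/PKCS5Padding"',
        "invoke-static v1, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
        "move-result v2",
        "return v2",
    ],
    "KeyLeak.dumpKey": [
        "invoke-virtual v0, Lcom/example/KeyStore;->exportRaw()Ljava/lang/String;",
        "move-result-object v1",
        'const-string v2, "KEY"',
        "invoke-static v2, v1, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I",
    ],
}

# Constructed target app: obfuscated names, reallocated registers, renamed app classes.
APP_METHODS = {
    "a.b.C.d": ["const v3, #1", "return v3"],
    "a.b.E.f": [
        'const-string v0, "DES/ECB/PKCS5Padding"',
        "invoke-static v0, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
        "move-result v0",
        "return v0",
    ],
    "a.b.G.h": [  # benign: same shape, but a strong cipher string, so no match
        'const-string v0, "AES/GCM/NoPadding"',
        "invoke-static v0, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
        "move-result v0",
        "return v0",
    ],
    "a.b.I.j": [
        "invoke-virtual v4, La/b/K;->l()Ljava/lang/String;",
        "move-result-object v5",
        'const-string v6, "KEY"',
        "invoke-static v6, v5, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I",
    ],
}

if __name__ == "__main__":
    for target, labels in scan_app(build_trie(SOURCE_METHODS), APP_METHODS).items():
        print(f"{target} is a clone of {', '.join(labels)}")
```

The abstraction level is the central design choice: abstracting registers and numeric literals makes the signature robust to recompilation and register reallocation, while keeping string constants is what lets the toy separate the DES-based method from its AES-based look-alike. Exact whole-method matching is the simplest use of the search tree; tolerating inserted or reordered instructions would need a fuzzier walk than this example performs.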

Guided by the vulnerable-method detection of the second phase, the third phase shifts from detection to mitigation by targeting the undesired functionality within Android apps that contributes to vulnerability exposure and resource inefficiency. To accommodate diverse user needs, developers often bundle numerous features, many of which are rarely used, leading to bloated apps with larger attack surfaces. In urgent security scenarios, users may need to disable risky components immediately; however, existing debloating approaches rely on static modification and APK repackaging, which compromise usability and Android's security model. A pilot study found that 40% of high-profile apps cannot be reliably repackaged, and current tools lack support for fine-grained debloating across both DEX and native code. To address these issues, we propose 3DNDroid, a Dynamic Debloating solution that debloats unneeded DEX and Native methods at runtime without altering APKs. 3DNDroid leverages a customized Android OS and an unprivileged management app to debloat code based on a pre-generated schema. It intercepts invocations of to-be-debloated DEX methods, thereby blocking them from being interpreted or compiled by the Android Runtime (ART); for native methods of this kind, it zero-fills their memory during the loading of the corresponding executable code. It also supports recoverability, allowing debloated methods to be restored without app reinstalls. Evaluated across 55 real-world apps, 3DNDroid debloated 924 DEX and 30 native methods while eliminating over 76K potential Return-Oriented Programming (ROP) gadgets. Further analysis shows that debloating under 5% of methods can neutralize the entire category of ROP gadgets, with case studies demonstrating its effectiveness in mitigating vulnerabilities with reduced resource overhead.

Together, these three interconnected phases form a robust and scalable approach to improving Android app security. By tightly interlinking testing-based discovery, clone-driven detection, and schema-guided dynamic debloating, this dissertation substantially improves the detection and mitigation of Android app vulnerabilities, empowering developers, vendors, and users to more effectively secure and harden Android applications.

Keywords

Android App, Security, Debloating, Code Clone Detection, In-app Browsing Interfaces

Degree Awarded

PhD in Computer Science

Discipline

Numerical Analysis and Scientific Computing | Software Engineering

Supervisor(s)

GAO, Debin

First Page

1

Last Page

164

Publisher

Singapore Management University

City or Country

Singapore

Copyright Owner and License

Author