Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
6-2018
Abstract
Dynamic analysis is an important technique to reveal sensitive behavior of Android apps. Current works require access to the code-level and system-level events (e.g., API calls and system calls) triggered by the running apps and consequently they can only be conducted on in-lab running environments (e.g., emulators and modified OS). The strict requirement of running environment hinders their deployment in scale and makes them vulnerable to anti-analysis techniques. Furthermore, current dynamic analysis of Android apps exploits input generators to invoke app behavior, which, however, cannot provide sufficient code coverage. We propose to dynamically analyze app behavior on non-rooted devices used by the public so that it is possible to analyze dynamically in scale without input generators. By doing so, we also maximize the code coverage since the app behavior is invoked by real users of the apps. To achieve such a goal, we build UpDroid, a system for detecting sensitive behavior without modifying Android OS, rooting the device, or leveraging emulators. UpDroid detects sensitive events by monitoring the changing of public resources on the device, instead of accessing low-level events that require rooting or system modification. To identify the apps that trigger the detected events, UpDroid formulates the identification as a ranking problem and adopts learning to rank technique to solve it. Our experimental results demonstrate that UpDroid can successfully detect the use of 15 out of 26 permissions that are labeled dangerous in the official Android documentation. We also compare UpDroid with API hooking which can theoretically capture all sensitive behavior but requires root permission and system modifications. Results show that UpDroid can still achieve 70% coverage of API hooking even without root permission or any system modifications. © 2018 Association for Computing Machinery.
Keywords
Codes (symbols), Mobile telecommunication systems, Software testing, Wireless networks, Android applications, Code coverage, Current dynamics, Learning to rank, Public resources, Ranking problems, System levels, System modifications, Android (operating system)
Discipline
Information Security
Research Areas
Cybersecurity
Publication
WiSec '18: Proceedings of the 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden, June 18-20
First Page
212
Last Page
223
ISBN
9781450357319
Identifier
10.1145/3212480.3212504
Publisher
ACM
City or Country
New York
Citation
TANG, Xiaoxiao; WU, Daoyuan; LIN, Yan; and GAO, Debin.
Towards dynamically monitoring Android applications on non-rooted devices in the wild. (2018). WiSec '18: Proceedings of the 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden, June 18-20. 212-223.
Available at: https://ink.library.smu.edu.sg/sis_research/4099
Copyright Owner and License
Publisher
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3212480.3212504