Towards dynamically monitoring Android applications on non-rooted devices in the wild

Author

Xiaoxiao TANG, Singapore Management UniversityFollow
Daoyuan WU, Singapore Management UniversityFollow
Yan LIN, Singapore Management UniversityFollow
Debin GAO, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

6-2018

Abstract

Dynamic analysis is an important technique to reveal sensitive behavior of Android apps. Current works require access to the code-level and system-level events (e.g., API calls and system calls) triggered by the running apps and consequently they can only be conducted on in-lab running environments (e.g., emulators and modified OS). The strict requirement of running environment hinders their deployment in scale and makes them vulnerable to anti-analysis techniques. Furthermore, current dynamic analysis of Android apps exploits input generators to invoke app behavior, which, however, cannot provide sufficient code coverage. We propose to dynamically analyze app behavior on non-rooted devices used by the public so that it is possible to analyze dynamically in scale without input generators. By doing so, we also maximize the code coverage since the app behavior is invoked by real users of the apps. To achieve such a goal, we build UpDroid, a system for detecting sensitive behavior without modifying Android OS, rooting the device, or leveraging emulators. UpDroid detects sensitive events by monitoring the changing of public resources on the device, instead of accessing low-level events that require rooting or system modification. To identify the apps that trigger the detected events, UpDroid formulates the identification as a ranking problem and adopts learning to rank technique to solve it. Our experimental results demonstrate that UpDroid can successfully detect the use of 15 out of 26 permissions that are labeled dangerous in the official Android documentation. We also compare UpDroid with API hooking which can theoretically capture all sensitive behavior but requires root permission and system modifications. Results show that UpDroid can still achieve 70% coverage of API hooking even without root permission or any system modifications. © 2018 Association for Computing Machinery.

Keywords

Codes (symbols), Mobile telecommunication systems, Software testing, Wireless networks, Android applications, Code coverage, Current dynamics, Learning to rank, Public resources, Ranking problems, System levels, System modifications, Android (operating system)

Discipline

Information Security

Research Areas

Cybersecurity

Publication

WiSec '18: Proceedings of the 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden, June 18-20

First Page

212

Last Page

223

ISBN

9781450357319

Identifier

10.1145/3212480.3212504

Publisher

ACM

City or Country

New York

Citation

TANG, Xiaoxiao; WU, Daoyuan; LIN, Yan; and GAO, Debin. Towards dynamically monitoring Android applications on non-rooted devices in the wild. (2018). WiSec '18: Proceedings of the 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Stockholm, Sweden, June 18-20. 212-223.
Available at: https://ink.library.smu.edu.sg/sis_research/4099

Copyright Owner and License

Publisher

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3212480.3212504