Static Analysis of Android Applications for Finding Bugs and Security Vulnerabilities
‹Programming› Keynote
Mobile applications have become prevalent and they introduce new kinds of problems compared to traditional applications. We present a series of our efforts in statically analyzing Android applications to find bugs and vulnerabilities in them. We first describe how the powerful Android Debug Bridge (ADB), a command-line tool to communicate with Android devices for debugging purposes, can open a gate to adversaries. To protect Android devices from various attacks using ADB, we present several mitigation mechanisms including a static analysis tool that analyzes Android applications to detect possible attacks using ADB capabilities. Then, we present HybriDroid, a static analysis framework for Android hybrid apps. We investigate the semantics of Android hybrid apps, especially the interoperation mechanism between Android Java and JavaScript. Then, we design and implement a static analysis framework that analyzes inter-communication between Android Java and JavaScript. As example analyses supported by HybriDroid, we implement a bug detector that identifies programmer errors due to the hybrid semantics, and a taint analyzer that finds information leaks across language boundaries. Our empirical evaluation shows that the tools are practically usable in that they found previously undiscovered bugs in real-world Android hybrid apps and possible information leaks via a widely-used advertising platform. Finally, we demonstrate Android activity injection attacks with a simple malware, and formally specify the activity activation mechanism using operational semantics. Based on the operational semantics, we develop a static analysis tool, which analyzes Android apps to detect activity injection attacks. Our tool is fast enough to analyze real-world Android apps in 6 seconds on average, and our experiments found that 1,761 apps out of 129,756 real-world Android apps inject their activities into other apps' tasks.
Thu 12 Apr, 09:00 - 10:00 (60m talk, Keynotes). Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.