‹Programming› 2018
Mon 9 - Thu 12 April 2018 Nice, France

Mobile applications have become prevalent and they introduce new kinds of problems compared to traditional applications. We present a series of our efforts in statically analyzing Android applications to find bugs and vulnerabilities in them. We first describe how the powerful Android Debug Bridge (ADB), a command-line tool to communicate with Android devices for debugging purposes, can open a gate to adversaries. To protect Android devices from various attacks using ADB, we present several mitigation mechanisms, including a static analysis tool that analyzes Android applications to detect possible attacks using ADB capabilities. Then, we present HybriDroid, a static analysis framework for Android hybrid apps. We investigate the semantics of Android hybrid apps, especially the interoperation mechanism between Android Java and JavaScript. Then, we design and implement a static analysis framework that analyzes inter-communication between Android Java and JavaScript. As example analyses supported by HybriDroid, we implement a bug detector that identifies programmer errors due to the hybrid semantics, and a taint analyzer that finds information leaks across language boundaries. Our empirical evaluation shows that the tools are practically usable in that they found previously undiscovered bugs in real-world Android hybrid apps and possible information leaks via a widely-used advertising platform. Finally, we demonstrate Android activity injection attacks with a simple malware, and formally specify the activity activation mechanism using operational semantics. Based on the operational semantics, we develop a static analysis tool, which analyzes Android apps to detect activity injection attacks. Our tool is fast enough to analyze real-world Android apps in 6 seconds on average, and our experiments found that 1,761 apps out of 129,756 real-world Android apps inject their activities into other apps' tasks.