Vision: Automated Security Validation of Mobile Apps at App Markets

1. Vision: Automated Security Validation of Mobile Apps atApp Markets Presented by: Tom Staley

2. Introduction • Rising security concerns in the smartphone app community • Use of private data: • Passwords • Financial records • GPS locations • Malware attacks have been found targeting smartphones

3. TaintDroid • Previous attempt by presenters to address security problems • Tracks sensitive data as it flows between apps • Raises an alert when sensitive data is transmitted off the phone • Leaks are only found after the data has been lost

4. Current Security Methods • Unlike PCs, the app market is highly centralized • Scan apps as they join the market • Currently applied manually, if at all • Some banned behavior still slips through the cracks

5. Proposed Solution • AppInspector • Service run by market providers or by a third-party • Uses multiple virtual smartphones to run instances of apps before they reach the market • Entire process is automated to ensure thorough testing

6. Challenges • Three challenges with AppInspector • How to track and log data • How to determine security violations using the logs • How to ensure all branches of code are covered

7. AppInspector Components • Four main components • Input generator • Execution explorer • Information flow tracker • Security analyzer

8. Types of violations • Security violation - when an app accesses data without permissions to do so • Privacy violation – when an app discloses information without prompting the user • AppInspector focuses on privacy violations

9. Tracking Data • Log data about explicit and implicit data flows • Various actions also logged, like methods that access disk memory or device sensors • Action logging has to be limited to reduce overhead

10. Data Flows • Explicit data flow – following data through use of data dependencies • Attach a “label” to data as it leaves the source of the data • Track the label through the program until it reaches a “sink” • Implicit data flow – when sensitive information can be found by looking at control flow • if (w == 0) x = y; else z = y; • If w is privacy-sensitive, looking at values of x and z can determine if w == 0;

11. Violation Detection • Two methods to detect privacy violations • When sensitive data is disclosed: • Use data dependency graph to trace sensitive data back to source • Check for user notifications or search license agreements for permissions

12. Input Generation • App are event-driven • Two types of events: • UI inputs • Callback triggers from device sensors • These inputs can be randomly generated to test apps

13. Concrete Execution • Randomly generating input is known as Concrete Execution • Developers tested this approach on 9 apps • Fed constant stream of input for 30 minutes • 40% or lower code coverage found

14. Symbolic Execution • Another type of input testing known as symbolic testing • Systematically tests all possible execution paths • Highly inefficient

15. Concolic Execution • Mix of concrete and symbolic execution • Run symbolic execution on main application code • All other code (code libraries, system code, etc.) tested with concrete execution • Switch between the two methods as required during testing

16. Conclusion • The app market is at risk for security and privacy violations • AppInspector developed to scan apps before they reach marketplace • Uses concolic execution to generate input • Tracks sensitive data as it propagates through app • Uses logs to determine if privacy violation has occurred

17. Bibliography Peter Gilbert, "Vision: Automated Security Validation of Mobile Apps at App Markets", MCS’11, June 28, 2011, Bethesda, Maryland, USA.