Exposing software security and availability risks for commercial mobile devices

2013 Proceedings Annual Reliability and Maintainability Symposium (RAMS) Pub Date : 2013-05-23 DOI:10.1109/RAMS.2013.6517735

Ryan V. Johnson, Zhaohui Wang, A. Stavrou, J. Voas

{"title":"Exposing software security and availability risks for commercial mobile devices","authors":"Ryan V. Johnson, Zhaohui Wang, A. Stavrou, J. Voas","doi":"10.1109/RAMS.2013.6517735","DOIUrl":null,"url":null,"abstract":"The advent of smaller, faster, and always connected handheld devices along with the ever-increasing reliance on technology for our everyday activities have introduced novel threats and risks. Beyond hardware security another primary factor that affects the reliability of the device is mobile applications. Indeed, the shift to smart commercially available mobile devices has created a pressing need for understanding the risks in using third-party mobile code running on the mobile devices. This new generation of smart devices and systems, including iPhone and Google Android, are powerful enough to accomplish most of the user tasks previously requiring a personal computer. In our paper, we discuss the cyber threats that stem from these new smart device capabilities and the on-line application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. In this manuscript, we present our efforts towards a framework for exposing the functionality of a mobile application through a combination of static and dynamic program analysis that attempts to explore all available execution paths including libraries. We verified our approach by testing a large number of Android applications with our dynamic analysis framework to exhibit its functionality and viability. The framework allows complete automation of the execution process so that no user input is required. We also discuss how our static analysis output can be used to inform the execution of the dynamic analysis. Our approach can serve as an extensible basis to fulfill other useful purposes such as symbolic execution, program verification, interactive debugger, and other approaches that require deep inspection of an Android application. In summary, we believe that our efforts are the beginning of a long journey to asserting and exposing the risks of commercially available mobile devices. Our future work will include non-Android platforms.","PeriodicalId":189714,"journal":{"name":"2013 Proceedings Annual Reliability and Maintainability Symposium (RAMS)","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 Proceedings Annual Reliability and Maintainability Symposium (RAMS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/RAMS.2013.6517735","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 11

Abstract

The advent of smaller, faster, and always connected handheld devices along with the ever-increasing reliance on technology for our everyday activities have introduced novel threats and risks. Beyond hardware security another primary factor that affects the reliability of the device is mobile applications. Indeed, the shift to smart commercially available mobile devices has created a pressing need for understanding the risks in using third-party mobile code running on the mobile devices. This new generation of smart devices and systems, including iPhone and Google Android, are powerful enough to accomplish most of the user tasks previously requiring a personal computer. In our paper, we discuss the cyber threats that stem from these new smart device capabilities and the on-line application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. In this manuscript, we present our efforts towards a framework for exposing the functionality of a mobile application through a combination of static and dynamic program analysis that attempts to explore all available execution paths including libraries. We verified our approach by testing a large number of Android applications with our dynamic analysis framework to exhibit its functionality and viability. The framework allows complete automation of the execution process so that no user input is required. We also discuss how our static analysis output can be used to inform the execution of the dynamic analysis. Our approach can serve as an extensible basis to fulfill other useful purposes such as symbolic execution, program verification, interactive debugger, and other approaches that require deep inspection of an Android application. In summary, we believe that our efforts are the beginning of a long journey to asserting and exposing the risks of commercially available mobile devices. Our future work will include non-Android platforms.

查看原文本刊更多论文

暴露商业移动设备的软件安全性和可用性风险

更小、更快、始终连接的手持设备的出现，以及我们日常活动对技术的日益依赖，带来了新的威胁和风险。除了硬件安全之外，影响设备可靠性的另一个主要因素是移动应用程序。事实上，随着向智能商用移动设备的转变，我们迫切需要了解在移动设备上运行第三方移动代码的风险。包括iPhone和谷歌安卓(Google Android)在内的新一代智能设备和系统功能强大，足以完成以前需要个人电脑才能完成的大部分用户任务。在我们的论文中，我们讨论了源于这些新的智能设备功能和移动设备在线应用市场的网络威胁。这些威胁包括恶意软件、数据泄露、利用USB、用户和数据跟踪。在这份手稿中，我们展示了我们对一个框架的努力，该框架通过静态和动态程序分析的组合来展示移动应用程序的功能，该框架试图探索包括库在内的所有可用的执行路径。我们通过使用动态分析框架测试大量Android应用程序来验证我们的方法，以展示其功能和可行性。该框架允许执行过程完全自动化，因此不需要用户输入。我们还讨论了如何使用静态分析输出来通知动态分析的执行。我们的方法可以作为一个可扩展的基础，以实现其他有用的目的，如符号执行、程序验证、交互式调试器和其他需要深入检查Android应用程序的方法。总之，我们相信，我们的努力是断言和揭露商用移动设备风险的漫长旅程的开始。我们未来的工作将包括非android平台。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 Proceedings Annual Reliability and Maintainability Symposium (RAMS)

自引率

0.00%

发文量