Revisiting the Description-to-Behavior Fidelity in Android Applications

Authors: Le Yu, Xiapu Luo, Chenxiong Qian, Shuai Wang

DOI: 10.1109/SANER.2016.67

Keywords: Computer science, Computer security, Privacy software, Bytecode, Mobile malware, Android (operating system), Permission, Static program analysis, Privacy policy, Malware

Abstract: Since more than 96% of mobile malware targets the Android platform, various techniques based on static code analysis or dynamic behavior have been proposed to detect malicious applications. As malware becomes more complicated and stealthy, recent research has proposed a promising detection approach that looks for inconsistency between an application's permissions and its description. In this paper, we revisit this approach and find that relying on description and permissions alone leads to many false positives. Therefore, we propose employing an app's privacy policy and bytecode to enhance the detection. It is non-trivial to automatically analyze and cross-verify these four kinds of software artifacts: privacy policy, bytecode, description, and permissions. We propose a novel data flow model for this analysis and develop a system, named TAPVerifier, that investigates each artifact individually and conducts the cross-verification. The experimental results show that TAPVerifier performs these analyses with high accuracy and recall rate. More importantly, integrating code-level information removes 8.1%-65.5% of the false positives reported by existing permission-based systems.
