DroidChecker: analyzing android applications for capability leak
作者: Patrick P.F. Chan , Lucas C.K. Hui , S. M. Yiu
关键词: Source lines of code 、 Android (operating system) 、 Operating system 、 Android application 、 Computer science 、 App store 、 Control flow graph 、 Taint checking 、 Exploit 、 Computer security 、 Phone
摘要: While Apple has checked every app available on the App Store, Google takes another approach that allows anyone to publish apps Android Market. The openness of Market attracts both benign and malicious developers. security platform relies mainly sandboxing applications restricting their capabilities such no application, by default, can perform any operations would adversely impact other applications, operating system, or user. However, a recent research reported genuine but vulnerable application may leak its applications. When being leveraged, gain extra which they are not granted originally. We present DroidChecker, an analyzing tool searches for aforementioned vulnerability in DroidChecker uses interprocedural control flow graph searching static taint checking detect exploitable data paths application. analyzed more than 1100 using found 6 previously unknown including re-nowned Adobe Photoshop Express have also developed exploits show is permissions, access contacts phone with just few lines code.
hku.hk
acm.org 
sci-hub.se 参考文章(26)
Damien Octeau, William Enck, Patrick McDaniel, Swarat Chaudhuri, A study of android application security usenix security symposium. pp. 21- 21 ,(2011)
V. Benjamin Livshits, Monica S. Lam, Finding security vulnerabilities in java applications with static analysis usenix security symposium. pp. 18- 18 ,(2005)
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans, Automatically Hardening Web Applications Using Precise Tainting information security conference. pp. 295- 307 ,(2004) , 10.1007/0-387-25660-1_20
David Wagner, Kunal Talwar, Jeffrey S. Foster, Umesh Shankar, Detecting format string vulnerabilities with type qualifiers usenix security symposium. pp. 16- 16 ,(2001)
T. Jensen, D. Le Metayer, T. Thorn, Verification of control flow based security properties ieee symposium on security and privacy. pp. 89- 103 ,(1999) , 10.1109/SECPRI.1999.766902
Alexander Moshchuk, Adrienne Porter Felt, Helen J. Wang, Erika Chin, Steven Hanna, Permission re-delegation: attacks and defenses usenix security symposium. pp. 22- 22 ,(2011)
William Enck, Patrick McDaniel, Jaeyeon Jung, Byung-Gon Chun, Peter Gilbert, Anmol N. Sheth, Landon P. Cox, TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones operating systems design and implementation. pp. 393- 407 ,(2010) , 10.5555/1924943.1924971
Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Leonid Batyuk, Jan Hendrik Clausen, Seyit Ahmet Camtepe, Sahin Albayrak, Can Yildizli, Smartphone malware evolution revisited: Android next target? international conference on malicious and unwanted software. pp. 1- 7 ,(2009) , 10.1109/MALWARE.2009.5403026
Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo, Securing web application code by static analysis and runtime protection Proceedings of the 13th conference on World Wide Web - WWW '04. pp. 40- 52 ,(2004) , 10.1145/988672.988679
Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing inter-application communication in Android Proceedings of the 9th international conference on Mobile systems, applications, and services - MobiSys '11. pp. 239- 252 ,(2011) , 10.1145/1999995.2000018