Automatic Program State Exploration Techniques for Security Analysis of Android Apps
Date
2019
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
The usage and ownership of mobile devices is increasing globally. Our reliance on mobile devices and the apps they run warrant novel techniques to explore the behavior of both downloaded and pre-installed apps. Mobile apps are increasing in size and complexity, making them more challenging to design and test. Focusing on Android, the most popular mobile platform, I present methodologies to automatically analyze the states of Android apps without access to source code and from a security perspective. Primarily, my research suggests approaches to overcome the limitations of current binary code analysis techniques to also include external and environmental inputs. I explain how utilizing this augmented set of inputs we can discover unsafe app states that violate end-user security and privacy when abused by an adversary. To that end, I designed and implemented a novel program analysis technique for Android called Forced-Path Execution (FPE). FPE forces execution of code independent of the program state according to an execution strategy exposing program states that are deemed safety critical. Applying FPE on Android apps, I was able to discover unsafe use of sensitive Android Programming Interfaces (APIs) and “leaking” of Personally Identifiable Information (PII) including access to text messages and system logs, among others. In addition, I explore the security and reliability of inter-app communications via the Android Inter-Process Communication (IPC) mechanism, namely the use of Intents. I systematically stress-test this Android IPC mechanism to uncover design flaws within apps and the Android Operating System (OS) itself. My approach scales to scan thousands of apps from Google Play and the official Android Open Source Project (AOSP) code. As a result, I discovered thousands of Intent input validation faults in apps from Google Play and multiple faults in a critical AOSP system process for both the smartphone and embedded Android platforms.