Abdallah Dawoud (CISPA Helmholtz Center for Information Security), Sven Bugiel (CISPA Helmholtz Center for Information Security)

Android's application framework plays a crucial part in protecting users' private data and the system integrity. Consequently, it has been the target of various prior works that analyzed its security policy and enforcement. Those works uncovered different security problems, including incomplete documentation, permission re-delegation within the framework, and inconsistencies in access control. However, all but one of those prior works were based on static code analysis. Thus, their results provide a one-sided view that inherits the limitations and drawbacks of applying static analysis to the vast, complex code base of the application framework. Moreover, the performance of different security applications, including malware classification and least-privileged apps, depends on those analysis results, but those applications are currently tarnished by imprecise and incomplete results as a consequence of this imbalanced analysis methodology. To complement and refine this methodology and consequently improve the applications that are dependent on it, we add dynamic analysis of the application framework to the current research landscape and demonstrate the necessity of this move for improving the quality of prior results and advancing the field. Applying our solution, called Dynamo, to four prominent use-cases from the literature and taking a synoptical view on the results, we verify but also refute and extend the existing results of prior static analysis solutions. From the manual investigation of the root causes of discrepancies between results, we draw new insights and expert knowledge that can be valuable in improving both static and dynamic testing of the application framework.
