Android Security via Static Analysis Techniques

File: Shen_buffalo_0656A_16053.pdf (4.701Mb)
Date: 2018
Author: Shen, Feng (0000-0001-7076-766X)

Abstract
Android is a popular platform designed for mobile devices. It consists of a customized Linux kernel, middleware, and a few core applications such as the Phone application. The middleware, commonly referred to as the Android framework, provides libraries and runtime services to applications. Applications in Android are written mainly in Java. Once compiled, Android transforms its applications into the Dalvik Executable (DEX) format to minimize the memory footprint, and uses a Java VM called Dalvik to execute DEX bytecode.

Unlike other mobile OSes, Android has a unique permission mechanism. At development time, an application developer needs to explicitly request permissions by including them in an application configuration file (AndroidManifest.xml); we refer to this configuration file simply as the manifest in the remainder of the paper. At installation time, each user needs to review the permissions that the application requests and explicitly grant them. Android currently has over 130 permissions that applications can request in API level 17. These permissions are API-oriented and access-based, i.e., permissions control access to sensitive APIs (referred to as protected APIs). Generally, an application can ask for permissions to use protected APIs for phone resources (e.g., storage, NFC, WiFi) or for information available on the phone (e.g., contacts, location, call logs).

While this permission mechanism is effective in pinpointing which sensitive APIs an application uses, it does not provide any insight into what the application actually does with those APIs. Our goal is therefore to complement the existing mechanism by providing both behavioral information about a single application and information about the interactions among multiple applications. This thesis proposes Flow Permissions, an extension to the Android permission mechanism. Unlike the existing permission mechanism, our permission mechanism carries semantic information based on information flows. Flow Permissions allow users to examine and grant per-app information flows within an application (e.g., a permission for reading the phone number and sending it over the network) as well as cross-app information flows across multiple applications (e.g., a permission for reading the phone number and sending it to another application already installed on the user's phone). Our goal with Flow Permissions is to provide visibility into the holistic behavior of the applications installed on a user's phone. To support Flow Permissions on Android, we have developed a static analysis engine that detects flows within an Android application, and we have modified Android's existing permission mechanism and installation procedure to support Flow Permissions.

Along with the rapid growth of the Android market, both Android malware and benignware have evolved and become more complicated. Because of the diverse functionality modern apps provide, benign apps are more complex, and it is common for a benign app to use multiple sensitive data sources for normal operation. Moreover, malware apps disguise themselves as benign apps and hide their malicious code among benign code. It has become increasingly difficult to distinguish malware apps from benign apps. As a result, mobile malware detection continues to be a challenging problem, with security researchers estimating that new malware is created and deployed every 4.2 seconds. To combat this problem, many approaches and tools have been proposed in recent years. However, all these tools are evaluated on hand-selected or private data sets, making comparison across tools and techniques very difficult; the only common comparison point is a public malware benchmark set gathered in 2012. To tackle these issues, this paper introduces a new benchmark app set for comparing and contrasting Android malware detection strategies. We begin with a survey and systematic study of 56,000 modern malware apps. We discuss current Android malware detection tools and synthesize a set of features/metrics that these tools leverage. Next, we statistically analyze our dataset based on these metrics, and we consider the evolution of both malware and benign applications with respect to them. Based on these studies and comparisons, we select a representative 1,000 malware apps and 1,000 benign apps as a modern app benchmark.

Along with the explosive growth of smartphone sales, the threat of Android malware is spreading rapidly, especially repackaged Android malware. This thesis proposes a new technique to detect mobile malware based on information flow analysis. Our approach examines the structure of information flows to identify the patterns of behavior present in them and to determine which flows are related, i.e., those that share partial computation paths. We call such flows Complex-Flows, as their structure, patterns, and relations accurately capture the complex behavior exhibited by both recent malware and benign applications. N-gram analysis is used to identify unique and common behavioral patterns present in Complex-Flows. The N-gram analysis is performed on sequences of API calls that occur along the control flow paths of Complex-Flows. We show the effectiveness and precision of our technique by applying it to multiple different data sets.
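As an added illustration of the Complex-Flow and N-gram ideas described in the abstract (example code written for this page, not the thesis's analysis engine): it groups flows that share a partial computation path into Complex-Flows, then compares the API-call N-grams of a constructed malware flow set against a constructed benign flow set. All flow data and API names below are constructed for illustration.

```python
# Constructed sample data: each flow is the sequence of API calls observed
# along one control-flow path from a source to a sink. Names are modelled on
# Android framework APIs for illustration; none of this is data from the thesis.
MALWARE_FLOWS = [
    ["TelephonyManager.getDeviceId", "StringBuilder.append", "HttpURLConnection.connect"],
    ["TelephonyManager.getDeviceId", "StringBuilder.append", "SmsManager.sendTextMessage"],
    ["ContentResolver.query", "Cursor.getString", "HttpURLConnection.connect"],
]
BENIGN_FLOWS = [
    ["LocationManager.getLastKnownLocation", "Location.getLatitude", "HttpURLConnection.connect"],
    ["ContentResolver.query", "Cursor.getString", "TextView.setText"],
]

def ngrams(seq, n):
    """All contiguous n-grams of an API-call sequence, as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def shared_prefix(a, b):
    """Length of the computation path two flows have in common (shared prefix)."""
    k = 0
    while k < min(len(a), len(b)) and a[k] == b[k]:
        k += 1
    return k

def complex_flows(flows, min_shared=1):
    """Group flows that share a partial computation path (at least min_shared
    leading API calls) into Complex-Flows; each group is a list of flow indices."""
    groups = []
    for i, flow in enumerate(flows):
        for g in groups:
            if any(shared_prefix(flow, flows[j]) >= min_shared for j in g):
                g.append(i)
                break
        else:
            groups.append([i])
    return groups

def ngram_set(flows, n):
    """Set of distinct n-grams occurring in any flow of the set."""
    return {g for f in flows for g in ngrams(f, n)}

def compare_profiles(malware, benign, n=2):
    """Split n-grams into malware-only, benign-only and common behavioral patterns."""
    m, b = ngram_set(malware, n), ngram_set(benign, n)
    return {"malware_only": sorted(m - b),
            "benign_only": sorted(b - m),
            "common": sorted(m & b)}
```

On the constructed data the two device-ID flows form one Complex-Flow because they share the same first two calls, and the only bigram common to both sets is the contacts query, which is why flow context rather than a single API matters.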
URI: http://hdl.handle.net/10477/78608
Collections: 2018-09-01 UB Theses and Dissertations (public)