Towards dynamically monitoring Android applications on non-rooted devices in the wild
Dynamic analysis is an important technique to reveal sensitive behavior of Android apps. Current works require access to the code-level and system-level events (e.g., API calls and system calls) triggered by the running apps and consequently they can only be conducted on in-lab running environments...
Main Authors: | TANG, Xiaoxiao; WU, Daoyuan; LIN, Yan; GAO, Debin |
---|---|
Format: | text |
Language: | English |
Published: | Institutional Knowledge at Singapore Management University 2018 |
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/4099 https://ink.library.smu.edu.sg/context/sis_research/article/5102/viewcontent/p212_Tang.pdf |
Institution: | Singapore Management University |
id |
sg-smu-ink.sis_research-5102 |
---|---|
record_format |
dspace |
spelling |
sg-smu-ink.sis_research-5102 2018-12-27T07:08:43Z 2018-06-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4099 info:doi/10.1145/3212480.3212504 https://ink.library.smu.edu.sg/context/sis_research/article/5102/viewcontent/p212_Tang.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University |
institution |
Singapore Management University |
building |
SMU Libraries |
continent |
Asia |
country |
Singapore |
content_provider |
SMU Libraries |
collection |
InK@SMU |
language |
English |
topic |
Codes (symbols); Mobile telecommunication systems; Software testing; Wireless networks; Android applications; Code coverage; Current dynamics; Learning to rank; Public resources; Ranking problems; System levels; System modifications; Android (operating system); Information Security |
description |
Dynamic analysis is an important technique to reveal sensitive behavior of Android apps. Current works require access to the code-level and system-level events (e.g., API calls and system calls) triggered by the running apps and consequently they can only be conducted on in-lab running environments (e.g., emulators and modified OS). The strict requirement of running environment hinders their deployment in scale and makes them vulnerable to anti-analysis techniques. Furthermore, current dynamic analysis of Android apps exploits input generators to invoke app behavior, which, however, cannot provide sufficient code coverage. We propose to dynamically analyze app behavior on non-rooted devices used by the public so that it is possible to analyze dynamically in scale without input generators. By doing so, we also maximize the code coverage since the app behavior is invoked by real users of the apps. To achieve such a goal, we build UpDroid, a system for detecting sensitive behavior without modifying Android OS, rooting the device, or leveraging emulators. UpDroid detects sensitive events by monitoring the changing of public resources on the device, instead of accessing low-level events that require rooting or system modification. To identify the apps that trigger the detected events, UpDroid formulates the identification as a ranking problem and adopts learning to rank technique to solve it. Our experimental results demonstrate that UpDroid can successfully detect the use of 15 out of 26 permissions that are labeled dangerous in the official Android documentation. We also compare UpDroid with API hooking which can theoretically capture all sensitive behavior but requires root permission and system modifications. Results show that UpDroid can still achieve 70% coverage of API hooking even without root permission or any system modifications. © 2018 Association for Computing Machinery. |
format |
text |
author |
TANG, Xiaoxiao; WU, Daoyuan; LIN, Yan; GAO, Debin |
author_sort |
TANG, Xiaoxiao |
title |
Towards dynamically monitoring Android applications on non-rooted devices in the wild |
publisher |
Institutional Knowledge at Singapore Management University |
publishDate |
2018 |
url |
https://ink.library.smu.edu.sg/sis_research/4099 https://ink.library.smu.edu.sg/context/sis_research/article/5102/viewcontent/p212_Tang.pdf |
_version_ |
1770574308703207424 |