AppsPlayground: Automatic Security Analysis of Smartphone Applications

SLIDE 1

AppsPlayground: Automatic Security Analysis of Smartphone Applications

Vaibhav Rastogi, Yan Chen, and William Enck†

Lab for Internet and Security Technology, Northwestern University

†North Carolina State University

SLIDE 2

Android Threats

  • Privacy leakage
    – Users often have no way to know if there are privacy leaks
    – Even legitimate apps may leak private information without informing user
  • Malware
    – Number increasing consistently
    – Need to analyze new kinds

flickr.com/photos/panda_security_france/

SLIDE 3

Requirements

  • Large number of apps in online app stores
    – Google Play has over 700,000 apps
    – This number is constantly increasing
  • Offline analysis is important to protect users
  • Need a scalable and automatic approach to tackle threats
  • Possible techniques: dynamic analysis and static analysis

SLIDE 4

Dynamic vs. Static

| | Dynamic Analysis | Static Analysis |
|---|---|---|
| Coverage | Some code not executed | Mostly sound |
| Accuracy | False negatives | False positives |
| Dynamic aspects (reflection, dynamic loading) | Handled without additional effort | Possibly unsound for these |
| Execution context | Easily handled | Difficult to handle |
| Performance | Usually slower | Usually faster |

SLIDE 5

AppsPlayground

  • A system for offline dynamic analysis
    – Includes multiple detection techniques for dynamic analysis
  • Challenges
    – Techniques must be light‐weight
    – Automation requires good exploration techniques

SLIDE 6

Outline

  • Architecture
  • Applications and Results
  • Related Work
  • Conclusion and Future Work

SLIDE 7

Outline

  • Architecture
  • Applications and Results
  • Related Work
  • Conclusion and Future Work

SLIDE 8

Architecture

[Figure: AppsPlayground architecture diagram. Labels: Virtualized Dynamic Analysis Environment; Exploration Techniques (Event triggering, Intelligent input, Fuzzing); Detection Techniques (Kernel‐level monitoring, Taint tracking, API monitoring, …); Disguise techniques.]

SLIDE 9

Architecture

[Figure: AppsPlayground architecture diagram with a "Contributions" label. Labels: Virtualized Dynamic Analysis Environment; Exploration Techniques (Event triggering, Intelligent input, Fuzzing); Detection Techniques (Kernel‐level monitoring, Taint tracking, API monitoring, …); Disguise techniques.]

SLIDE 10

Kernel‐level Monitoring

  • Useful for malware detection
  • Most root‐capable malware can be logged for vulnerability conditions
  • Rage‐against‐the‐cage
    – Number of live processes for a user reaches a threshold
  • Exploid / Gingerbreak
    – Netlink packets sent to system daemons
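The two logged conditions on this slide, written as detection logic over a monitor trace. This is an added example, not AppsPlayground's own code: the trace format, the sample events, the daemon watchlist and the threshold passed to `analyze` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed kernel-monitor trace (format and values are assumptions for this example).
SAMPLE_TRACE = """\
100 fork uid=10051 pid=900
101 fork uid=2000 pid=901
102 fork uid=2000 pid=902
103 exit uid=2000 pid=901
104 fork uid=2000 pid=903
105 fork uid=2000 pid=904
106 fork uid=2000 pid=905
107 netlink_send uid=10051 pid=900 dst=vold
108 netlink_send uid=0 pid=1 dst=vold
109 fork uid=2000 pid=906
"""

FIRST_APP_UID = 10000                 # Android assigns app UIDs from 10000 upward
WATCHED_DAEMONS = {"vold", "init"}    # assumed watchlist of system daemons
EVENT = re.compile(r"(\d+) (\w+) uid=(\d+) pid=(\d+)(?: dst=(\S+))?")

def analyze(trace, proc_threshold):
    """Return (timestamp, rule, uid) alerts for the two logged conditions."""
    live = defaultdict(set)   # uid -> pids currently alive
    flagged = set()           # uids already reported for process count
    alerts = []
    for line in trace.splitlines():
        m = EVENT.fullmatch(line.strip())
        if not m:
            continue          # skip lines that are not monitor events
        ts, kind, uid, pid, dst = int(m[1]), m[2], int(m[3]), int(m[4]), m[5]
        if kind == "fork":
            live[uid].add(pid)
            if len(live[uid]) >= proc_threshold and uid not in flagged:
                flagged.add(uid)   # report once per excursion over the threshold
                alerts.append((ts, "process-count-threshold", uid))
        elif kind == "exit":
            live[uid].discard(pid)
            if len(live[uid]) < proc_threshold:
                flagged.discard(uid)   # re-arm once the count drops again
        elif kind == "netlink_send" and uid >= FIRST_APP_UID and dst in WATCHED_DAEMONS:
            alerts.append((ts, "netlink-to-system-daemon", uid))
    return alerts
```

Counting live processes rather than fork events matters here: the exit at timestamp 103 delays the threshold alert for uid 2000 until the fifth process is actually alive.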

SLIDE 11

Intelligent Input

  • Fuzzing is good but has limitations
  • Another black‐box GUI exploration technique
  • Capable of filling meaningful text by inferring surrounding context
    – Automatically fill out zip codes, phone numbers and even login credentials
    – Sometimes increases coverage greatly
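A sketch of inferring what to type into a text field from its surrounding context, as an added example that is not AppsPlayground's implementation. The screen snapshot, the keyword rules, the test values and the nearest-label heuristic are all assumptions made for illustration.

```python
import re

# Constructed snapshot of a sign-up screen: (id, widget class, text or hint, x, y).
SAMPLE_SCREEN = [
    ("lbl_zip",   "TextView", "ZIP code",       20, 100),
    ("in_zip",    "EditText", "",              200, 100),
    ("lbl_phone", "TextView", "Mobile number",  20, 160),
    ("in_phone",  "EditText", "",              200, 160),
    ("in_user",   "EditText", "Email address",  20, 220),   # hint only, no label
    ("in_pass",   "EditText", "Password",       20, 280),
    ("in_misc",   "EditText", "",               20, 520),   # no usable context
    ("btn_ok",    "Button",   "Sign up",        20, 580),
]

# Keyword pattern -> (category, test value); values are constructed placeholders.
RULES = [
    (r"zip|postal",               ("zip",      "60208")),
    (r"phone|mobile|cell",        ("phone",    "5555550123")),
    (r"e-?mail|user ?name|login", ("username", "tester@example.com")),
    (r"pass(word|code)?",         ("password", "Test-Passw0rd")),
]
DEFAULT = ("generic", "test")

def nearest_label(field, widgets, max_dist=250):
    """Closest TextView that is left of or above the field (Manhattan distance)."""
    _, _, _, fx, fy = field
    best = None
    for _wid, cls, text, x, y in widgets:
        if cls != "TextView" or x > fx or y > fy:
            continue
        dist = (fx - x) + (fy - y)
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, text)
    return best[1] if best else ""

def plan_inputs(widgets):
    """Map each EditText id to the (category, value) chosen from its context."""
    plan = {}
    for field in widgets:
        wid, cls, hint = field[0], field[1], field[2]
        if cls != "EditText":
            continue
        context = hint or nearest_label(field, widgets)   # the field's own hint wins
        plan[wid] = next((v for pat, v in RULES if re.search(pat, context, re.I)), DEFAULT)
    return plan
```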

SLIDE 12

Disguise Techniques

  • Make the virtualized environment look like a real phone
    – Phone identifiers and properties
    – Data on phone, such as contacts, SMS, files
    – Data from sensors like GPS
    – Cannot be perfect

SLIDE 13

Outline

  • Architecture
  • Applications and Results
  • Related Work
  • Conclusion and Future Work

SLIDE 14

Privacy Leakage Results

  • AppsPlayground automates TaintDroid
  • Large scale measurements ‐ 3,968 apps from Android Market (Google Play)
    – 946 leak some info
    – 844 leak phone identifiers
    – 212 leak geographic location
    – Leaks to a number of ad and analytics domains

SLIDE 15

Malware Detection

  • Case studies on DroidDream, FakePlayer, and DroidKungfu
  • AppsPlayground’s detection techniques are effective at detecting malicious functionality
  • Exploration techniques can help discover more sophisticated malware

SLIDE 16

Exploration Effectiveness

  • Measured in terms of code coverage
    – 33% mean code coverage
  • More than double than trivial
  • Black box technique
  • Some code may be dead code
  • Use symbolic execution in the future
  • Fuzzing and intelligent input both important
    – Fuzzing helps when intelligent input can’t model GUI
    – Intelligent input could sign up automatically for 34 different services in large scale experiments

SLIDE 17

Outline

  • Architecture
  • Applications and Results
  • Related Work
  • Conclusion and Future Work

SLIDE 18

Related Work

  • Google Bouncer
    – Similar aims; closed system
  • DroidScope, Usenix Security’12
    – Malware forensics
    – Mostly manual
  • SmartDroid, SPSM’12
    – Uses static analysis to guide dynamic exploration
    – Complementary to our approach

SLIDE 19

Conclusions and Future Work

  • AppsPlayground is a system for large‐scale, automatic dynamic analysis of Android apps
    – Multiple detection, exploration, and disguise techniques
  • Future work
    – Symbolic execution
    – Improve disguise techniques
  • Release
    – Check back soon at http://list.northwestern.edu/mobile.html