Improving Android Reliability and Security Iulian Neamtiu, Assoc. - PowerPoint PPT Presentation

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June 14, 2018

Mobile OSes rapidly expanding their device range and user base…. Android: 2 billion monthly active users … but users/developers/vendors have little insight/assurance of device behavior/reliability/security Third-party apps Core SW stack (AOSP) Preinstalled software ASPLOS’18 EASE’15 OOPSLA’16 ICSE’18 ISSTA’16 ISSRE’15 ICSE’13 MobiCom’12 ACSAC’12

The Nature of Mobile Bugs Study: 22,000 confirmed&fixed mobile bugs (Android, iOS) over 7 years Focus: High-severity bugs (crashes, data loss/corruption) Android iOS Concurrency: 66% Crash (non-concurrency): 52% GUI: 23% App. logic: 32% Security: 5% Build:12% How to find/reproduce/fix these? EASE’15

Concurrency Errors in Android

Harmful race in the Android OS! Main Thread Background Thread LoaderTask.execute() onClick Adapter.add(newslist) adapter.notifyDataSet OK Changed getViewForPosition() scroll validateForPosition() adapter.notifyDataSet onPostExecute Changed https://code.google.com/p/android/issues/detail?id=77846

Our Approach • Prior approaches: all dynamic • Low coverage, high rate of false negatives & false positives • Our approach • Action = context-sensitive event handling • Novel abstraction, reifies Callbacks, Threads, AsyncTasks, MsgHandler • Happens-before (HB): A1 ≺ A2 • A1 is completed before A2 • Bootstrapping via program synthesis è precise static analysis • Backward symbolic execution to refute (most) false positives è Effective and efficient ASPLOS’18

Program Synthesis to “Boot-strap” Precise Static Analysis SyntheticMain.java • Create synthetic “main” activity onCreate onItemClick • Create synthetic method call sites thread 1. Add lifecycle/GUI/system actions onStart Runnable1 onLongPress 2. Build call graph for found actions … … 3. Go back to step 1, iterate until fixpoint onResume onClick Runnable2 AsyncTask … … onPost onCreate Execution OptionsMenu msg1. onLow handleMessage Memory onCreate Prior Android static analyses: imprecise onStart * onResume msg1. onPost onCreate onLow Runnable2 Runnable1 onClick thread onLongPress onItemClick AsyncTask OptionsMenu handleMessage Execution Memory ASPLOS’18 *

Symbolic Execution-based Refutation Path Constraints Method entry void stop(){// action B mIsRunning = false if (mIsRunning) { if (mIsRunning) mIsRunning = false; true mAccumTime=... // 𝜷 B mIsRunning = false mIsRunning = false } Backward symbolic execution mAccumTime = … } Method exit Timer.Runnable runner = { void run() {//action A mIsRunning = true if (mIsRunning) { if (mIsRunning) mAccumTime=... // 𝜷 A mAccumTime = … if (*) { ... postDelayed(runner,...); } else mIsRunning=false; } }} No! Can 𝜷 B occur before 𝜷 A ? ASPLOS’18

Evaluation Effectiveness: races found App Installs Candidate After our True False Event (millions) racy pairs analysis races posi- Racer tives Barcode Scanner > 100 64 15 11 4 7 VLC > 100 202 35 32 3 0 ≫ FB Reader > 10 836 106 93 13 5 K-9 > 5 1,347 89 72 17 1 NPR > 1 607 21 21 0 3 Across 20 apps 431 33 29 4 4 13x Best prior Dataset: 194 open-source apps; 20 analyzed manually work (dynamic) Analysis time: about 30 minutes/apps ASPLOS’18 Skype > 1,000 178 Snapchat > 500 464 793 Netflix > 100 Acrobat Reader > 100 3,134 (paper in PayPal > 50 51 preparation) Walmart > 10 48

GUI bugs

GUI Bugs: Restart Errors Earlier version of Alarm Clock Plus app, more than 5 million installs APK change phone orientation, alarm is reset ! C o Data-flow analysis n a t n r a o l l y - s f l i o s w KR data Catch-22? Changed data or send app to background, Data save then bring to foreground Data restore alarm is reset! Exit Restart is good: cleans the state Kill-and-restart (KR) errors in Android apps Error Restart is bad: cleans the state Desktop/server programs can assume to “run forever” summary Mobile apps can be paused/killed at any time Our approach exposes data kept/lost upon restart Android saves GUI state, invokes user-defined callbacks Google Developers must do the rest ; confusing and error-prone Research Award 2015 Our approach: define KR hierarchy, static analysis to find KR errors Results: 49 confirmed bugs in 37 apps , including in well-known apps: OOPSLA’16 Dr.WebAnti-virusLight, Symantec Norton Snap, Motorola Camera, Alarm Clock Plus, OI File Manager

Security

‘Self Hiding’ Behavior (SHB) SHB = Behavior meant to hide an app’s presence or actions ⇒ A malicious app has This phone has 8 Fundamentally Deceptive deleted a user’s There are running apps installed but Our approach detects and characterizes this behavior messages without apps that the user the user can only Missing SMS! cannot see their knowledge or see 6 consent App stores do not disclose such behavior WARNING!! ICSE’18

SHB#6: Delete Message Malware DroidKungFu1 deletes SMS messages Specialinvoke $r3.<java.lang.StringBuilder: void <init>(java.lang.String>(“content://sms/”) Control & BroadcastReceiver.onReceive(SMS data flow $r4 = virtualinvoke $r3.<java.lang.StringBuilder: java.lang.StringtoString() >() _RECEIVED/ACTION_VIEW) Control & $r5 = staticinvoke <android.net.Uri:android.net.Uri parse (java.lang.String)>($r4) data flow Control & virtualinvoke $r2.<android.content.ContentResolver: int data flow delete(android.net.Uri.java.lang.String.java.lang.String[])>($r5, null , null ) Essentially, the SMS messages self NOT user-initiated! destruct! ICSE’18

For “user convenience” Results: “Good” Apps Behave Badly Dataset: 3,219 malicious apps; 6,233 benign apps Our static analysis can separate benign from malicious with 87.19% F-measure Malware employs self-hiding (1.5 SH/app; unsurprising) Some good apps employ self-hiding (0.2 SH/app) Accesses and initializes HIDE RUNNING APP location without user’s knowledge Not a False BLOCK CALL Positive! Manipulates the MUTE PHONE ringer mode Blocks notifications HIDE NOTIFICATION / BLOCK without user consent MESSAGE Interposes between LURK/HOVER for a File user and app Explorer? ICSE’18