Security Metrics for the Android Ecosystem

@article{Thomas2015SecurityMF,
  title={Security Metrics for the Android Ecosystem},
  author={Daniel R. Thomas and Alastair R. Beresford and Andrew C. Rice},
  journal={Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices},
  year={2015}
}
  • Daniel R. Thomas, A. Beresford, A. Rice
  • Published 12 October 2015
  • Computer Science
  • Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices
The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and… 
View on ACM
strathprints.strath.ac.uk
70 Citations
Highly Influential Citations
4
Background Citations
34
Methods Citations
4

70 Citations

Citation Type

Citation Type

An Empirical Study of Android Security Bulletins in Different Vendors
TLDR
A comprehensive study of 3,171 Android-related vulnerabilities is performed and it is found that the studied vendors in the Android ecosystem have adopted different structures for vulnerability reporting, and vendors are less likely to react with delay for CVEs with Android Git repository references.
Honey, I Shrunk Your App Security: The State of Android App Hardening
TLDR
This paper assesses the RASP market for Android by providing an overview of the available products and their features, and describes an in-depth case study for a leading RasP product—namely Promon Shield—which is being used by approximately 100 companies to protect over 100 million end users worldwide.
The Android OS stack and its vulnerabilities: an empirical study
TLDR
The largest study so far aimed at analyzing software vulnerabilities in the Android OS is presented, which analyzes a total of 1,235 vulnerabilities from four different perspectives: vulnerability types and their evolution, CVSS vectors that describe the vulnerabilities, impacted Android OS layers, and their survivability across the AndroidOS history.
LaChouTi: kernel vulnerability responding framework for the fragmented Android devices
TLDR
The results show that: (1) the security risk of unpatched vulnerabilities caused by fragmentation is serious; and (2) the proposed LaChouTi is effective in responding to such security risk.
The Android Platform Security Model
TLDR
This article aims to both document the abstract model of the Android security model and discuss its implications, and analyze how the different security measures in past and current Android implementations work together to mitigate these threats.
Security in Android Applications Master
The ubiquity of smartphones, and their very broad capabilities and usage, make the security of these devices tremendously important. Unfortunately, despite all progress in security and privacy
Deploying Android Security Updates: an Extensive Study Involving Manufacturers, Carriers, and End Users
TLDR
This paper performs an extensive quantitative study to measure the Android security updates and OS upgrades rollout process, and delves into the effectiveness of current Android projects.
Studying TLS Usage in Android Apps
TLDR
This paper uses data collected by Lumen, a mobile measurement platform, to analyze how 7,258 Android apps use TLS in the wild and analyzes and fingerprint handshake messages to characterize the TLS APIs and libraries that apps use, and evaluates weaknesses.
An Economic Study of the Effect of Android Platform Fragmentation on Security Updates
TLDR
A model of the Android ecosystem utilizing the concepts of game theory and product differentiation to capture the competition involving two vendors customizing the AOSP platform and shows how product prices will decrease for the same cost of customization in the presence of a fine, or a higher level of regulator-imposed minimum security.
Systematic discovery of Android customization hazards
The open nature of Android ecosystem has naturally laid the foundation for a highly fragmented operating system. In fact, the official AOSP versions have been aggressively customized into thousands
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 40 REFERENCES
Security Enhanced (SE) Android: Bringing Flexible MAC to Android
TLDR
The work to bring flexible mandatory access control (MAC) to Android is motivated and described by enabling the effective use of Security Enhanced Linux (SELinux) for kernel-level MAC and by developing a set of middleware MAC extensions to the Android permissions model.
Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating
TLDR
This research brought to light a new type of security-critical vulnerabilities, called Pileup flaws, through which a malicious app can strategically declare a set of privileges and attributes on a low-version operating system (OS) and wait until it is upgraded to escalate its privileges on the new system.
The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching
TLDR
This first systematic study of patch deployment in client-side vulnerabilities from 10 popular client applications is presented, and several new threats presented by multiple installations of the same program and by shared libraries distributed with several applications are identified.
Critical Vulnerability in Browser Security Metrics
Every time a browser vendor releases a patch for a critical vulnerability, the popular news media publishes a slew of negative press article detailing the security holes that have been announced in
Jekyll on iOS: When Benign Apps Become Evil
TLDR
A novel attack method is presented that allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process, and to introduce malicious control flows by rearranging signed code.
DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket
TLDR
DREBIN is proposed, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone and outperforms several related approaches and detects 94% of the malware with few false alarms.
Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets
TLDR
A permissionbased behavioral footprinting scheme to detect new samples of known Android malware families and a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families are proposed.
DroidChameleon: evaluating Android anti-malware against transformation attacks
TLDR
This paper evaluates the state-of-the-art commercial mobile antimalware products for Android and test how resistant they are against various common obfuscation techniques and proposes possible remedies for improving the current state of malware detection on mobile devices.
Secure Software Updates: Disappointments and New Challenges
TLDR
This analysis of several popular software update mechanisms shows that deployed systems often rely on trusted networks to distribute critical software updates-despite the research progress in secure content distribution.
ANDRUBIS -- 1,000,000 Apps Later: A View on Current Android Malware Behaviors
TLDR
This paper presents ANDRUBIS, a fully automated, publicly available and comprehensive analysis system for Android apps that combines static analysis with dynamic analysis on both Dalvik VM and system level, as well as several stimulation techniques to increase code coverage.
...
1
2
3
4
...