Towards Automatic Generation of Security-Centric Descriptions for Android Apps

@inproceedings{Zhang2015TowardsAG,
  title={Towards Automatic Generation of Security-Centric Descriptions for Android Apps},
  author={Mu Zhang and Yue Duan and Qian Feng and Heng Yin},
  booktitle={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
  year={2015}
}
  • Mu Zhang, Yue Duan, Qian Feng, Heng Yin
  • Published 2015
  • Computer Science
  • Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

To improve the security awareness of end users, Android markets directly present two classes of literal app information: 1) permission requests and 2) textual descriptions. [...]

Key Method: We implement a prototype system, DescribeME, and evaluate our system using both DroidBench and real-world Android apps. Experimental results demonstrate that DescribeME enables a promising technique which bridges the gap between descriptions and permissions. A further user study shows that automatically produced descriptions…
Security-oriented view of app behaviour using textual descriptions and user-granted permission requests
TLDR: This paper proposes exploiting an enhanced app description to improve malware detection based on app descriptions and permissions, and shows that analysing sensitive permissions requested and UI textual descriptions provides a promising avenue for sustainable Android malware detection.

Catering to Your Concerns
TLDR: An innovative scheme to help users avoid malware and privacy-breaching apps by generating security descriptions that explain the privacy- and security-related aspects of an Android app in clear and understandable terms is developed.

Efficient Permission-Aware Analysis of Android Apps
TLDR: PATDroid, the last proposed approach in this dissertation, is intended to help app developers with this challenge and can significantly reduce the testing effort by performing a hybrid program analysis that determines which tests should be executed on which permission combinations.

Code Between the Lines: Semantic Analysis of Android Applications
TLDR: A machine learning-based system is introduced that is capable of generating natural language text describing the purpose and core functionality of Android apps based on their actual code, and that can predict precise, human-readable keywords and short phrases indicating the main use-cases apps are designed for.

Detecting Permission Over-claim of Android Applications with Static and Semantic Analysis Approach
TLDR: The evaluation results show the method can efficiently detect the above three kinds of permission over-claim problems, which indicates that the method would help normal users gain a clear understanding of permission usage in Android applications.

AutoPPG: Towards Automatic Generation of Privacy Policy for Android Applications
TLDR: A novel system named AutoPPG is proposed and developed to automatically construct correct and readable descriptions to facilitate the generation of privacy policies for Android applications; results indicate that the privacy policies constructed by the system usually reveal more operations related to users' private information than existing privacy policies.

Toward Automatically Generating Privacy Policy for Android Apps
TLDR: A novel system named AutoPPG is proposed and developed to automatically construct correct and readable descriptions to facilitate the generation of privacy policies for Android applications; results indicate that most developers who replied would like to use AutoPPG.

Static analysis of android apps: A systematic literature review
TLDR: The research community is still facing a number of challenges in building approaches that are aware altogether of implicit flows, dynamic code loading features, reflective calls, native code and multi-threading, in order to implement sound and highly precise static analyzers.

Systematic discovery of Android customization hazards
The open nature of the Android ecosystem has naturally laid the foundation for a highly fragmented operating system. In fact, the official AOSP versions have been aggressively customized into thousands…

GUILeak: Tracing Privacy Policy Claims on User Input Data for Android Applications
TLDR: This paper proposes a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims.

References

SHOWING 1-10 OF 53 REFERENCES
AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications
TLDR: This paper proposes a technique for automatic patch generation that, given a vulnerable Android app and a discovered component hijacking vulnerability, automatically generates a patch to disable the vulnerability; evaluation on 16 real-world vulnerable Android apps shows that the generated patches can effectively track and mitigate component hijacking vulnerabilities.

PScout: analyzing the Android permission specification
TLDR: An analysis of the permission system of the Android smartphone OS is performed, and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permission specification as the Android OS evolves.

Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps
TLDR: Amandroid's analysis is sound in that it can provide assurance of the absence of the specified security problems in an app, given well-specified and reasonable assumptions about the Android runtime system and its library.

CHEX: statically vetting Android apps for component hijacking vulnerabilities
TLDR: This paper proposes CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities, and prototypes CHEX on Dalysis, a generic static analysis framework built to support many types of analysis on Android app bytecode.

DexHunter: Toward Extracting Hidden Code from Packed Android Applications
TLDR: The first systematic investigation of packing services that protect Android apps by hiding the original executable (dex) file is performed, and a novel system named DexHunter is proposed and developed to extract dex files protected by these services.

FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps
TLDR: FlowDroid is presented, a novel and highly precise static taint analysis for Android applications that successfully finds leaks in a subset of 500 apps from Google Play and about 1,000 malware apps from the VirusShare project.

AsDroid: detecting stealthy behaviors in Android applications by user interface and program behavior contradiction
TLDR: This paper uses static program analysis to attribute a top-level function, usually a user interaction function, with the behavior it performs, and analyzes the text extracted from the user interface component associated with the top-level function to detect stealthy behavior.

Detecting Passive Content Leaks and Pollution in Android Applications
TLDR: The presence of a large number of vulnerable apps in popular Android markets, as well as the variety of private data exposed to leaks and manipulation, reflects the severity of these two vulnerabilities.

Effective Real-Time Android Application Auditing
TLDR: AppAudit is designed to rely on the synergy of static and dynamic analysis to provide effective real-time app auditing; it serves as an effective tool to identify data-leaking apps and provides implications for designing promising runtime techniques against data leaks.

Contextual Policy Enforcement in Android Applications with Permission Event Graphs
TLDR: This work centres on a new abstraction of Android applications, called a Permission Event Graph, which is constructed with static analysis and queried using model checking, and can detect, or prove the absence of, malicious behaviour beyond the reach of existing techniques.