
A Systematic Study of Android Non-SDK (Hidden) Service API Security [article]

Yi He, Yacong Gu, Purui Su, Kun Sun, Yajin Zhou, Zhi Wang, Qi Li
2022 arXiv   pre-print
In this paper, we systematically study the vulnerabilities due to the hidden API exploitation and analyze the effectiveness of Google's countermeasures.  ...  However, the developers can still figure out new ways of exploiting these hidden APIs to evade the non-SDK restrictions.  ...  CONCLUSION We systematically study the non-SDK service API security and focus on the vulnerabilities of bypassing service helpers and corresponding countermeasures in various Android versions.  ... 
arXiv:2203.09374v1 fatcat:z4xtohsoqjdp3puxqaqednzir4

Hidden in Plain Sight: Exploring Encrypted Channels in Android apps [article]

Sajjad Pourali, Nayanamana Samarasinghe, Mohammad Mannan
2022 arXiv   pre-print
In this study, we design and implement ThirdEye to significantly extend the visibility of current privacy analysis tools, in terms of the exposures that happen across various non-standard and covert  ...  Our findings can provide valuable insights into the evolving field of non-standard and covert channels, and help spur new countermeasures against such privacy leakage and security issues.  ...  We also appreciate the help we received from the members of Concordia's Madiba Security Research Group. The third author is supported in part by an NSERC Discovery Grant.  ... 
arXiv:2209.15107v1 fatcat:lyagga54tjffrnofj6mopivyva

Difuzer: Uncovering Suspicious Hidden Sensitive Operations in Android Apps [article]

Jordan Samhi, Li Li, Tegawendé F. Bissyandé, Jacques Klein
2022 arXiv   pre-print
In this work, we propose to investigate Suspicious Hidden Sensitive Operations (SHSOs) as a step towards triaging logic bombs.  ...  We evaluate our prototype and show that it yields a precision of 99.02% to detect SHSOs among which 29.7% are logic bombs.  ...  Hence, we performed a systematic mapping of the Android framework from SDK version 3 to 30 (versions 1 and 2 were unavailable) to gather a comprehensive list of source methods.  ... 
arXiv:2112.10470v2 fatcat:swwv7d7375aodhtqaq46txpv6q

Exploiting Android System Services Through Bypassing Service Helpers [chapter]

Yacong Gu, Yao Cheng, Lingyun Ying, Yemian Lu, Qi Li, Purui Su
2017 Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering  
In this paper, we perform the first systematic study on such vulnerabilities and investigate their impacts. We develop a tool to analyze all system services in the newly released Android system.  ...  Meanwhile, system services leverage the service helpers to enforce security mechanisms, e.g. input parameter validation, to protect themselves against attacks.  ...  In this paper, we perform a systematic study on the above security breaches related to service helper bypass.  ... 
doi:10.1007/978-3-319-59608-2_3 fatcat:pwtlflmqe5f3pex3jlx4tydj6e

On the (in)security of service APIs [article]

Martin Hristov Georgiev
Contributions and impact In this dissertation, we provide the first systematic study of service APIs exposed by today's systems.  ...  Our second contribution is a large-scale study of insecure usage of service APIs in modern applications and software packages.  ...  Service APIs must never be designed and implemented in an ad hoc manner. Instead, principled security mechanisms must be developed across all layers of the software stack.  ... 
doi:10.15781/t2d34b fatcat:bznhtaddivfyhchykatka4rx4m

On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis

Michael Backes, Sven Bugiel, Erik Derr, Patrick D. McDaniel, Damien Octeau, Sebastian Weisgerber
2016 USENIX Security Symposium  
We demonstrate the benefits of our insights for security-focused analysis of the framework by re-visiting the important use-case of mapping Android permissions to framework/SDK API methods.  ...  In contrast to the Android application layer, Android's application framework's internals and their influence on the platform security and user privacy are still largely a black box for us.  ...  , Privacy and Accountability (CISPA) and the initiative for excellence of the German federal government.  ... 
dblp:conf/uss/0001BDMOW16 fatcat:aejniabhxje23dkcoyaq4yjqvu

CiD: automating the detection of API-related compatibility issues in Android apps

Li Li, Tegawendé F. Bissyandé, Haoyu Wang, Jacques Klein
2018 Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis - ISSTA 2018  
This API thus evolves rapidly to meet new requirements for security, performance and advanced features, creating a race for developers to update apps.  ...  We propose in this paper an automated approach named CiD for systematically modelling the lifecycle of the Android APIs and analysing app bytecode to flag usages that can lead to potential compatibility  ...  [8], hidden Android APIs are also subject to removal or invasive changes due to the rapid evolution of Android systems.  ... 
doi:10.1145/3213846.3213857 dblp:conf/issta/0029BWK18 fatcat:ip75ikisrvgx5hw32fvs34wkf4

Understanding Malicious Cross-library Data Harvesting on Android

Jice Wang, Yue Xiao, Xueqiang Wang, Yuhong Nan, Luyi Xing, Xiaojing Liao, Jinwei Dong, Nicolás Serrano, Haoran Lu, XiaoFeng Wang, Yuqing Zhang
2021 USENIX Security Symposium  
Using a methodology that incorporates semantic analysis on an SDK's Terms of Services (ToS, which describes restricted data access and sharing policies) and code analysis on cross-library interactions,  ...  affect more than 19K apps with a total of 9 billion downloads.  ...  The authors of Indiana University are supported in part by Indiana University FRSP-SF and NSF CNS-1618493, 1801432 and 1838083.  ... 
dblp:conf/uss/WangXWNXLDSL0Z21 fatcat:shna4yft3nhcxn76hpitmzpihi

Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization

Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, Yuri Gurevich
2013 USENIX Security Symposium  
Our work focuses on systematically explicating implicit assumptions that are necessary for secure use of an SDK.  ...  We verified that many apps constructed with these SDKs (indeed, the majority of apps in our study) are vulnerable to serious exploits because of these implicit assumptions, and we built a prototype testing  ...  Yuchen Zhou was also supported in part by a Microsoft Research internship.  ... 
dblp:conf/uss/0010ZCQEG13 fatcat:g4gd7tol4bbnran7fnbicidfb4

The Misuse of Android Unix Domain Sockets and Security Implications

Yuru Shao, Jason Ott, Yunhan Jack Jia, Zhiyun Qian, Z. Morley Mao
2016 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS'16  
In this work, we conduct the first systematic study in understanding the security properties of the usage of Unix domain sockets by both Android apps and system daemons as an IPC (Inter-process Communication  ...  We propose a tool called SInspector to expose potential security vulnerabilities in using Unix domain sockets through the process of identifying socket addresses, detecting authentication checks, and performing  ...  This research was supported in part by the National Science Foundation under grants CNS-1318306 and CNS-1526455, as well as by the Office of Naval Research under grant N00014-14-1-0440.  ... 
doi:10.1145/2976749.2978297 dblp:conf/ccs/ShaoOJQM16 fatcat:7pt3xrfbvfhhdiemch55goqpqa
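The "authentication check" that SInspector looks for is the step a Unix-domain-socket server must do itself, because any local process that can reach the socket address (and on Android, abstract-namespace addresses carry no filesystem permissions at all) can connect. The following is an added example, not code from the paper or its tool: a minimal server that asks the kernel who the peer is via SO_PEERCRED and fails closed when that answer is unavailable or not on an allow-list. It assumes Linux (SO_PEERCRED); the socket path, the request string and the uid allow-list are constructed for the demonstration.

```python
"""Peer-credential check for a Unix domain socket service (added example).

Assumptions (not from the paper): the service listens on a filesystem
Unix socket; SO_PEERCRED (Linux) returns the peer's (pid, uid, gid).
Android daemons that bind an abstract address (b"\\0name") are in the
same position: the only thing separating them from every app on the
device is a check like is_authorized() below.
"""
import os
import socket
import struct
import tempfile
import threading


def peercred_supported():
    """True where the kernel can tell us who connected (Linux)."""
    return hasattr(socket, "SO_PEERCRED")


def current_uid():
    return os.getuid()


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer, or None if unsupported here.
    struct ucred is three C ints; SO_PEERCRED fills it for the accepted
    socket, so the values are kernel-asserted, not client-supplied."""
    if not peercred_supported():
        return None  # e.g. macOS would need LOCAL_PEERCRED instead
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def is_authorized(conn, allowed_uids):
    """Fail closed: unknown credentials count as unauthorized."""
    creds = peer_credentials(conn)
    return creds is not None and creds[1] in allowed_uids


def run_exchange(allowed_uids):
    """Spin up server and client in-process; return (server_decision, reply).

    The server answers b"ok\\n" only when the peer uid is on the allow-list;
    a daemon that skipped is_authorized() would answer every connecting
    process, which is the misuse class the paper studies."""
    path = os.path.join(tempfile.mkdtemp(), "svc.sock")  # constructed path
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    result = {}

    def server():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)  # request is irrelevant until the peer is known
            result["ok"] = is_authorized(conn, allowed_uids)
            conn.sendall(b"ok\n" if result["ok"] else b"denied\n")

    t = threading.Thread(target=server)
    t.start()
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    with cli:
        cli.connect(path)
        cli.sendall(b"GET_SECRET\n")  # constructed request
        reply = cli.recv(64)
    t.join()
    srv.close()
    os.unlink(path)
    return result["ok"], reply


if __name__ == "__main__":
    print("same uid   :", run_exchange({current_uid()}))
    print("other uid  :", run_exchange({current_uid() + 1}))
```

The uid is read from the accepted connection, not from anything the client sends, so a client cannot spoof it; on a platform without SO_PEERCRED the helper returns None and the request is refused rather than silently allowed.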

Detecting Malicious Collusion Between Mobile Software Applications: The Android™ Case [chapter]

Irina Măriuca Asăvoae, Jorge Blasco, Thomas M. Chen, Harsha Kumara Kalutarage, Igor Muttik, Hoang Nga Nguyen, Markus Roggenbach, Siraj Ahmed Shaikh
2017 Data Analytics and Decision Support for Cybersecurity  
Catesbeiana (Jr) for pointing out the importance of intention in malware analysis.  ...  Whereas the machine learning approach uses Android permissions to systematically assign the degree of collusion potential a set of apps may pose.  ...  Semantics for the Android APIs Regarding the semantics of the Android APIs which encompasses a rich set of predefined classes and methods, API classes and methods usually come together with Android OS  ... 
doi:10.1007/978-3-319-59439-2_3 fatcat:fd6dz47f7bbtpm5nz4bdu6q5ou

AndroZoo++: Collecting Millions of Android Apps and Their Metadata for the Research Community [article]

Li Li, Jun Gao, Médéric Hurier, Pingfan Kong, Tegawendé F. Bissyandé, Alexandre Bartel, Jacques Klein, Yves Le Traon
2017 arXiv   pre-print
We present a growing collection of Android apps collected from several sources, including the official Google Play app market and a growing collection of various metadata of those collected apps aiming  ...  Our objective of collecting this dataset is to contribute to ongoing research efforts, as well as to enable new potential research topics on Android Apps.  ...  Conclusion We have presented the AndroZoo dataset of millions of Android apps collected from various data sources and their metadata collected via various means.  ... 
arXiv:1709.05281v1 fatcat:fizz6iwbuvbehgckc5iexj3x2a

"Won't Somebody Think of the Children?" Examining COPPA Compliance at Scale

Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman
2018 Proceedings on Privacy Enhancing Technologies  
We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps.  ...  Worse, we observed that 19% of children's apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps.  ...  ) Protect the security or integrity of the user, Web site, or online service; (vi) Ensure legal or regulatory compliance; or (vii) Fulfill a request of a child as permitted by §312.5(c)(3) and (  ... 
doi:10.1515/popets-2018-0021 dblp:journals/popets/ReyesWRORVE18 fatcat:66ut7sv7tvectclwmttcr6eqdq

On the effectiveness of API-level access control using bytecode rewriting in Android

Hao Hao, Vicky Singh, Wenliang Du
2013 Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13  
We have provided a systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on the Android Operating System.  ...  This work is the first systematic study on the effectiveness of using bytecode rewriting for API-level access control.  ...  Our evaluation is performed based on the Android 4.0.3 [1] SDK. All case studies are tested on an Android 4.0.3 ARM emulator.  ... 
doi:10.1145/2484313.2484317 dblp:conf/ccs/HaoSD13 fatcat:geln44uynngopptsdqdne6y7ba

Associated Risks in Mobile Applications Permissions

Mohammed Al Jutail, Mousa Al-Akhras, Abdulaziz Albesher
2019 Journal of Information Security  
This research is supported by a study that was conducted on 100 participants in Saudi Arabia to show the level of users' awareness of associated risks in mobile applications permissions.  ...  Mobile applications affect user's privacy based on the granted application's permissions as attackers exploit mobile application permissions in Android and other mobile operating systems.  ...  Conflicts of Interest The authors declare no conflicts of interest regarding the publication of this paper.  ... 
doi:10.4236/jis.2019.102004 fatcat:beqzyupdjffe7ezdpdmtimk4rm