Exposing software security and availability risks for commercial mobile devices

R. Johnson, Zhaohui Wang, A. Stavrou, J. Voas
2013 2013 Proceedings Annual Reliability and Maintainability Symposium (RAMS)  
The advent of smaller, faster, and always connected handheld devices along with the ever-increasing reliance on technology for our everyday activities have introduced novel threats and risks. Beyond hardware security another primary factor that affects the reliability of the device is mobile applications. Indeed, the shift to smart commercially available mobile devices has created a pressing need for understanding the risks in using third-party mobile code running on the mobile devices. This
more » ... generation of smart devices and systems, including iPhone and Google Android, are powerful enough to accomplish most of the user tasks previously requiring a personal computer. In our paper, we discuss the cyber threats that stem from these new smart device capabilities and the on-line application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. In this manuscript, we present our efforts towards a framework for exposing the functionality of a mobile application through a combination of static and dynamic program analysis that attempts to explore all available execution paths including libraries. We verified our approach by testing a large number of Android applications with our dynamic analysis framework to exhibit its functionality and viability. The framework allows complete automation of the execution process so that no user input is required. We also discuss how our static analysis output can be used to inform the execution of the dynamic analysis. Our approach can serve as an extensible basis to fulfill other useful purposes such as symbolic execution, program verification, interactive debugger, and other approaches that require deep inspection of an Android application. In summary, we believe that our efforts are the beginning of a long journey to asserting and exposing the risks of commercially available mobile devices. Our future work will include non-Android platforms.
doi:10.1109/rams.2013.6517735 fatcat:2uoxcvx7snhehmyjp5sparagxm