Steve Hanna scite author profile

Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy-and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.

show abstract

A Symbolic Execution Framework for JavaScript

Saxena

et al. 2010

View full text Add to dashboard Cite

Abstract-As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code's complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.

show abstract

A survey of mobile malware in the wild

et al. 2011

View full text Add to dashboard Cite

Juxtapp: A Scalable System for Detecting Code Reuse among Android Applications

et al. 2013

View full text Add to dashboard Cite

Abstract. Mobile application markets such as the Android Marketplace and the Amazon Android store provide a centralized showcase of applications that end users can purchase or download for free onto their mobile phones. Despite the influx of applications to the markets, applications are either largely unreviewed or only cursorily reviewed by marketplace maintainers due to the vast number of submissions; furthermore, they rely on user policing and reporting to detect misbehaving applications. This reactive approach to application security, especially when programs can contain bugs, malware, or pirated (inauthentic) code, puts too much responsibility on the end users. In light of this, we propose Juxtapp, a scalable infrastructure for code similarity analysis among Android applications. Juxtapp provides a key solution to a number of problems in Android security, including determining if apps contain copies of buggy code, have significant code reuse that indicates piracy, or are instances of known malware. We evaluate our system using more than 58,000 Android applications and demonstrate that our system scales well and is effective. Our results show that Juxtapp is able to detect: 1) 463 applications with confirmed buggy code reuse of Google-provided sample code that lead to serious vulnerabilities in real-world apps, 2) 34 instances of known malware and variants (including 13 distinct variants of the GoldDream malware), and 3) pirated variants of a popular paid game.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Steve Hanna

Android permissions demystified

A Symbolic Execution Framework for JavaScript

A survey of mobile malware in the wild

Juxtapp: A Scalable System for Detecting Code Reuse among Android Applications

Contact Info

Product

Resources

About