Slide 1

Paper Summary on Mobile Security in 2013
Discovering new research topics
Bob Mingshen Sun, [email protected]
October 30, 2014

Slide 2

Conference Coverage
- 0 papers in S&P 14 (May 19-22)
- 5 papers in USENIX Sec 14 (Aug 14-16)
- 5 papers in CCS 14 (Nov 4-8)
- 5 papers in ACSAC 14 (Aug 14-16)
Bob (CUHK) Paper Summaries October 30, 2014 2 / 93

Slide 3

Summary Template
- Take-away Message: one take-away message.
- Motivation: Why doesn't the people problem / technical problem have a trivial solution? What are the previous solutions, and why are they inadequate?
- Proposed Solution: Why is it believed it will work? How does it represent an improvement? How is the solution achieved?
- Evaluation: What logic, argument, evidence, artifacts (e.g., a proof-of-concept system), or experiments are presented in support of the idea?
- Analysis: Is this a good idea? What flaws do you perceive in the work? What are the most interesting or controversial ideas? For work that has practical implications, ask whether this will work, who would want it, what it will take to give it to them, and when it might become a reality.
- Contributions: Ideas, methods, software, experimental results, experimental techniques...?
- Directions: the authors' and yours, perhaps driven by shortcomings or other critiques.
- Questions: What questions would you like to raise in an open discussion of the work (review the interesting and controversial points above)? What do you find difficult to understand? List as many as you can.

Slide 4

Outline I
1 USENIX Security '13
  - Securing Embedded User Interfaces: Android and Beyond
  - Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications
  - Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies
  - WHYPER: Towards Automating Risk Assessment of Mobile Applications
  - Jekyll on iOS: When Benign Apps Become Evil
2 CCS '13
  - The Impact of Vendor Customizations on Android Security
  - Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
  - Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
  - Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis
  - AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
3 ACSAC '13

Slide 5

Outline II
3 ACSAC '13 (continued)
  - PatchDroid: Scalable Third-Party Security Patches for Android Devices
  - AFrame: Isolating Advertisements from Mobile Applications in Android
  - The Man Who Was There: Validating Check-ins in Location-Based Services
  - FireDroid: Hardening Security in Almost-Stock Android

Slide 6

Securing Embedded User Interfaces: Android and Beyond [1]
Take-away Message: The authors implement a modified Android system (LayerCake) to tackle the security issues of embedded user interfaces.
[1] Franziska Roesner and Tadayoshi Kohno. “Securing embedded user interfaces: Android and beyond”. In: Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013, pp. 97–112.

Slide 7

Securing Embedded User Interfaces: Android and Beyond
Background: Embedded user interfaces. Embedded third-party UIs are common on websites and in smartphone apps.

Slide 8

Securing Embedded User Interfaces: Android and Beyond
Security and Embedding
- Browsers provide secure isolation between an embedding page and embedded content. Android does not.
- Third-party libraries run in the app's context.
- There is no true cross-application UI embedding.

Slide 9

Securing Embedded User Interfaces: Android and Beyond
Motivation: Android does not have secure embedded user interfaces; we need to redesign secure embedded interfaces from scratch.
Proposed Solution: Modify the Android system and add an embedded activity to achieve process isolation between the application and the embedded view.
- Managing windows.
- Handling focus.
- Supporting cross-principal APIs.
- Handling size conflicts.
- Support for clickjacking prevention. A malicious application may make a sensitive UI element transparent or very small, obscure it, or scroll it off-screen. Conditions checked: covered, not the minimum requested size, not fully visible; preventing ancestor redirection.
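The clickjacking conditions listed above, worked through as an input-delivery gate for an embedded sensitive view. This is an added example, not LayerCake's code: the Rect/EmbeddedView types, the violation names and the sample geometry are assumptions constructed here, and ancestor redirection is not modelled.

```python
"""Input-gating checks for an embedded sensitive view (added example).

A host app must not be able to make an embedded, security-relevant view
transparent, tiny, covered, or partly scrolled off-screen and still have
clicks delivered to it. Types and thresholds below are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int   # exclusive
    bottom: int  # exclusive

    def width(self) -> int:
        return max(0, self.right - self.left)

    def height(self) -> int:
        return max(0, self.bottom - self.top)

    def contains(self, other: "Rect") -> bool:
        return (self.left <= other.left and self.top <= other.top
                and other.right <= self.right and other.bottom <= self.bottom)

    def intersects(self, other: "Rect") -> bool:
        return (self.left < other.right and other.left < self.right
                and self.top < other.bottom and other.top < self.bottom)


@dataclass
class EmbeddedView:
    bounds: Rect              # where the embedded view is laid out on screen
    alpha: float              # 1.0 = fully opaque
    min_width: int            # minimum size the embedded principal requested
    min_height: int
    screen: Rect              # visible display area (also models parent clipping)
    overlays: List[Rect] = field(default_factory=list)  # host-drawn windows above it


def input_violations(view: EmbeddedView) -> Set[str]:
    """Return the set of conditions under which input must not be delivered.

    An empty set means the view is opaque, at least as large as requested,
    fully on screen and not covered by anything the host controls.
    """
    problems: Set[str] = set()
    if view.alpha < 1.0:
        problems.add("transparent")
    if view.bounds.width() < view.min_width or view.bounds.height() < view.min_height:
        problems.add("below_minimum_size")
    if not view.screen.contains(view.bounds):
        problems.add("not_fully_visible")   # scrolled or clipped off-screen
    if any(view.bounds.intersects(o) for o in view.overlays):
        problems.add("covered")
    return problems


def deliver_click(view: EmbeddedView, x: int, y: int) -> bool:
    """Gate a click at (x, y): deliver only if it lands inside the view
    and none of the clickjacking conditions hold."""
    inside = (view.bounds.left <= x < view.bounds.right
              and view.bounds.top <= y < view.bounds.bottom)
    return inside and not input_violations(view)


# Constructed sample: a 200x60 "share location" gadget that asked for >= 160x48.
SCREEN = Rect(0, 0, 720, 1280)
HONEST = EmbeddedView(Rect(100, 900, 300, 960), 1.0, 160, 48, SCREEN)
# Same gadget after the host shrank it, faded it and slid a window over half of it.
TAMPERED = EmbeddedView(Rect(100, 900, 220, 930), 0.2, 160, 48, SCREEN,
                        overlays=[Rect(0, 915, 720, 1000)])
# Same gadget scrolled so that its right edge is past the display.
OFFSCREEN = EmbeddedView(Rect(600, 900, 800, 960), 1.0, 160, 48, SCREEN)

if __name__ == "__main__":
    for name, v in (("honest", HONEST), ("tampered", TAMPERED), ("offscreen", OFFSCREEN)):
        print(name, sorted(input_violations(v)))
```

A check made only at click time still leaves a window for last-moment layout changes, so a production gate also has to account for how recently these properties changed.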

Slide 10

Securing Embedded User Interfaces: Android and Beyond
Evaluation
- Case studies.
- Performance: loading time and event dispatching time.
Contributions: The authors implement the system (LayerCake), which provides additional security properties and capabilities:
- Isolated embedded UI.
- Secure WebViews.
- Access control gadgets.

Slide 11

Securing Embedded User Interfaces: Android and Beyond
Directions: If a modified Android system can provide lots of security benefits, we can also work on it.
Questions
- Will the system benefit the Android security community?
- Is it easy to write applications on this modified system?

Slide 12

Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications [2]
Take-away Message: The authors design a static analysis algorithm to automatically mediate (add, delete) the permission prompt code in Windows Phone projects.
[2] Benjamin Livshits and Jaeyeon Jung. “Automatic mediation of privacy-sensitive resource access in smartphone applications”. In: Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013, pp. 113–130.

Slide 13

Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications
Background: Unlike Android, the permission mechanism in Windows Phone relies on the developer manually adding prompt code before calling sensitive APIs.
Motivation: Coding problem: proper protection, partial protection, no protection. The current practice often fails to provide adequate privacy protection.

Slide 14

Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications
Proposed Solution: The algorithm formulates the problem as a prompt placement problem and solves it so that the placement satisfies the following conditions: safe, visible, frugal and not-repetitive. There are two approaches:
- Dominator-based approach.
- Backward placement.
Checking for existing prompts.
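The two placement approaches, worked through on small control-flow graphs. This is an added example, not the paper's implementation: the CFG encoding (a dict of successor lists, with an exit being a node without successors), the sample graphs and the function names are assumptions constructed here.

```python
"""Prompt placement on a control-flow graph (added example, not the paper's code).

First try a single prompt at the deepest common dominator of all accesses to a
resource: it is safe (every path to an access passes it) and not-repetitive
(one prompt) by construction, so only visibility needs checking. If that
prompt could be shown on a path that never accesses the resource, fall back to
backward placement: a prompt right before each access that is not already
dominated by another access.
"""
from typing import Dict, Iterable, List, Set, Tuple

CFG = Dict[str, List[str]]


def dominators(cfg: CFG, entry: str) -> Dict[str, Set[str]]:
    """Iterative dataflow: Dom(n) = {n} ∪ ⋂ Dom(p) over predecessors p."""
    nodes = list(cfg)
    preds: Dict[str, Set[str]] = {n: set() for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def every_path_reaches(cfg: CFG, start: str, targets: Set[str]) -> bool:
    """Visibility check: does every path from `start` hit a target before the
    program exits? Reaching an exit node (no successors) without passing a
    target means the prompt would be shown to a user who never needed it."""
    if start in targets:
        return True
    seen, stack = {start}, [start]
    while stack:
        n = stack.pop()
        if not cfg[n]:
            return False
        for s in cfg[n]:
            if s not in targets and s not in seen:
                seen.add(s)
                stack.append(s)
    return True


def place_prompts(cfg: CFG, entry: str, accesses: Iterable[str]) -> Tuple[Set[str], str]:
    """Return (nodes that get a prompt, strategy used)."""
    accesses = set(accesses)
    dom = dominators(cfg, entry)
    # The common dominators of all accesses form a chain in the dominator
    # tree; the deepest one is the one with the largest dominator set.
    common = set.intersection(*(dom[a] for a in accesses))
    deepest = max(common, key=lambda d: len(dom[d]))
    if every_path_reaches(cfg, deepest, accesses):
        return {deepest}, "dominator"
    # Backward placement: prompt before each access, dropping accesses that
    # another access already dominates (that prompt would simply repeat).
    needed = {a for a in accesses
              if not any(b != a and b in dom[a] for b in accesses)}
    return needed, "backward"


# Constructed sample 1: both branches read the location, so one prompt at the
# branch point covers both and is never shown needlessly.
CFG_BOTH_BRANCHES: CFG = {
    "entry": ["check"], "check": ["map", "weather"],
    "map": ["join"], "weather": ["join"], "join": [],
}
# Constructed sample 2: only some paths read the location, so hoisting the
# prompt to the entry would prompt users who never share it.
CFG_CONDITIONAL: CFG = {
    "entry": ["read_gps", "browse"], "read_gps": ["join"], "browse": ["join"],
    "join": ["more"], "more": ["read_gps_again", "exit"],
    "read_gps_again": ["exit"], "exit": [],
}

if __name__ == "__main__":
    print(place_prompts(CFG_BOTH_BRANCHES, "entry", {"map", "weather"}))
    print(place_prompts(CFG_CONDITIONAL, "entry", {"read_gps", "read_gps_again"}))
```

On the conditional sample the backward placement can still prompt twice along the path through both accesses; that is the gap the slide's "checking for existing prompts" step closes, at the cost of a runtime check.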

Slide 15

Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications
Evaluation
- Input statistics (processed methods, nodes).
- Results of applying the analysis (succeeded #, failed #, dominator-based #, backward #).
- Performance analysis.
Contributions
- A study of resource access prompts in existing applications.
- Two static analysis algorithms for correct prompt placement.

Slide 16

Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications
Directions: Some static methods can help developers avoid coding mistakes that lead to security problems or battery consumption.
Questions
- Why not add policy enforcement at the system level, like iOS?
- The study uses a compiler algorithm to solve the security problem. But I think the motivation and the issues to be solved are not so compelling.

Slide 17

Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies [3]
Take-away Message: The paper proposes a system (FlaskDroid), a modified Android system. FlaskDroid provides mandatory access control (MAC) based on SELinux.
[3] Sven Bugiel, Stephan Heuser, and Ahmad-Reza Sadeghi. “Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies”. In: 22nd USENIX Security Symposium (USENIX Security ’13). USENIX, 2013.

Slide 18

Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies
Motivation
- Almost all proposals for security extensions to Android constitute MAC mechanisms that are tailored to the specific semantics of the addressed problem.
- Current MAC systems operate only at a specific layer (application layer or kernel layer). There is no generic MAC system covering both the application layer and the kernel layer.
- Mobile systems need a higher security standard than PCs.

Slide 19

Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies
Proposed Solution
- Modify the Android system to achieve the architecture shown on the right.
- Extend SELinux's policy semantics for type enforcement.

Slide 20

Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies
Evaluation
- Root exploits.
- Malicious apps executed by root.
- Over-privileged and information-stealing apps.
- Sensory malware.
- Confused deputy and collusion attacks.
Contributions: the FlaskDroid system, an extensible policy language.

Slide 21

Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies
Directions: Complex system, lots of engineering work.
Questions: I think the system is too complex to use in a normal implementation. The newly designed policy language is very hard for developers. What's the practical usage of the system?

Slide 22

WHYPER: Towards Automating Risk Assessment of Mobile Applications [4]
Take-away Message: The paper presents a system, WHYPER, which uses Natural Language Processing (NLP) techniques to identify sentences that describe the need for a given permission in an application description.
[4] Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie. “WHYPER: towards automating risk assessment of mobile applications”. In: Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013, pp. 527–542.

Slide 23

WHYPER: Towards Automating Risk Assessment of Mobile Applications
Background: What does the user expect? Examples: GPS Tracker, Phone-Call Recorder, One-Click Root.
Motivation: Bridging the semantic gap between what the user expects an application to do (application description) and what it actually does (permission usage).

Slide 24

WHYPER: Towards Automating Risk Assessment of Mobile Applications
Proposed Solution
- Preprocessor: period handling, sentence boundaries, named entity handling and abbreviation handling.
- NLP Parser: Stanford Parser.
- Intermediate-representation generator: First-Order Logic (FOL).
- Semantic Graph Generator: API docs -> semantic graphs.
- Semantic Engine: FOL + semantic graphs -> determine whether a sentence describes the need for a permission.

Slide 25

WHYPER: Towards Automating Risk Assessment of Mobile Applications
Evaluation
- TP, FP, TN, FN; precision, recall and F-score.
- How effective is it compared to keyword-based searching?
Contributions
- WHYPER uses NLP techniques to bridge the semantic gap.
- 581 applications containing 10,000 sentences; substantial improvement.

Slide 26

WHYPER: Towards Automating Risk Assessment of Mobile Applications
Directions: Using basic techniques to solve security problems can lead to a novel idea. But we should be clear about the motivation (the security problems).
Questions
- Did this system help you find zero-day malware or existing malware in the wild?
- Can this method work on Chinese descriptions?

Slide 27

Jekyll on iOS: When Benign Apps Become Evil [5]
Take-away Message: The authors craft Jekyll apps that can be remotely exploited to introduce malicious control flows by rearranging code on iOS. Jekyll apps can bypass Apple's review mechanism.
[5] Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. “Jekyll on iOS: when benign apps become evil”. In: Proceedings of the 22nd USENIX conference on Security. USENIX Association, 2013, pp. 559–572.

Slide 28

Jekyll on iOS: When Benign Apps Become Evil
Background
- Public APIs, private APIs.
- App signing.
Motivation: Apple adopts mandatory app review and code signing mechanisms to ensure the security of apps on iOS. The result is very good, and malware rarely appears on the App Store thanks to these mechanisms. Are there any methods that can bypass the app review? If yes, why does this happen? Can we provide a better architecture?

Slide 29

Jekyll on iOS: When Benign Apps Become Evil
Proposed Solution (Attack Design): Motivating example explained in the figures on the right.
- A normal application is planted with vulnerabilities and hides code gadgets.
- Jekyll apps pass Apple's app review and are published on the App Store.
- The attacker exploits the vulnerabilities and assembles the gadgets in a particular order to perform malicious operations.
Challenges: ASLR, crafting the vulnerability, hiding gadgets.

Slide 30

Jekyll on iOS: When Benign Apps Become Evil
Evaluation
- Posting tweets and sending email and SMS.
- Camera, Bluetooth, device ID, and dialing.
- Exploiting kernel vulnerabilities.
- Trampoline attack.
Contributions: A novel attack method on iOS that can pass App Review. Experiments.

Slide 31

Jekyll on iOS: When Benign Apps Become Evil
Directions: A research direction on finding unrevealed vulnerabilities. The discovery should have great impact on the industry or represent a new type of attack. Android vulnerabilities? The inconsistent programming issue between Java and native code (e.g., Master Key bugs).
Questions
- iOS 7?
- How to figure out the vulnerabilities and exploit them? (ROP attacks?)

Slide 32

The Impact of Vendor Customizations on Android Security [6]
Take-away Message: The authors perform provenance analysis, permission usage analysis and vulnerability analysis on the customized Android OS from four different vendors. The results have an impact on the current smartphone industry.
[6] Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, and Xuxian Jiang. “The Impact of Vendor Customizations on Android Security”. In: Proceedings of the 20th ACM Conference on Computer and Communications Security. CCS, 2013.

Slide 33

The Impact of Vendor Customizations on Android Security
Motivation: Most phones on the market are customized by vendors. Vendor customizations inherently impact Android security. The authors want to study vendor customizations on stock Android devices and assess the impact on overall Android security.
Proposed Solution
- Provenance analysis: AOSP app, vendor app, third-party app.
- Permission usage analysis compares the permissions requested by the app: the permission overprivilege problem.
- Vulnerability analysis: permission re-delegation attacks and content leaks.

Slide 34

The Impact of Vendor Customizations on Android Security
Evaluation: Ten customized systems from five vendors (Samsung, HTC, LG, Sony, Google).
- Statistics of the distribution of AOSP apps, vendor apps and third-party apps.
- % of overprivileged apps among all pre-loaded apps.
- % of vulnerable apps among all apps.
- Two case studies: Samsung Galaxy S3 (wipe data) and LG Optimus P880 (reboot and account leak).

Slide 35

The Impact of Vendor Customizations on Android Security
Contributions: Systematically analyze the security impact of customized systems from different vendors. The most attractive contribution is the set of discoveries in the table below.

Slide 36

The Impact of Vendor Customizations on Android Security
Directions: The same study can be applied to third-party ROMs. The impact of third-party ROMs will be smaller than that of vendors, but there may be more interesting discoveries: more severe security problems.
Questions: How long does it take to determine a vulnerability using the tools mentioned in the paper? If a long time, then why?

Slide 37

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation [7]
Take-away Message: The study analyzes the mobile cross-origin risk and proposes a protection mechanism called Morbs. Morbs labels every message with origin information and enforces policies based on origins.
[7] Rui Wang, Luyi Xing, XiaoFeng Wang, and Shuo Chen. “Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation”. In: Proceedings of the 20th ACM Conference on Computer and Communications Security. CCS, 2013.

Slide 38

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Background: Mobile communication channels
- Intent (key-value data).
- URL scheme: youtube://watch?token=xxx
- Web-accessing utility classes: WebView, UIWebView.
Motivation: Unauthorized origin crossing is related to prior research problems: the confused deputy problem, the permission re-delegation problem, and cross-site request forgery (CSRF) attacks. However, prior studies aim at protecting mobile devices; the general problem has not been dug into more deeply. Private Activity? Other channels?

Slide 39

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Attacks
- Exploiting the Intent channel.
- Abusing the scheme channel.
- Attacks on web-accessing utility classes.

Slide 40

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Exploiting the Intent Channel: Next Intent (Android).

Slide 41

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Intent Channel: Next Intent (Android) - attacks on Facebook & Dropbox.
Vendor responses: complicated; $5000 bounty; 100GB.

Slide 42

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Abusing the scheme channel: Fbconnect (Android).

Slide 43

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Abusing the scheme channel: invoking apps from the web (Android and iOS).
Login CSRF attacks on the Dropbox iOS SDK.

Slide 44

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Abusing the scheme channel: invoking apps from the web (Android and iOS).
Bypassing Facebook's app authentication mechanism.

Slide 45

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Attacks on web-accessing utility classes
- Exploiting callbacks (WebView in iOS).
- Exploiting header attachment (HttpClient in Android).

Slide 46

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Proposed system: Morbs (policy checking).

Slide 47

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Evaluation
- Effectiveness (examples).
- Performance (Morbs operation; impact of the policy check on different channels).
- Compatibility and developer effort (comparison between fixing the problems without Morbs and with Morbs).

Slide 48

Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
Contributions: problems, system, evaluation.
Directions: Try to figure out the security problems of apps and systems.
Question: The problem is brought about by the new communication mechanisms (intent, scheme) in mobile systems. Are there any communication designs that can defend against these security problems without modifying the current architecture/system?

Slide 49

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources [8]
Take-away Message: In this paper, the authors discovered three unexpected channels of information leaks on Android. What can a malicious app still learn about the user's private information without any permissions at all?
[8] Xiaoyong Zhou, Soteris Demetriou, Dongjing He, Muhammad Naveed, Xiaorui Pan, XiaoFeng Wang, Carl A. Gunter, and Klara Nahrstedt. “Identity, location, disease and more: inferring your secrets from Android public resources”. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013, pp. 1017–1028.

Slide 50

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Motivation: Assuming that Android's security design has been faithfully implemented and apps are well protected by their developers, what can a malicious app still learn about the user's private information without any permissions at all?

Slide 51

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Attacks
- Usage monitoring and analysis.
- Identity inference.
- Health and investment.
- Location inference.
- Driving route inference.

Slide 52

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Usage monitoring and analysis
- /proc/uid_stat/[uid]/tcp_rcv and /proc/uid_stat/[uid]/tcp_snd record the total numbers of bytes received and sent by a specific app, respectively.
- Stealthy and real-time monitoring: continuously read tcp_rcv and tcp_snd of a target app to record the increments in their values.
- Analyze a target app's behavior offline to generate a payload-sequence signature for the behavior.

Slide 53

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Identity inference: Twitter
- Fingerprinting the tweeting event using the TCP payload sequence.
- Timestamp + location (next slide) + Twitter API = identity.

Slide 54

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Health and investment: application finite state machine.

Slide 55

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Finding where you are: location inference
- BSSID-based geo-location.
- /proc/net/arp and /proc/net/wireless expose ARP parameters.
- BSSID: the gateway's MAC address -> MAC of the wireless switch/router.
- Google, Skyhook and Navizon collect the BSSIDs of public Wi-Fi hotspots to support location-based services.

Slide 56

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Knowing where you go: driving route inference
- Assumption: driving with turn-by-turn voice guidance.
- Speaker usage information: speech-length sequences.

Slide 57

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Solutions
- Mitigation strategies.
- Enforcement framework.

Slide 58

Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
Evaluation
- Experimental results: https://sites.google.com/site/sidedroid/
- Geo-location with a single BSSID evaluation.
- FP, TP.
Contributions: Reveals what private information a zero-permission application can steal.
Directions: Any new attack methods.
Questions: Is it difficult to figure out the TCP payload sequence produced by a certain behavior?

Slide 59

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis [9]
Take-away Message: TaintDroid + permission usage.
[9] Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X. Sean Wang, and Binyu Zang. “Vetting undesirable behaviors in Android apps with permission use analysis”. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013, pp. 611–622.

Slide 60

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis
Motivation: TaintDroid: tracking how apps use sensitive information required integrating the software into the Android platform at a low level by tainting variables. Which variable should I taint? And how did the privacy leak happen?

Slide 61

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis
Solutions: Explicit permission use points (E-PUP), implicit permission use points (I-PUP). Permission use behavior is a function call graph based on E-PUPs and I-PUPs.

Slide 62

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis
- E-PUP identifier.
- I-PUP tracker: 1. delivery point; 2. permission-based taint analysis.
- Application driver: Monkey.
- Behavior profiler: fine-grained permission model -> an application usually needs to use multiple permissions together to accomplish a meaningful behavior.

Slide 63

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis
Prototype, Evaluation
- Based on TaintDroid (Android 2.3).
- Two real-world malware studies: malicious behavior analysis, system call trace comparison.
- Vetting market apps: comparison between TaintDroid and VetDroid on information leakage.
- Performance overhead evaluation: 80%, 238%.

Slide 64

Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis
Contributions: VetDroid can help analysts find privacy leakage easily, building on TaintDroid.
Directions: There is still room to improve the dynamic analysis system.
Questions: Can VetDroid analyze private data that goes through native libraries?

Slide 65

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection [10]
Take-away Message: AppIntent uses an event-space constraint guided symbolic execution technique, which effectively reduces the event search space.
[10] Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, and X. Sean Wang. “AppIntent: Analyzing sensitive data transmission in Android for privacy leakage detection”. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013, pp. 1043–1054.

Slide 66

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
Motivation: Existing symbolic execution focuses only on non-interactive programs and suffers from the path explosion problem.
Proposed Solution: Event-space constraint guided symbolic execution.

Slide 67

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
Construction of the event-space constraint graph
- Extracting critical events: backward traversal of the call graph.
- Extracting essential events: construct the life cycle in an application.
Guided symbolic execution.

Slide 68

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
Dynamic analysis platform: AppIntent uses InstrumentationTestRunner, which can:
- Automatically trigger event inputs.
- Automatically provide data inputs.
- Highlight activated views of GUI events.
- Highlight sensitive data reads and transmission.

Slide 69

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
Evaluation
- Effectiveness of event-space constraint guided symbolic execution: full graph vs. event-space constraint graph.
- Effectiveness in analyzing sensitive data transmission: malicious apps / Google Play. Findings: ID/phone number, logging system.
- Analysis time.
- Case study.

Slide 70

AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection
Contributions
- Event-space constraint guided symbolic execution technique.
- Dynamic triggering using Instrumentation.
Directions: Using the technique in other fields to solve security problems is a good direction.
Questions
- How to extract the sensitive data transmission path?
- How do you deal with input data that does not come from UI interaction (e.g., timing, network, sensors)?

Slide 71

PatchDroid: Scalable Third-Party Security Patches for Android Devices [11]
Take-away Message: PatchDroid uses hooking techniques to deliver scalable third-party security patches for Android devices.
[11] Collin Mulliner, Jon Oberheide, William Robertson, and Engin Kirda. “PatchDroid: Scalable Third-Party Security Patches for Android Devices”. In: Proceedings of the 2013 Annual Computer Security Applications Conference, 2013.

Slide 72

PatchDroid: Scalable Third-Party Security Patches for Android Devices
Motivation: Because Android upgrades quickly, the motivation is to fix security vulnerabilities in Android devices that are no longer supported by the manufacturer and mobile network operator: roll out third-party security fixes.

Slide 73

PatchDroid: Scalable Third-Party Security Patches for Android Devices
Proposed Solution

Slide 74

PatchDroid: Scalable Third-Party Security Patches for Android Devices
Proposed Solution
- Patching native code: function replacement; fixing via function proxy; failed return value checking.
- Patching Dalvik bytecode.

Slide 75

PatchDroid: Scalable Third-Party Security Patches for Android Devices
Evaluation
- Functional evaluation.
- Performance overhead: ZygoteBench measures the time it takes zygote to create a new process on an Android device.
- User trials: 14 different models.
- Master Key bug (case study).

Slide 76

PatchDroid: Scalable Third-Party Security Patches for Android Devices

Contributions:
- PatchDroid: distributing and applying third-party patches for security vulnerabilities
- In-memory patching
- Evaluation

Direction: In which other research areas could hooking be applied?

Question: Does supporting different phone models require a lot of engineering work?

Slide 77

AFrame: Isolating Advertisements from Mobile Applications in Android [12]

Take-away Message: Modify the Android system to isolate advertisements from the host application.

[12] Xiao Zhang, Amit Ahlawat, and Wenliang Du. “AFrame: Isolating Advertisements from Mobile Applications in Android”. In: Proceedings of the 2013 Annual Computer Security Applications Conference. 2013.

Slide 78

AFrame: Isolating Advertisements from Mobile Applications in Android

Motivation: When an application is installed, the advertisement library and the host application have the same privileges, because they run in the same process and the system cannot separate them.

AdSplit (prior work):
- separate application/activity
- transparency technique
- clickjacking
- overhead in drawing
- requires a stub library inside each application

The inspiration comes from the browser's iframe.

Slide 79

AFrame: Isolating Advertisements from Mobile Applications in Android

Proposed Solution: AFrame (Activity Frame)
- From the user perspective: transparent to end users.
- From the developer perspective: easy to develop; permission assignments.
- From the system perspective: process isolation, permission isolation, input isolation, display (output) isolation.

Design and implementation: modify the Package Manager Service (PMS) and the hardware abstraction layer (HAL).

Slide 80

AFrame: Isolating Advertisements from Mobile Applications in Android

Evaluation:
- Privilege isolation
- Compatibility with various advertising libraries
- Performance: system and application overhead

Slide 81

AFrame: Isolating Advertisements from Mobile Applications in Android

Contributions: AFrame is a modified Android system that can isolate advertisements. It is easy to use from both the user's and the developer's perspective.

Direction: Both this paper and the CCS paper solve the advertisement isolation problem, but both need to modify the Android system. Is this problem still non-trivial? Can hooking be used to solve it instead?

Question: Will Google use this method in the next release to isolate advertising libraries? Why or why not? Are there any constraints on the system?

Slide 82

The Man Who Was There: Validating Check-ins in Location-Based Services [13]

Take-away Message: This paper uncovers the check-in cheating detection mechanisms of two services and demonstrates that both services are still vulnerable. It then implements a system that employs NFC hardware to eliminate fake-location attacks.

[13] Xiao Zhang, Amit Ahlawat, and Wenliang Du. “AFrame: Isolating Advertisements from Mobile Applications in Android”. In: Proceedings of the 2013 Annual Computer Security Applications Conference. 2013.

Slide 83

The Man Who Was There: Validating Check-ins in Location-Based Services

Motivation:
- An important aspect of LBS: venues attract customers by providing special offers for their mayor (the venue's most frequent visitor).
- Fake check-ins have a negative impact on the system and deter users from participating.
- Cheating detection mechanism of Foursquare.

Slide 84

The Man Who Was There: Validating Check-ins in Location-Based Services

Attacks: Foursquare
- GPS distance
- High speed
- Rapid fire

Experimental Results:
- Inconsistent triggering
- Inconsistent non-triggering

Slide 85

The Man Who Was There: Validating Check-ins in Location-Based Services

Attacks: Facebook Places
- For every venue, the user checks in with the same location coordinates, regardless of the venue's location.

Experimental Results:
- An attacker can completely bypass the travelling-speed constraints and check into venues around the globe at unlimited speed.

Slide 86

The Man Who Was There: Validating Check-ins in Location-Based Services

Proposed Solution:
- Validating user location: QR code, NFC
- Adapt existing detection mechanisms
- Implement NFC
- Design a data exchange protocol using asymmetric encryption.

Evaluation: security analysis and performance analysis.

Slide 87

The Man Who Was There: Validating Check-ins in Location-Based Services

Contributions:
- Reveals the LBS attacks.
- Proposes a system.

Direction: Are there other rewarding systems on Android? Can we find vulnerabilities in them?

Question: It requires an NFC reader in every venue, which is infeasible.

Slide 88

FireDroid: Hardening Security in Almost-Stock Android [14]

Take-away Message: FireDroid uses ptrace to attach to Zygote in order to enforce security policies.

[14] Xiao Zhang, Amit Ahlawat, and Wenliang Du. “AFrame: Isolating Advertisements from Mobile Applications in Android”. In: Proceedings of the 2013 Annual Computer Security Applications Conference. 2013.

Slide 89

FireDroid: Hardening Security in Almost-Stock Android

Motivation:
- It does not require recompiling any part of the Android system.
- It supports enterprise security management: security administrators can define security policies to be enforced on the devices without relying on the device's user.

Slide 90

FireDroid: Hardening Security in Almost-Stock Android

Proposed Solution: FireDroid, ptrace-based
- PEP: policy enforcement point
- PDP: policy decision point
- PR: policy repository
- PAP: policy administration point
- GPR: global policy repository
- RPM: remote policy manager

Slide 91

FireDroid: Hardening Security in Almost-Stock Android

FireDroid Policies: FireDroid designs a policy language and its syntax. Policy categories:
- Financial charges
- Information harvesting
- Vulnerabilities
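An added example (not FireDroid's code) of how a ptrace-based PEP connects a system call to a PDP decision, the point the question on the last slide finds obscure in the paper. The single rule is constructed and not written in FireDroid's policy language; the enforcement loop assumes Linux on x86-64 (register names are architecture specific), and it traces a child it spawns itself, whereas FireDroid attaches to Zygote so that every forked app inherits the tracer.

```c
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { ALLOW = 0, DENY = 1 };

/* PDP: one constructed rule, not FireDroid's policy language. Deny IPv4/IPv6 socket
 * creation (the channel information harvesting needs) and allow every other call. */
int policy_decide(long nr, long a0) {
    return (nr == SYS_socket && (a0 == AF_INET || a0 == AF_INET6)) ? DENY : ALLOW;
}
#ifdef __x86_64__
#include <sys/user.h>
/* PEP: run argv as a ptrace-d child and consult the PDP at every syscall entry. A denied call
 * becomes an invalid syscall number whose result is rewritten to -EPERM on exit, so the app
 * sees a failed call instead of being killed. Returns the child's exit status. */
int enforce(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* child: request tracing, then exec */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL); raise(SIGSTOP);
        execvp(argv[0], argv); _exit(127);
    }
    int status, sig = 0, entering = 1, denied = 0;
    struct user_regs_struct r;
    waitpid(pid, &status, 0);                    /* the child's SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig);
        waitpid(pid, &status, 0);
        if (!WIFSTOPPED(status)) return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        sig = WSTOPSIG(status);
        if (sig != (SIGTRAP | 0x80)) {           /* not a syscall stop: re-deliver real signals, */
            if (sig == SIGTRAP) sig = 0;         /* but swallow the post-exec SIGTRAP */
            continue;
        }
        sig = 0;
        ptrace(PTRACE_GETREGS, pid, NULL, &r);   /* orig_rax = syscall nr, rdi = first argument */
        if (entering) {
            denied = policy_decide((long)r.orig_rax, (long)r.rdi) == DENY;
            if (denied) { r.orig_rax = (unsigned long long)-1; ptrace(PTRACE_SETREGS, pid, NULL, &r); }
        } else if (denied) {
            r.rax = (unsigned long long)(long)-EPERM; ptrace(PTRACE_SETREGS, pid, NULL, &r);
        }
        entering = !entering;
    }
}
#endif
```

A program run through `enforce` gets EPERM from `socket(AF_INET, ...)` while local (AF_UNIX) sockets and all other calls proceed normally; the same loop can grow a full rule table and inspect the remaining argument registers (rsi, rdx, r10, r8, r9).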

Slide 92

FireDroid: Hardening Security in Almost-Stock Android

Evaluation:
- CTS: Compatibility Test Suite
- Overhead on benchmarks: Quadrant, BenchmarkPi
- Inter-process communication: HttpGet, BroadcastIntent, QueryContact and GetLastLocation

Slide 93

FireDroid: Hardening Security in Almost-Stock Android

Contributions:
- ptrace-based system
- policy language

Direction: Performance evaluation is complete.

Question: How are system calls connected to the policy language? It is quite obscure in the paper.