1. AppAudit Effective Real-time Android Application Auditing Andrew Jeong 9642114

2. Background  Motivation?  Mobile applications can have access to sensitive personal data.  This can lead to threats of data leakage!  How to resolve the matter?  APP AUDITING!  What is App Auditing?  “App auditing is a fundamental program analysis task to reveal unauthorised data leaks”

3. How do these data leak? Third-party Advertising Modules  93.3% (28 out of 30 sample apps) of detected data leaks are caused by 3rd-party advertising libraries  Privilege separation and fine-grained privilege control.  Developers can analyse the application before publishing to the market.

4. How do these data leak? HTTP Requests are the most prominent leaking venues  HTTP servers can be easily configured, vulnerable to data leaks.  Important personal information can be easily obtained by traffic sniffing in the public.  Some of the apps do not have a clear privacy policy statement, making users unaware of the potential risks.

5. Existing Tools  AppIntent  Static analysis tool based on symbolic execution.  Can prune false positive and optimize the performance of symbolic execution.  Tend to overkill some cases with its pruning mechanism.  Consumes 32GB of memory by default, so not really usable to mobile and PC users.  Requires minutes to hours of execution time!  FlowDroid  High precision by accurately modeling the runtime behavior of the application.  Relatively high accuracy compared to AppIntent.  Faster execution than AppIntent  Needs 2GB to 4GB of memory by default, so more usable.  However, not adequate for real applications due to quick memory exhaustion.

6. AppAudit: Use Cases IDEs integrated with AppAudit App Developer App Market Mobile End-user

7. AppAudit: How does it work?  Static API usage analysis :  efficient but over-estimating analysis technique that sifts out suspicious functions.  lightweight, but reports false positives  Dynamic Approximated Execution :  simulates the execution of a program while performing customised checks at each program state.  executes each suspicious function, monitors the dissemination of sensitive data and reports data leaks that can happen in real execution.  prunes false positives resulted from the static analysis

8. AppAudit: Static API analysis Source API : retrieves personal data Sink API : transmits data out of the device Trigger API : registers call-back functions KEY Traditional call Extended call Suspicious Func Function

9. AppAudit: Dynamic Approximated Execution Three Working Modes:  Execution (exec) : executor interprets bytecodes and perform operations.  Check : executor checks the parameters for the sink API.  Approximation (approx) : entered when bytecode instruction includes unknown operands.

10. Evaluation Test Sets  DroidBench : a suite of test cases that indicates the completeness of the static API analysis  Malware : these samples have well-understood malicious behavior, which serves as good accuracy index for data leak detection tools.  Free apps : a collection of top free apps and newly uploaded apps during the sampling time period.

11. Evaluation Method 1.Use a micro-benchmark suite to validate the completeness of the static API analysis 2.Use malware samples to evaluate the accuracy of AppAudit  Can our dynamic analysis guarantee no false positives?  Can AppAudit provide comparable code coverage as static analysis (a low false negative rate)? 3.Use real-world apps to evaluate the usability as well as usefulness of AppAudit  What is the analysis time and memory consumption?  How could AppAudit be used in different use cases? 4.Present characterisation study of data-leaking apps uncovered by AppAudit

12. Evaluation Result

15.  AppAudit achieves a 99.3% true positive rate (comparable to static analysis) and no false positives.  AppAudit performs 8.3 times faster than the state-of-the-art static analysis tools.  AppAudit only requires a heap size of 256MB, which can run on all platforms (mobile devices, PCs and servers).

16. Criticism  Incomplete code structure recognition module. AppAudit cannot detect where the executor is unaware of the correlation of unknown variables in cases of if-else statements.  Unknown Branching Approximation only explores the “then” branch.  AppAudit cannot determine for itself whether an input-sensitive leak is user-intended or not.  e.g., input message could come from an untrusted source like BeanBot malware

17. Thank you for listening! Questions?