Automated Means of Vetting Mobile Apps

Mobile app markets are creating a fundamental paradigm shift in the way software is delivered to end users. By providing a medium for reaching a large consumer market at a nominal cost, app markets have leveled the software industry, allowing entrepreneurs and hobbyist programmers to compete with prominent software development companies.  The result of this has been an explosive growth in the number of new apps for platforms that have embraced this method of provisioning software, such as Android. This paradigm shift, however, has given rise to a new set of security challenges. 

Prof. Sam MalekOver the past few years, Professor Sam Malek has received substantial funding from various government agencies (e.g., DHS, DARPA, FBI, NSA, NSF) to develop new technologies for mitigating the security risks posed by mobile apps. According to Malek, “We are witnessing a steep increase in the security threats targeted at mobile platforms.  This is nowhere more evident than in the Google Play market, where we have seen many cases of apps infected with malwares and spywares collecting all sorts of private user data for nefarious purposes.”  A key obstacle to safeguarding the app markets is the fact that assessing the security properties of apps is largely a cumbersome manual process.  The market operators, developers, and users alike are in desperate need of automated tools for vetting the trustworthiness of apps.  The development of such tools has been the focus of Malek’s research.

Malek explains, “Broadly, our research in this area can be categorized under two thrusts: (1) How to ensure an app does not harbor a malicious capability.  For instance, ensuring an app does not have the ability to eavesdrop on the user.  (2) How to ensure an app does not have security vulnerabilities that could be exploited by an attacker.  For example, ensuring an app cannot be tricked into leaking private user information.”

The first thrust of research in Malek’s group has resulted in RevealDroid, a machine-learning based approach for malware detection and family identification. RevealDroid uses novel program analysis techniques to extract security-relevant properties, referred to as features, from simply an app’s installation files, and without requiring access to its source code.  One of the key challenges of detecting malicious behavior is that attackers often obfuscate their code, i.e., change the implementation logic of the malicious behavior to avoid detection via conventional signature-based anti-virus products.  To mitigate this challenge, RevealDroid focuses the analysis on features that are difficult to obfuscate. Specifically, RevealDroid extracts features such as  Android-API usage and system call invocations that are outside the control of the attacker, and thus much more difficult to obfuscate.  In extensive experiments on a dataset of 51,496 malicious and benign apps, RevealDroid was able to detect malicious apps with an accuracy of 91%, and identify the malware family of the app with 87% accuracy.  Most notably, RevealDroid was able to achieve this accuracy on heavily obfuscated apps that were shown to evade all major commercial anti-virus products. 

RevealDroidAccording to Malek, “The most rewarding part of this work has been the adoption of RevealDroid by the security analysts within the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) for vetting mobile apps.”  RevealDroid is now one of the tools available on the Software Assurance Marketplace (SWAMP), a DHS-sponsored cloud-based environment for vetting software products used in the government. 

The second thrust of research in Malek’s group has resulted in the development of COVERT, an approach for detection of security issues that arise due to the interaction of multiple apps.  This is an increasingly important problem for Android due to its flexible Inter-Component Communication (ICC) that may cross app boundaries.  As an example, it has been shown that a malicious app may simultaneously exploit vulnerabilities in two benign, yet vulnerable apps, to achieve its objectives.  Similarly, given that Android’s permissions are enforced at the level of individual apps, it is quite easy for two malicious apps to collude and leak the user’s private information.  

COVERTSince a given device may have a large number of installed apps, evaluating security issues that arise due to their interaction is a very challenging problem.  To solve this problem, Malek and his team developed a hybrid static analysis and formal verification technique that decomposes the problem as follows.  Each individual app is first statically analyzed to extract security-relevant properties about its behavior.  These properties are then specified in a formal declarative language, called Alloy, the models of which can be composed and analyzed together with the help of an off-the-shelf SAT Solver.  This novel approach allowsCOVERT to decouple the static extraction of apps’ security-sensitive behaviors from the verification of their interactions through the ICC capabilities of Android.  It also eliminates the need to perform the analysis again from scratch every time apps are updated and new ones are installed.  In a set of experiments over 4,000 real-world apps, COVERT was able to identify 385 types of vulnerabilities, most of which were previously unknown. 

Malek believes there is a lot more future work in this space. He explains, “In spite of the promising results we have gotten so far, our tools suffer from the well-known limitations of static program analysis. Most notably, the static approximation of a program’s behavior can result in false positives, meaning, for instance, identification of vulnerabilities that are not really exploitable.”  To mitigate this limitation and make the technology more useful for practitioners, Malek and his group are now working on dynamic analyses to complement the properties that can be inferred statically.  His group is also developing a self-protection autonomic framework that allows a mobile device to intelligently neutralize security attacks at runtime.  Finally, in addition to their work on mobile security, his group is developing novel automated testing tools to help developers assess other quality attributes (e.g., energy) of their apps. 

For more information, contact Prof. Sam Malek or visit Malek’s Software Engineering and Analysis Lab (SEAL) website.

This article appeared in ISR Connector issue: