Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges and Solutions for Analyzing Android

Author

Bartel, Alexandre ; Klein, John ; Monperrus, Martin ; Le Traon, Yves

Author_Institution

Interdiscipl. Centre for Security, Univ. of Luxembourg, Kirchberg, Luxembourg

Volume

40

Issue

6

fYear

2014

fDate

June 1 2014

Firstpage

617

Lastpage

632

Abstract

A common security architecture is based on the protection of certain resources by permission checks (used e.g., in Android and Blackberry). It has some limitations, for instance, when applications are granted more permissions than they actually need, which facilitates all kinds of malicious usage (e.g., through code injection). The analysis of permission-based framework requires a precise mapping between API methods of the framework and the permissions they require. In this paper, we show that naive static analysis fails miserably when applied with off-the-shelf components on the Android framework. We then present an advanced class-hierarchy and field-sensitive set of analyses to extract this mapping. Those static analyses are capable of analyzing the Android framework. They use novel domain specific optimizations dedicated to Android.

Keywords

Android (operating system); optimisation; program diagnostics; security of data; API methods; Android framework; advanced class-hierarchy analysis; common security architecture; field-sensitive set analysis; large scale framework; novel domain specific optimizations; permission checks; permission-based framework; static analysis; Androids; Cameras; Humanoid robots; Java; Security; Servers; Sparks; Android; Java; Large scale framework; Soot; call-graph; permissions; security; static analysis;

fLanguage

English

Journal_Title

Software Engineering, IEEE Transactions on

Publisher

ieee

ISSN

0098-5589

Type

jour

DOI

10.1109/TSE.2014.2322867

Filename

6813664