DocumentCode :
2179675
Title :
Exposing software security and availability risks for commercial mobile devices
Author :
Johnson, R. ; Zhaohui Wang ; Stavrou, Angelos ; Voas, J.
Author_Institution :
Dept. of Comput. Sci., George Mason Univ., Fairfax, VA, USA
fYear :
2013
fDate :
28-31 Jan. 2013
Firstpage :
1
Lastpage :
7
Abstract :
The advent of smaller, faster, and always-connected handheld devices, along with our ever-increasing reliance on technology for everyday activities, has introduced novel threats and risks. Beyond hardware security, another primary factor affecting the reliability of a device is its mobile applications. Indeed, the shift to commercially available smart mobile devices has created a pressing need to understand the risks of running third-party mobile code on those devices. This new generation of smart devices and systems, including the iPhone and Google Android, is powerful enough to accomplish most user tasks that previously required a personal computer. In this paper, we discuss the cyber threats that stem from these new smart-device capabilities and from the online application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. We present our efforts towards a framework for exposing the functionality of a mobile application through a combination of static and dynamic program analysis that attempts to explore all available execution paths, including those in libraries. We verified our approach by testing a large number of Android applications with our dynamic analysis framework to demonstrate its functionality and viability. The framework fully automates the execution process, so no user input is required. We also discuss how the output of our static analysis can be used to inform the execution of the dynamic analysis. Our approach can serve as an extensible basis for other useful purposes such as symbolic execution, program verification, an interactive debugger, and other approaches that require deep inspection of an Android application. In summary, we believe that our efforts are the beginning of a long journey towards assessing and exposing the risks of commercially available mobile devices. Our future work will include non-Android platforms.
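The abstract describes static analysis output being used to drive a fully automated dynamic run of an Android application. The following Python is an added illustration of that idea, not the authors' framework: it parses an Android manifest, enumerates the application's entry points (activities, services, broadcast receivers) and the permissions it requests, and emits the `adb shell am ...` commands that would exercise each entry point without any user interaction. It assumes the manifest is available as plain XML (inside a real APK it is stored as binary AXML and must first be decoded with a tool such as `aapt dump xmltree` or apktool); the sample manifest, the package name `com.example.sample`, and the permission watchlist are all constructed for this example.

```python
"""Derive dynamic-analysis driver commands from static manifest analysis.

Added example (not code from the paper). Assumes a plain-XML manifest; real
APKs carry binary AXML that must be decoded first (aapt / apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for this example (package name is fictitious).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.sample.ShareActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Example watchlist (an assumption for this illustration, not Android's own
# "dangerous" list): permissions that matter for data exfiltration/tracking.
EXFIL_WATCHLIST = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}


def _qualify(pkg, name):
    """Expand manifest shorthand ('.Foo' or 'Foo') to a fully qualified class."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name


def parse_manifest(xml_text):
    """Static step: collect package, requested permissions and entry points."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    components = []
    app = root.find("application")
    for kind in ("activity", "service", "receiver"):
        for comp in app.findall(kind):
            name = _qualify(pkg, comp.get(ANDROID_NS + "name"))
            actions = [a.get(ANDROID_NS + "name") for a in comp.iter("action")]
            exported_attr = comp.get(ANDROID_NS + "exported")
            # Pre-API-31 default: a component with an intent filter is exported
            # unless android:exported="false" is set explicitly.
            exported = (exported_attr == "true") if exported_attr is not None else bool(actions)
            components.append({"kind": kind, "name": name,
                               "actions": actions, "exported": exported})
    return {"package": pkg, "permissions": perms, "components": components}


def flagged_permissions(info):
    """Permissions from the static pass that sit on the exfiltration watchlist."""
    return sorted(p for p in info["permissions"] if p in EXFIL_WATCHLIST)


def driver_commands(info):
    """Dynamic step: one adb command per entry point, needing no user input.

    The explicit component (-n) guarantees delivery to this app; the action
    (-a) is kept so the code path behind the intent filter is reached.
    Protected broadcasts such as BOOT_COMPLETED may be refused on a
    production device, so run these against an emulator or test device.
    """
    pkg = info["package"]
    verbs = {"activity": "start -W", "service": "startservice", "receiver": "broadcast"}
    cmds = []
    for c in info["components"]:
        target = f"{pkg}/{c['name']}"
        for action in (c["actions"] or [None]):
            flag = f"-a {action} " if action else ""
            cmds.append(f"adb shell am {verbs[c['kind']]} {flag}-n {target}")
    return cmds


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print("watchlist permissions:", flagged_permissions(info))
    for cmd in driver_commands(info):
        print(cmd)
```

The static pass also records whether each component is exported, which is the property that turns an entry point into an attack surface reachable from other apps; a fuller driver would pair each command with instrumentation (logcat, strace, or a hooked runtime) so that the behaviour triggered by each entry point is captured, as the framework in the abstract does.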
Keywords :
formal verification; invasive software; mobile computing; program debugging; program diagnostics; smart phones; Google Android; cyber threat; data exfiltration; data tracking; dynamic program analysis; execution path; exploitation; handheld device; hardware security; iPhone; interactive debugger; malware; mobile device; online application market; program verification; software availability; software security; static program analysis; symbolic execution; third-party mobile code; user task; user tracking; Androids; Binary trees; Humanoid robots; Java; Registers; Smart phones; Switches; Android; Dynamic analysis; Execution coverage; Software reliability;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Reliability and Maintainability Symposium (RAMS), 2013 Proceedings - Annual
Conference_Location :
Orlando, FL
ISSN :
0149-144X
Print_ISBN :
978-1-4673-4709-9
Type :
conf
DOI :
10.1109/RAMS.2013.6517735
Filename :
6517735