Abstract
Given a program whose functionality depends on access to certain external resources, we investigate the question of how to gracefully degrade functionality when a subset of those resources is unavailable. The concrete setting motivating this problem statement is mobile applications, which rely on contextual data (e.g., device identifiers, user location and contacts) to fulfill their functionality. In particular, we focus on the Android platform, which mediates access to resources via an installation-time permission model. On the one hand, granting an app permission to access a resource (e.g., the device ID) entails privacy threats (e.g., releasing the device ID to advertising servers). On the other hand, denying access to a resource could render the app useless (e.g., if the inability to read the device ID is treated as an error state). Our goal is to specialize an existing Android app so that it is prevented from accessing certain sensitive resources (or contextual data) specified by the user, while remaining able to execute functionality that does not depend on those resources. We present ShamDroid, a program transformation algorithm, based on specialized forms of program slicing, backward static analysis and constraint solving, that enables the use of Android apps with partial permissions. We rigorously state the guarantees provided by ShamDroid with respect to functionality maximization. We provide an evaluation over the top 500 Google Play apps and report on an extensive comparative evaluation of ShamDroid against three other state-of-the-art solutions (APM, XPrivacy, and Google App Ops) that mediate resource access at the system (rather than app) level. ShamDroid performs better than all of these tools by a significant margin, leading to abnormal behavior in only 1 out of the 27 apps we manually investigated, whereas the other solutions cause crashes and abnormalities in 9 or more of those apps. This demonstrates the importance of performing app-sensitive mocking.
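As an added illustration (not code from the paper or from the ShamDroid tool), the following Python model shows why the distinction between system-level and app-sensitive mocking matters: a hypothetical app validates the device ID it reads before using it, a generic substitute such as an absent or empty value fails that check and drives the app into its error state, while a mock value chosen to satisfy the app's own constraint keeps the remaining functionality working. The app logic, its validation rule (a 15-digit, Luhn-checked IMEI-style identifier), and all values are assumptions constructed for this example.

```python
# Added illustration, not ShamDroid's code. Models a hypothetical Android app that
# validates the device ID it reads, and contrasts a generic system-level mock with
# an app-sensitive mock that satisfies the app's own check (constructed values only).
from typing import Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by IMEI numbers (assumed to be the app's check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def app_accepts_device_id(dev_id: Optional[str]) -> bool:
    """The hypothetical app's validation: 15 digits with a valid Luhn checksum."""
    return (dev_id is not None and len(dev_id) == 15
            and dev_id.isdigit() and luhn_ok(dev_id))


def app_entry(dev_id: Optional[str]) -> str:
    """Hypothetical app logic: the device ID only tags a session; an invalid ID
    is treated as an error state, which is what makes the app 'useless'."""
    if not app_accepts_device_id(dev_id):
        return "ERROR: invalid device id"
    return "session:" + dev_id[-4:]          # functionality that survives mocking


def app_sensitive_mock(body: str = "12345678901234") -> str:
    """Solve the app's constraint for a synthetic value: 'body' is a 14-digit
    prefix we choose (not a real identifier); the check digit is derived so that
    luhn_ok holds, i.e. the mock passes validation without leaking a real ID."""
    assert len(body) == 14 and body.isdigit()
    for check in "0123456789":
        if luhn_ok(body + check):
            return body + check
    raise AssertionError("unreachable: some check digit always satisfies Luhn")


# Typical substitutes a system-level mediator might hand back (constructed list).
SYSTEM_LEVEL_MOCKS = [None, "", "0"]


def compare_mocks() -> dict:
    """Outcome of the app under each mocking strategy."""
    return {"system_level": [app_entry(m) for m in SYSTEM_LEVEL_MOCKS],
            "app_sensitive": app_entry(app_sensitive_mock())}
```

Every system-level substitute lands in the error branch, whereas the app-sensitive mock yields a working session tag while still exposing no real device identifier.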
ShamDroid: gracefully degrading functionality in the presence of limited resource access. In OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications.