DOI: 10.5555/2671225.2671290

Article

Brahmastra: driving apps to test the security of third-party components

Published: 20 August 2014

Abstract

We present an app automation tool called Brahmastra for helping app stores and security researchers to test third-party components in mobile apps at runtime. The main challenge is that call sites that invoke third-party code may be deeply embedded in the app, beyond the reach of traditional GUI testing tools. Our approach uses static analysis to construct a page transition graph and discover execution paths to invoke third-party code. We then perform binary rewriting to "jump start" the third-party code by following the execution path, efficiently pruning out undesired executions. Compared with the state-of-the-art GUI testing tools, Brahmastra is able to successfully analyse third-party code in 2.7× more apps and decrease test duration by a factor of 7. We use Brahmastra to uncover interesting results for two use cases: 175 out of 220 children's apps we tested display ads that point to web pages that attempt to collect personal information, which is a potential violation of the Children's Online Privacy Protection Act (COPPA); and 13 of the 200 apps with the Facebook SDK that we tested are vulnerable to a known access token attack.



Published In

SEC'14: Proceedings of the 23rd USENIX conference on Security Symposium
August 2014
1067 pages
ISBN: 9781931971157
Program Chair: Kevin Fu

Sponsors

  • Akamai
  • Google Inc.
  • IBM Research
  • NSF
  • Microsoft Research
  • USENIX Association

Publisher

USENIX Association

United States

Cited By

  • (2021) Centris. Proceedings of the 43rd International Conference on Software Engineering, pp. 860-872. DOI 10.1109/ICSE43902.2021.00083. Online publication date: 22 May 2021.
  • (2019) 50 ways to leak your data. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 603-620. DOI 10.5555/3361338.3361380. Online publication date: 14 August 2019.
  • (2019) MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 269-282. DOI 10.1145/3321705.3329801. Online publication date: 2 July 2019.
  • (2019) DCDroid. Proceedings of the ACM Turing Celebration Conference - China, pp. 1-9. DOI 10.1145/3321408.3326665. Online publication date: 17 May 2019.
  • (2019) MaMaDroid. ACM Transactions on Privacy and Security 22(2), pp. 1-34. DOI 10.1145/3313391. Online publication date: 9 April 2019.
  • (2019) Understanding the Responsiveness of Mobile App Developers to Software Library Updates. Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, pp. 13-24. DOI 10.1145/3292006.3300020. Online publication date: 13 March 2019.
  • (2019) CAG. Proceedings of the 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 32-39. DOI 10.1109/WETSEB.2019.00011. Online publication date: 27 May 2019.
  • (2018) CrawlDroid. Proceedings of the 10th Asia-Pacific Symposium on Internetware, pp. 1-6. DOI 10.1145/3275219.3275238. Online publication date: 16 September 2018.
  • (2018) JN-SAF. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1137-1150. DOI 10.1145/3243734.3243835. Online publication date: 15 October 2018.
  • (2018) Model-Reuse Attacks on Deep Learning Systems. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 349-363. DOI 10.1145/3243734.3243757. Online publication date: 15 October 2018.
