Not So Great Expectations: Why Application Markets Haven't Failed Security
ABSTRACT Application markets have rapidly become a widely popular mechanism for expanding the features and utility of mobile devices such as cell phones. The cottage industries that sprung up around these markets serve millions of Patrick McDaniel and William Enck Pennsylvania State University applications daily to a ready user audience. Markets entice developers by placing low economic and technical barriers to entry, thereby fostering fast-paced innovation. They streamline purchase and installation to serve even the most casual users with ease. Simply put, markets make producing and consuming applications easy. Markets also present obvious security concerns-users are trained to download applications with impunity from a huge number of developers about which they know little. Moreover, these applications often request nearly unfettered access to the data and device interfaces (for example, texting, voice-dialing, or GPS location), which seems to invite malicious applications and questionable functionality. Not surprisingly, such fears have been substantiated. A recent discovery of numerous applications sharing GPS locations and other personal information with online advertisers is just one example of dubious features found in market applications. The public reaction to these stories is often the same: users and pundits decry markets for their failure to properly vet the applications or developers. This underscores the widely held expectation that security is the market's responsibility.
- "On the other hand, permission lists provide a necessary foundation for security. Markets cannot simultaneously cater to the security and privacy requirements of all users , and permission lists allow researchers and expert users to become " whistle blowers " for security and privacy concerns . In fact, a recent comparison  of the Android and iOS versions of applications showed that iOS applications overwhelmingly more frequently use privacy-sensitive APIs. "
Conference Paper: WHYPER: Towards Automating Risk Assessment of Mobile Applications[Show abstract] [Hide abstract]
ABSTRACT: Application markets such as Apple's App Store and Google's Play Store have played an important role in the popularity of smartphones and mobile devices. However, keeping malware out of application markets is an ongo-ing challenge. While recent work has developed various techniques to determine what applications do, no work has provided a technical approach to answer, what do users expect? In this paper, we present the first step in addressing this challenge. Specifically, we focus on per-missions for a given application and examine whether the application description provides any indication for why the application needs a permission. We present WHY-PER, a framework using Natural Language Processing (NLP) techniques to identify sentences that describe the need for a given permission in an application description. WHYPER achieves an average precision of 82.8%, and an average recall of 81.5% for three permissions (address book, calendar, and record audio) that protect frequently-used security and privacy sensitive resources. These re-sults demonstrate great promise in using NLP techniques to bridge the semantic gap between user expectations and application functionality, further aiding the risk assess-ment of mobile applications.Proceedings of the 22nd USENIX Security Symposium (USENIX Security 2013); 01/2013
[Show abstract] [Hide abstract]
- "The corresponding markets are delivering an astonishing array of applications – as of March 2012, the number of applications available from the Android Market alone doubled to 400,000 in just eight months . However, existing markets provide little meaningful security or privacy guarantees because market providers have neither the tools nor the resources to perform detailed analysis of submitted applications . Thus, users fall victim to bad applications with moderate to devastating results    . "
ABSTRACT: The Android OS has emerged as the leading platform for Smart-Phone applications. However, because Android applications are compiled from Java source into platform-specific Dalvik bytecode, existing program analysis tools cannot be used to evaluate their behavior. This paper develops and evaluates algorithms for retar-geting Android applications received from markets to Java class files. The resulting Dare tool uses a new intermediate representa-tion to enable fast and accurate retargeting. Dare further applies strong constraint solving to infer typing information and translates the 257 DVM opcodes using only 9 translation rules. It also han-dles cases where the input Dalvik bytecode is unverifiable. We evaluate Dare on 1,100 of the top applications found in the free section of the Android market and successfully retarget 99.99% of the 262,110 associated classes. Further, whereas existing tools can only fully retarget about half of these applications, Dare can re-cover over 99% of them. In this way, we open the door to users, developers and markets to use the vast array of program analysis tools to ensure the correct operation of Android applications.
- "Users expect application markets to ensure the security of applications . However, the quantity of malware has been increasing exponentially, from 139 malware applications found in the first quarter of 2011 to over three thousand pieces of malware found in the first quarter of 2012 . "
Conference Paper: Predicting Vulnerable Classes in an Android Application[Show abstract] [Hide abstract]
ABSTRACT: Smart phones have been outselling PCs for several years. The Android operating system dominates the smart phone market, and the Android Market (now Google Play Store) recently passed the mark of 15 billions application down-loads. Therefore, there is a large base of users that is at-tractive for hackers to target. In this paper, we will examine the questions of whether mobile applications developed for the Android platform are vulnerable or not, and how to pre-dict which classes of an Android application are vulnerable. This paper approaches an answer to these questions by an-alyzing one very popular application of the Android Market and developing a vulnerability prediction model with high accuracy (over 80%) and precision (over 75%).International Workshop on Security Measurements and Metrics; 09/2012