Not So Great Expectations: Why Application Markets Haven't Failed Security
Patrick McDaniel and William Enck, Pennsylvania State University

ABSTRACT: Application markets have rapidly become a widely popular mechanism for expanding the features and utility of mobile devices such as cell phones. The cottage industries that sprung up around these markets serve millions of applications daily to a ready user audience. Markets entice developers by placing low economic and technical barriers to entry, thereby fostering fast-paced innovation. They streamline purchase and installation to serve even the most casual users with ease. Simply put, markets make producing and consuming applications easy. Markets also present obvious security concerns: users are trained to download applications with impunity from a huge number of developers about which they know little. Moreover, these applications often request nearly unfettered access to the data and device interfaces (for example, texting, voice-dialing, or GPS location), which seems to invite malicious applications and questionable functionality. Not surprisingly, such fears have been substantiated. A recent discovery of numerous applications sharing GPS locations and other personal information with online advertisers is just one example of dubious features found in market applications. The public reaction to these stories is often the same: users and pundits decry markets for their failure to properly vet the applications or developers. This underscores the widely held expectation that security is the market's responsibility.
Source: available from ftp.inf.ethz.ch
ABSTRACT: We show that the way in which permission-based mechanisms are used on today's mobile platforms enables attacks by colluding applications that communicate over overt and covert communication channels. These attacks allow applications to indirectly execute operations that those applications, based on their declared permissions, should not be able to execute. Example operations include disclosure of users' private data (e.g., phone book and calendar entries) to remote parties by applications that do not have direct access to such data or cannot directly establish remote connections. We further show that on today's mobile platforms users are not made aware of possible implications of application collusion; quite the contrary, users are implicitly led to believe that by approving the installation of each application independently, based on its declared permissions, they can limit the damage that an application can cause. In this work, we show that this is not correct and that application permissions should be displayed to the users differently (e.g., in their aggregated form), reflecting their actual implications. We demonstrate the practicality of application collusion attacks by implementing several applications and example covert channels on an Android platform and an example channel on a Windows Phone 7 platform. We study free applications from the Android market and show that the potential for application collusion is significant. Finally, we discuss countermeasures that can be used to mitigate these attacks.
ABSTRACT: The Android OS has emerged as the leading platform for smartphone applications. However, because Android applications are compiled from Java source into platform-specific Dalvik bytecode, existing program analysis tools cannot be used to evaluate their behavior. This paper develops and evaluates algorithms for retargeting Android applications received from markets to Java class files. The resulting Dare tool uses a new intermediate representation to enable fast and accurate retargeting. Dare further applies strong constraint solving to infer typing information and translates the 257 DVM opcodes using only 9 translation rules. It also handles cases where the input Dalvik bytecode is unverifiable. We evaluate Dare on 1,100 of the top applications found in the free section of the Android market and successfully retarget 99.99% of the 262,110 associated classes. Further, whereas existing tools can only fully retarget about half of these applications, Dare can recover over 99% of them. In this way, we open the door to users, developers and markets to use the vast array of program analysis tools to ensure the correct operation of Android applications.
ABSTRACT: Application markets providing one-click software installation have become common to smartphones and are emerging on desktop platforms. Until recently, each platform has had only one market; however, social and economic pressures have resulted in multiple-market ecosystems. Multi-market environments limit, and in some cases eliminate, valuable security characteristics provided by the market model, including kill switches and developer name consistency. We outline a novel approach to retaining single-market security semantics while enabling the flexibility and independence of a multi-market environment. We propose Meteor as a security-enhancing application installation framework that leverages information (e.g., app statistics, expert ratings, developer history) from a configurable set of security information sources. We build a proof-of-concept Android application (Meteorite) to demonstrate the technical feasibility of our proposal. The Meteor approach provides valuable decision-making criteria useful not only for smartphone users, but technology consumers as a whole, as new and existing computing environments converge on a market-like model for software installation.