Dissertation/Thesis Abstract

Automatic Program State Exploration Techniques for Security Analysis of Android Apps
by Johnson, Ryan, Ph.D., George Mason University, 2019, 211; 27667472
Abstract (Summary)

The usage and ownership of mobile devices is increasing globally. Our reliance on mobile

devices and the apps they run warrant novel techniques to explore the behavior of both

downloaded and pre-installed apps. Mobile apps are increasing in size and complexity,

making them more challenging to design and test. Focusing on Android, the most popular

mobile platform, I present methodologies to automatically analyze the states of Android

apps without access to source code and from a security perspective. Primarily, my research

suggests approaches to overcome the limitations of current binary code analysis techniques

to also include external and environmental inputs. I explain how utilizing this augmented

set of inputs we can discover unsafe app states that violate end-user security and privacy

when abused by an adversary.

To that end, I designed and implemented a novel program analysis technique for Android

called Forced-Path Execution (FPE). FPE forces execution of code independent of the

program state according to an execution strategy exposing program states that are deemed

safety critical. Applying FPE on Android apps, I was able to discover unsafe use of sensitive

Android Programming Interfaces (APIs) and “leaking” of Personally Identifiable Information

(PII) including access to text messages and system logs, among others. In addition, I explore

the security and reliability of inter-app communications via the Android Inter-Process

Communication (IPC) mechanism, namely the use of Intents. I systematically stress-test this

Android IPC mechanism to uncover design flaws within apps and the Android Operating

System (OS) itself. My approach scales to scan thousands of apps from Google Play and

the official Android Open Source Project (AOSP) code. As a result, I discovered thousands

of Intent input validation faults in apps from Google Play and multiple faults in a critical

AOSP system process for both the smartphone and embedded Android platforms.

Indexing (document details)
Advisor: Stavrou, Angelos, Setia, Sanjeev
Commitee: Offutt, Jeff, Ammann, Paul, Jones Jr, James H
School: George Mason University
Department: Information Technology
School Location: United States -- Virginia
Source: DAI-B 81/8(E), Dissertation Abstracts International
Subjects: Information Technology, Computer science
Keywords: Android, Android apps, App analysis, Forced-path execution, State exploration, Vulnerabilities
Publication Number: 27667472
ISBN: 9781658430739
Copyright © 2021 ProQuest LLC. All rights reserved. Terms and Conditions Privacy Policy Cookie Policy