Title :
Analysis of Android Inter-App Security Vulnerabilities Using COVERT
Author :
Sadeghi, Alireza ; Bagheri, Hamid ; Malek, Sam
Author_Institution :
Dept. of Comput. Sci., George Mason Univ., Fairfax, VA, USA
Abstract :
The state-of-the-art in securing mobile software systems are substantially intended to detect and mitigate vulnerabilities in a single app, but fail to identify vulnerabilities that arise due to the interaction of multiple apps, such as collusion attacks and privilege escalation chaining, shown to be quite common in the apps on the market. This paper demonstrates COVERT, a novel approach and accompanying tool-suite that relies on a hybrid static analysis and lightweight formal analysis technique to enable compositional security assessment of complex software. Through static analysis of Android application packages, it extracts relevant security specifications in an analyzable formal specification language, and checks them as a whole for inter-app vulnerabilities. To our knowledge, COVERT is the first formally-precise analysis tool for automated compositional analysis of Android apps. Our study of hundreds of Android apps revealed dozens of inter-app vulnerabilities, many of which were previously unknown.
Keywords :
Android (operating system); formal specification; mobile computing; program diagnostics; security of data; specification languages; Android application package static analysis; Android inter-app security vulnerability analysis; COVERT approach; collusion attacks; complex software compositional security assessment; formal specification language; formally-precise analysis tool; hybrid static analysis; lightweight formal analysis technique; mobile software systems; privilege escalation chaining; Analytical models; Androids; Humanoid robots; Metals; Mobile communication; Security; Smart phones;
Conference_Titel :
Software Engineering (ICSE), 2015 IEEE/ACM 37th IEEE International Conference on
Conference_Location :
Florence
DOI :
10.1109/ICSE.2015.233
