AppContextOld

PROJECT SUMMARY

Android security relies on a list of permissions presented to the user at the time of application installation. Unfortunately, this list lacks sufficient context for the users to fully understand the risk of installation. This paper presents AppContext, a system that extracts the context (e.g., activation event and execution setting) of each permission use and presents that context as a natural-language description. We used AppContext to analyze 950 Android applications (224 malicious applications and 726 Google Play Store applications). We study the extracted contexts of permission uses and the synthesized natural-language descriptions. We show that AppContext accurately identifies contexts for reflecting the intentions of permission uses that can differentiate benign and suspicious behaviors. We also show that the natural-language descriptions improve expert users’ understanding of mobile threats for making better installation decisions.

PEOPLE

Faculty

Tao Xie, William Enck

Students

Wei Yang, Xusheng Xiao, Sihan Li, Ben Andow

APPCONTEXT

AppContext first locates the permission invocations with static analysis of the binary code of the app under analysis. Next, AppContext identifies the execution settings by the entry points of the computed sub-call graphs. Then AppContext generates complete contexts after extracting the execution settings. Finally, AppContext synthesizes the context descriptions using template-based generation techniques.
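The four steps above can be sketched on a toy app. This is an added illustration, not AppContext's own code: the call graph, the entry-point names, the "in the foreground" wording and the API-to-permission table are constructed sample data, and a handwritten graph stands in for static analysis of the app binary.

```python
from collections import deque

# Constructed sample: sensitive API -> (permission, behavior phrase).
PERMISSION_APIS = {
    "TelephonyManager.getDeviceId":
        ("android.permission.READ_PHONE_STATE", "retrieve the device ID"),
    "URL.openConnection":
        ("android.permission.INTERNET", "open a connection to a URL"),
}

# Constructed entry points: (event category, activation event, execution setting).
ENTRY_POINTS = {
    "UsbReceiver.onReceive":
        ("system", "the device is disconnected from a USB cable", "in the background"),
    "ShareButton.onClick":
        ("ui", "the user clicks the share button", "in the foreground"),
}

# Constructed call graph of a toy app: caller -> callees.
CALL_GRAPH = {
    "UsbReceiver.onReceive": ["Tracker.collect"],
    "Tracker.collect": ["TelephonyManager.getDeviceId", "Uploader.send"],
    "Uploader.send": ["URL.openConnection"],
    "ShareButton.onClick": ["Uploader.send"],
}

def extract_contexts(graph, entries, apis):
    """Walk the sub-call graph of each entry point (BFS) and return
    (entry point, permission API) pairs for every reachable permission use."""
    contexts = []
    for entry in entries:
        seen, queue = {entry}, deque([entry])
        while queue:
            node = queue.popleft()
            if node in apis:
                contexts.append((entry, node))
            for callee in graph.get(node, []):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(callee)
    return contexts

def describe(entry, api):
    """Fill the description template for one permission context."""
    _, event, setting = ENTRY_POINTS[entry]
    permission, behavior = PERMISSION_APIS[api]
    return (f"When {event}, the application may {behavior} "
            f"{setting} (using {permission} permission).")

def describe_app():
    found = extract_contexts(CALL_GRAPH, ENTRY_POINTS, PERMISSION_APIS)
    return [describe(entry, api) for entry, api in found]
```

The same INTERNET use is reported twice, once per entry point, so a reviewer sees the background system-event context separately from the user-initiated one.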

Table 1: Example Activation Event Descriptions

Table 2: Example Behavior Descriptions

A Simplified Example of Analysis Flow for a game app called aMazing Submarine:

DOWNLOADS

Source Code: PermissionContext.zip, findmethods.zip, ContextCollecting.zip

Binary Files and Scripts: AppContexts.zip

README.txt

CONTEXTS DEFINITION

UI events are user actions interacting with app-specific user interfaces.

System events represent the events generated in daily use of a smartphone's software/hardware.

Lifecycle events are general user interactions on interfaces of systems or devices that can change the lifecycle of an Android component.

Table 3: Characteristics for Contexts of Permission Uses

EMPIRICAL STUDY

Raw Data:

We analyze 950 Android apps, with 726 as market apps and 224 as malicious apps. We apply AppContext to extract permission contexts from the subject apps. We manually inspect each of these permission contexts and classify it as suspicious, benign, or uncertain. We inspect the app description for each app to understand the functionality of the app. Based on the functionality of the app, we determine whether a permission context of the app is used for malicious intentions or potential privacy violations. We refer to a permission context used for malicious intentions or potential privacy violations as a suspicious context.

Market App Contexts (Structural data format)

Mobile threat Contexts (Structural data format)

RQ1. Statistics of Permission Contexts: Can the frequent contexts for each permission reflect malicious intentions or potential privacy violations?

To answer RQ1, we apply AppContext to extract all the permission contexts for both malicious and market apps, and rank the contexts for each permission based on their frequencies. We filter out the permission contexts whose frequencies are less than 10. In total, there are 34 (26 for malicious apps and 8 for market apps) suspicious contexts whose frequencies are more than or equal to 10.

Statistics of Suspicious Contexts in Market Apps

Statistics of Suspicious Contexts in Malicious Apps

RQ2. Distinct Suspicious Contexts: Are the suspicious contexts identified by AppContext often used for only malicious intentions or potential privacy violations? Are any of these suspicious contexts used for benign purposes as well?

Distinct Suspicious Contexts in Market Apps

Distinct Suspicious Contexts in Malicious Apps

RQ3. Uncertain Permission Contexts: What intentions cannot be expressed by using our permission contexts?

To answer RQ3, we study the contexts marked as uncertain.

Uncertain Contexts in Market Apps

Uncertain Contexts in Malicious Apps

RQ4. Synthesized Descriptions for Permission Contexts: How effectively can the synthesized descriptions of AppContext be used to help expert users understand permission intentions?

To answer RQ4, we conduct a two-step study on the context descriptions synthesized from 10 malicious apps, with two expert users of mobile apps (both authors of this paper).

First, these two expert users are given a form (form1) containing the names, the app descriptions, and the permissions of the selected apps. These two expert users then mark each permission claimed by the apps as reasonable or not and provide their installation decisions for each app.

Second, these two expert users are given another form (form2) that contains the same information but with the synthesized context descriptions for each permission. These expert users then mark the permissions and provide installation decisions again.

Author1 Mark:

Form1

Form2

Author2 Mark:

Form1

Form2

Example App in Evaluation:

App Name: 万阅公寓 (Bookworm Apartment)

App Description: 想得到关于2012的最新最爆的内部消息吗? 想深入探究未解之谜的奥妙吗? 想体验最 惊悚最灵异的事件吗? 想了解校园的最新动态吗? 想成为一名人见人爱的笑话大师吗? 想一边 欣赏着俊男靓女一边体验着 最新潮的服饰吗? 想每天学一道美食下班做给你的他/她吗? 想了解最新最火辣的影讯影评吗?想做一名 让上司信任让同事喜欢的职场达人吗? 想知道如何讨好你的星座恋人吗? 史上最有内涵!最深入!最灵异!最博学! 最多囧文的阅读软件《万阅公寓》上市啦

(Do you want the latest internal explosion news about the 2012? Do you want to delve into the mystery of mysteries? Do you want to experience the most supernatural thriller event? Do you want to know the latest developments on campus? Do you want to be a cute joke master? Do you want experience the latest wave of clothing while enjoying the looks of beautiful faces? Do you want to learn to give your special him / her a gourmet every day? Do you want to know the latest hottest movie information? Do you want to become a person that boss trust and colleagues like? Do you want to know how to please your constellation lover? The most in-depth! The supernatural! Most knowledgeable reading software of all time with most connotation articles and jokes! "Bookworm Apartment" now goes on the market!! ) (Based on Google Translate)

Permission List:

Generated Permission Description:

When the device is disconnected from a USB cable, the application may retrieve connection status information about a particular network type in the background (using android.permission.ACCESS_NETWORK_STATE permission).

When the device is disconnected from a USB cable, the application may retrieve the device ID in the background (using android.permission.READ_PHONE_STATE permission).

When the device is disconnected from a USB cable, the application may retrieve the unique subscriber ID of the device in the background (using android.permission.READ_PHONE_STATE permission).

When the device is disconnected from a USB cable, the application may open a connection to a URL in the background (using android.permission.INTERNET permission).