After selecting features for a new malicious app from the feature model, we introduce an intermediate language, called Behavior Description Language (BDL), to model concrete malicious behaviors with implementation details based on the selected features. This step guarantees consistency and correctness between the feature model and the concrete implementation derived from it.
Behavior Description Language. The selection of features by the evolutionary algorithm just decides the malicious intent at the requirement level. To seamlessly glue the corresponding code of these selected features and attain a workable app, we introduce BDL to make an initial instantiation of these features, and bridge the gap between the feature model and the final implementation. We design the syntax of BDL. We add the implementation details (e.g., context) into BDL to make it close to the code implementation, in a model-driven way of code generation.
Backus Naur Form of BDL. We present the partial BNF of BDL in Fig. 4. One app contains one or more flows, i.e., <APP> := <FLOW>+. In a privacy-leakage attack, one malicious flow is a concrete malicious behavior. It defines the concrete operations executed in apps. <FUNCTION> is the building block for a malicious flow, and it denotes how an app operates during the flow from the source to the sink at the atomic level. One function consists of three elements: <COMPONENT>, <POINTCUT> and <OPERATION>, where <COMPONENT> denotes the component (the building blocks of Android apps), <POINTCUT> denotes the methods where malicious behaviors are located, and <OPERATION> denotes the operation of malicious behaviors.
An Illustrative Example. For example, IBEA in step 1 selects android.provider.Telephony.SMS_RECEIVED as the concrete trigger feature, SMS::INCOMING_SMS as the concrete source feature, and HTTP::APACHE_POST as the concrete sink feature.
Intuitively, the selected AFs access incoming SMS messages, store them into a local variable, and finally send the information out by posting a message via the Apache HTTP library. The permission feature android.permission.READ_SMS is required. MYSTIQUE first constructs meaningful and valid behaviors based on the selected features. Unlike in the abstract feature model, we need to consider both the context of specific features and the dependencies between them. An app needs to register an instance of class BroadcastReceiver that listens for the event android.provider.Telephony.SMS_RECEIVED. Moreover, the acquisition of the incoming SMS message needs to be done in the context of method onReceive. Last, the operation of sending out information is also carried out in method onReceive. The BDL for this example is as follows:
BROADCAST_RECEIVER::POINTCUT_ONRECEIVE::SOURCE(SMS::INCOMING_SMS) → BROADCAST_RECEIVER::POINTCUT_ONRECEIVE::SINK(LOCAL_VARIABLE, HTTP::APACHE_POST)
Full details of BNF of BDL
<APP> := <FLOW>+
<FLOW> := <FUNCTION> ('->' <FUNCTION>)*
<FUNCTION> := <COMPONENT> '::' <POINTCUT> '::' <OPERATION>
<COMPONENT> := 'LAUNCHABLE_ACTIVITY' | 'ACTIVITY' '[' int ']'
| 'SERVICE' '[' int ']' | 'BROADCAST_RECEIVER' '[' int ']'
| 'CONTENT_OBSERVER' '[' int ']'
| 'PHONE_STATE_LISTENER' '[' int ']'
| 'LOCATION_LISTENER' '[' int ']'
<POINTCUT> := //for launchable activity, activity
'POINTCUT_ONCREATE' | 'POINTCUT_ONSTART'
| 'POINTCUT_ONRESUME' | 'POINTCUT_ONPAUSE'
| 'POINTCUT_ONSTOP' | 'POINTCUT_ONSTOP'
| 'POINTCUT_ONRESTART' | 'POINTCUT_ONDESTROY'
//for service
| 'POINTCUT_ONBIND' | 'POINTCUT_ONCREATE'
| 'POINTCUT_ONSTARTCOMMAND' | 'POINTCUT_ONUNBIND'
| 'POINTCUT_ONREBIND' | 'POINTCUT_ONDESTROY'
//for broadcast receiver
| 'POINTCUT_ONRECEIVE'
//for location listener
| 'POINTCUT_ONSTATUSCHANGED'
| 'POINTCUT_ONPROVIDERDISABLED'
| 'POINTCUT_ONPROVIDERENABLED'
| 'POINTCUT_ONLOCATIONCHANGED'
//for phone state listener
| 'POINTCUT_ONCALLFORWARDINGINDICATOR'
| 'POINTCUT_ONCALLSTATECHANGED'
| 'POINTCUT_ONCELLINFOCHANGED'
| 'POINTCUT_ONCELLLOCATIONCHANGED'
| 'POINTCUT_ONDATAACTIVITY'
| 'POINTCUT_ONDATACONNECTIONSTATECHANGED'
| 'POINTCUT_ONDATACONNECTIONSTATECHANGED2'
| 'POINTCUT_ONMESSAGEWAITINGINDICATORCHANGED'
| 'POINTCUT_ONSERVICESTATECHANGED'
| 'POINTCUT_ONSIGNALSTRENGTHCHANGED'
| 'POINTCUT_ONSIGNALSTRENGTHSCHANGED'
//for content observer
| 'POINTCUT_CONSTRUCTOR' | 'POINTCUT_ONCHANGE'
| 'POINTCUT_ONCHANGE2'
<OPERATION> := 'NONE' | <SOURCE_SIG> | <STORE_SIG>
| <FETCH_SIG> | <SINK_SIG> | <ICC_SEND_DATA_SIG>
| <ICC_RECEIVE_DATA_SIG> | <ICC_SIG>
<SOURCE_SIG> := 'SOURCE' '(' <SOURCE_ITEM> (',' <SOURCE_ITEM>)? ')'
<STORE_SIG> := 'STORE' '(' <MEDIUM_ITEM> ')'
<FETCH_SIG> := 'FETCH' '(' <MEDIUM_ITEM> ')'
<SINK_SIG> := 'SINK' '(' <SINK_ITEM> ',' <MEDIUM_ITEM> ')'
<ICC_SEND_DATA_SIG> := 'ICC_SEND_DATA' '(' <COMPONENT> ')'
//without CONTENT_OBSERVER, LOCATION_LISTENER and PHONE_STATE_LISTENER
<ICC_RECEIVE_DATA_SIG> := 'ICC_RECEIVE_DATA'
<ICC_SIG> := 'ICC' '(' <COMPONENT> ')'
//without CONTENT_OBSERVER, LOCATION_LISTENER and PHONE_STATE_LISTENER
<SINK_ITEM> := 'HTTP::APACHE_POST' | 'HTTP::APACHE_GET'
| 'HTTP::CONNECTION_POST' | 'HTTP::CONNECTION_GET'
| 'HTTP::SOCKET_GET' | 'HTTP::SOCKET_POST'
| 'SMS::SEND_TEXT_MESSAGE'
| 'SMS::SEND_MULTIPART_MESSAGE'
| 'SMS::SEND_DATA_MESSAGE'
<MEDIUM_ITEM> := 'LOCAL_VARIABLE' | 'GLOBAL_VARIABLE'
| 'SHARED_PREFERENCES' | 'DATABASE' | 'FILE' | 'INTENT'
<SOURCE_ITEM> := 'TELEPHONY::IMEI' | 'TELEPHONY::IMSI'
| 'TELEPHONY::PHONE_NUMBER'
| 'TELEPHONY::SIM_COUNTRY'
| 'TELEPHONY::SIM_SERIAL'
| 'TELEPHONY::SIM_OPERATOR'
| 'TELEPHONY::SIM_OPERATOR_NAME'
| 'TELEPHONY::NETWORK_COUNTRY'
| 'TELEPHONY::NETWORK_OPERATOR'
| 'TELEPHONY::NETWORK_OPERATOR_NAME'
| 'SMS::INBOX' | 'SMS::OUTBOX'
| 'SMS::ALL' | 'SMS::INCOMING_SMS'
| 'CALL::CALL_LOG' | 'MEDIA::RECORD'
| 'CALL::LAST_OUTGOING_CALL'
| 'CALL::INCOMING_CALL' | 'MEDIA::RECORD'
| 'BROWSER_HISTORY::BROWSER_HISTORY'
| 'LOCATION::REAL_TIME_LOCATION'
| 'LOCATION::LAST_KNOWN_LOCATION'
| 'BUILD::CODE_NAME' | 'BUILD::INCREMENTAL'
| 'BUILD::RELEASE' | 'BUILD::SDK'
| 'BUILD::SDK_INT' | 'CONTACT::CONTACT'
| 'EXTERNAL_STORAGE::FILE_LIST'
| 'PACKAGE::INSTALLED_APK'
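A well-formedness check for one BDL flow, written against the grammar above (an added example, not code from the paper or from MYSTIQUE). It checks that each pointcut belongs to its component, that ICC targets respect the grammar's exclusion comments, and that a SINK follows a SOURCE; treating the component index as optional and requiring source-before-sink are assumptions drawn from the page's own example and its "from the source to the sink" wording, and operation arguments are not validated.

```python
import re

# Pointcuts allowed per component, from the grammar's "//for ..." comments.
_ACTIVITY = "ONCREATE ONSTART ONRESUME ONPAUSE ONSTOP ONRESTART ONDESTROY"
POINTCUTS = {
    "LAUNCHABLE_ACTIVITY": _ACTIVITY,
    "ACTIVITY": _ACTIVITY,
    "SERVICE": "ONBIND ONCREATE ONSTARTCOMMAND ONUNBIND ONREBIND ONDESTROY",
    "BROADCAST_RECEIVER": "ONRECEIVE",
    "LOCATION_LISTENER": "ONSTATUSCHANGED ONPROVIDERDISABLED "
                         "ONPROVIDERENABLED ONLOCATIONCHANGED",
    "PHONE_STATE_LISTENER": "ONCALLFORWARDINGINDICATOR ONCALLSTATECHANGED "
                            "ONCELLINFOCHANGED ONCELLLOCATIONCHANGED ONDATAACTIVITY "
                            "ONDATACONNECTIONSTATECHANGED ONDATACONNECTIONSTATECHANGED2 "
                            "ONMESSAGEWAITINGINDICATORCHANGED ONSERVICESTATECHANGED "
                            "ONSIGNALSTRENGTHCHANGED ONSIGNALSTRENGTHSCHANGED",
    "CONTENT_OBSERVER": "CONSTRUCTOR ONCHANGE ONCHANGE2",
}
OPERATIONS = {"NONE", "SOURCE", "STORE", "FETCH", "SINK",
              "ICC_SEND_DATA", "ICC_RECEIVE_DATA", "ICC"}
NO_ICC_TARGET = {"CONTENT_OBSERVER", "LOCATION_LISTENER", "PHONE_STATE_LISTENER"}
# <COMPONENT>[int]::POINTCUT_x::<OPERATION>(args); the index is treated as
# optional because the page's own example omits it (assumption).
FUNC = re.compile(r"(\w+?)(?:\[\d+\])?::POINTCUT_(\w+)::(\w+)(?:\((.*)\))?")


def check_flow(flow):
    """Return a list of problems found in one BDL <FLOW>; empty means valid."""
    problems, seen_source = [], False
    for text in re.split(r"\s*(?:->|→)\s*", flow.strip()):
        m = FUNC.fullmatch(text)
        if not m:
            problems.append(f"not a <FUNCTION>: {text}")
            continue
        comp, cut, op, args = m.groups()
        if comp not in POINTCUTS:
            problems.append(f"unknown component: {comp}")
        elif cut not in POINTCUTS[comp].split():
            problems.append(f"POINTCUT_{cut} is not a method of {comp}")
        if op not in OPERATIONS:
            problems.append(f"unknown operation: {op}")
        target = (args or "").split("[")[0]  # component name of an ICC target
        if op in ("ICC", "ICC_SEND_DATA") and target in NO_ICC_TARGET:
            problems.append(f"{args} cannot be an {op} target")
        seen_source |= op == "SOURCE"
        if op == "SINK" and not seen_source:
            problems.append("SINK appears before any SOURCE")
    return problems
```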