Mobile Application Security in the Presence of Dynamic Code Updates

Ahmad, Maqsood (2017) Mobile Application Security in the Presence of Dynamic Code Updates. PhD thesis, University of Trento.

PDF - Doctoral Thesis
Available under License Creative Commons Attribution Non-commercial Share Alike.

The increasing number of repeated malware penetrations into official mobile app markets poses a high security threat to the confidentiality and privacy of end users' personal and sensitive information. Protecting end user devices from falling victim to adversarial apps presents a technical and research challenge for security researchers and engineers in academia and industry. Despite the security practices and analysis checks deployed at app markets, malware sneaks through the defenses and infects user devices. Malware has evolved into sophisticated, dynamically changing software, usually disguised as legitimate apps. The use of highly advanced evasive techniques, such as encrypted code, obfuscation and dynamic code updates, is common practice in novel malware. Through evasive use of dynamic code updates, malware pretending to be a benign app bypasses analysis checks and reveals its malicious functionality only once installed on a user's device. This dissertation provides a thorough study of the use, and the manner of use, of dynamic code updates in Android apps. Moreover, we propose a hybrid analysis approach, StaDART, that interleaves static and dynamic analysis to cover the inherent shortcomings of static analysis techniques when analyzing apps in the presence of dynamic code updates. Our evaluation results on real-world apps demonstrate the effectiveness of StaDART. However, dynamic analysis, and hybrid analysis too for that matter, typically brings the problem of stimulating the app's behavior, which is a non-trivial challenge for automated analysis tools. To this end, we propose a backward-slicing-based targeted inter-component code path execution technique, TeICC. TeICC leverages a backward slicing mechanism to extract code paths starting from a target point in the app. It makes use of a system dependency graph to extract code paths that involve inter-component communication. The extracted code paths are then instrumented and executed inside the app context to capture sensitive dynamic behavior and to resolve dynamic code updates and obfuscation. Our evaluation of TeICC shows that it can be effectively used for targeted execution of inter-component code paths in obfuscated Android apps. Also, since the possibility of adversaries reaching user devices cannot be ruled out, we propose an on-phone API-hooking-based app introspection mechanism, AppIntrospector, that can be used to analyze, detect and prevent runtime exploitation of app vulnerabilities that involve dynamic code updates.
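As an added illustration of the backward-slicing step that the TeICC description above relies on (this is example code written for this page, not the thesis's implementation): a constructed system dependency graph for a hypothetical two-component app, a slice walked back from a target statement (here a DexClassLoader call), and a topological ordering of the slice as it would be replayed under instrumentation. All statement names and edges are invented for the example.

```python
from collections import defaultdict, deque

# Constructed system dependency graph (SDG) for a hypothetical two-component app.
# Edge (src, dst, kind): dst depends on src; kind is "data", "control" or "icc"
# (inter-component edge from a startActivity call to the launched component's entry).
SDG_EDGES = [
    ("MainActivity.onCreate", "MainActivity.readUrl", "control"),
    ("MainActivity.readUrl", "MainActivity.putExtra", "data"),
    ("MainActivity.putExtra", "MainActivity.startActivity", "data"),
    ("MainActivity.onCreate", "MainActivity.startActivity", "control"),
    ("MainActivity.startActivity", "Loader.onCreate", "icc"),
    ("Loader.onCreate", "Loader.getExtra", "control"),
    ("Loader.getExtra", "Loader.download", "data"),
    ("Loader.download", "Loader.DexClassLoader", "data"),
    ("MainActivity.onCreate", "MainActivity.showAd", "control"),  # not on the target path
]

def backward_slice(edges, target):
    """Statements the target transitively depends on, plus the ICC edges crossed."""
    rev = defaultdict(list)
    for src, dst, kind in edges:
        rev[dst].append((src, kind))
    seen, icc, work = {target}, set(), deque([target])
    while work:
        node = work.popleft()
        for src, kind in rev[node]:
            if kind == "icc":
                icc.add((src, node))
            if src not in seen:
                seen.add(src)
                work.append(src)
    return seen, icc

def execution_order(edges, target):
    """Topological order of the slice along forward edges: the replay order for instrumentation."""
    stmts, _ = backward_slice(edges, target)
    fwd, indeg = defaultdict(list), {s: 0 for s in stmts}
    for src, dst, _ in edges:
        if src in stmts and dst in stmts:
            fwd[src].append(dst)
            indeg[dst] += 1
    ready, order = deque(sorted(s for s in stmts if indeg[s] == 0)), []
    while ready:
        node = ready.popleft()
        order.append(node)
        for nxt in fwd[node]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    return order
```

The slice keeps only statements that feed the target across the ICC boundary and drops unrelated ones such as the ad call, which is what lets a targeted execution avoid stimulating the whole app.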

Item Type: Doctoral Thesis (PhD)
Doctoral School: Information and Communication Technology
PhD Cycle: 28
Subjects: Area 01 - Mathematical and Computer Sciences > INF/01 Computer Science
Uncontrolled Keywords: Android Security, Malware Analysis, Dynamic Code Updates
Repository Staff approval on: 13 Apr 2017 15:26