Android has become the dominant mobile platform. Millions of Android apps have been produced and disseminated across app markets, spurred by the relative ease of construction using the Android development framework. Unfortunately, this ease of dissemination and construction, together with access to millions of users, has attracted malicious app developers and contributed to a growing number of exploitable software vulnerabilities. In this talk, to address these challenges, I present two approaches for Android security assessment that I have constructed: LetterBomb, the first approach for automatically generating exploits for Android apps, and RevealDroid, a lightweight, obfuscation-resilient approach for malware detection and family identification that leverages machine learning and static analysis of both conventional and unconventional code (i.e., reflective code and native code).
In the first part of this talk, I introduce LetterBomb, which relies on a combined path-sensitive, symbolic-execution-based static analysis and on the use of software instrumentation and test oracles. I ran LetterBomb on 10,000 Android apps from Google Play, where I identified nearly 200 exploits from over 800 vulnerable apps, including popular apps with up to 10 million downloads. Compared to a state-of-the-art detection approach for three inter-component communication-based vulnerabilities, LetterBomb obtains 30%-60% more vulnerabilities and runs 7 times faster.
In the second part of this talk, I present RevealDroid, which operates without the need to perform complex program analyses or to extract large sets of features, and examines unconventional code. Specifically, our selected features leverage categorized Android API usage, reflection-based features, and features from native binaries of apps. I assessed RevealDroid on more than 54,000 malicious and benign apps, where it achieved an accuracy of 98% for detection of malware, an accuracy of 95% for determination of their families, and very high obfuscation resiliency. I further demonstrate RevealDroid’s superiority against state-of-the-art approaches.
Joshua Garcia is a Postdoctoral Researcher at the Institute for Software Research at the University of California, Irvine (UCI) and the Software Engineering and Analysis Lab at UCI’s Department of Informatics in the Donald Bren School of Information and Computer Sciences. His current research interests include mobile security, testing, and analysis—and addressing problems of software architectural drift and erosion. He received three degrees from the University of Southern California: a B.S. in computer engineering and computer science, an M.S. in computer science, and a Ph.D. in computer science. His industrial experience includes software-engineering or research positions at the NASA Jet Propulsion Laboratory, the Southern California Earthquake Center, and Xerox Special Information Systems.