Multi-App Security Analysis: Looking for Android App Collusion
Presented as part of the 2014 HCSS conference.
Abstract:
The Android security model was built from the ground up to combat potential attacks (or misuse) one app at a time. This model culminates in a user interface that asks for the user's approval each time an app is installed. While this interface enables users to avoid applications that may violate their security policy (by using combinations of permissions), applications can freely communicate with each other to share their permissions, achieving capabilities through collusion that astute users would not have approved.
A holistic view of the app ecosystem is necessary to identify these potential collusions, but no existing tools provide such an interface.
Galois has been working with DARPA to develop a system that enables security analysts to quickly examine collections of Android apps, focusing their analysis on sets of apps that may be sharing capabilities (either intentionally or inadvertently) that result in undesirable data flows and possibly exfiltration. The resulting tool, called FUSE, conducts a binary static analysis of individual Android apps to identify inputs and outputs. FUSE then produces an Extended Manifest that concretely defines the possible set of sources and sinks for a given app. An additional multi-app analysis connects compatible sources and sinks and presents users with an interactive interface where they can delve into the possible data flows for a given device.
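The multi-app step described above, connecting compatible sources and sinks across per-app summaries, can be illustrated with a small graph search. The code below is an added example, not FUSE's code: the "Extended Manifest" schema, the app names, the broadcast action strings and the set of sensitive permissions are all constructed assumptions. Each app summary lists its permissions, its sources (permission-guarded data or a broadcast receiver), its sinks (a broadcast send, the network, or local storage) and the intra-app flows a single-app analysis would have found; the multi-app pass links a broadcast sink in one app to a receiver with the same action in another app, then looks for paths from a sensitive source to an exfiltration sink and records which apps take part.

```python
"""Connect sources and sinks across per-app summaries (constructed example, not FUSE)."""
from collections import defaultdict

# Constructed stand-ins for Extended Manifests; the schema is an assumption.
# "flows" are intra-app source -> sink edges from the single-app analysis.
MANIFESTS = [
    {"app": "contacts.reader", "permissions": {"READ_CONTACTS"},
     "sources": {"contacts": {"kind": "permission", "perm": "READ_CONTACTS"}},
     "sinks": {"share": {"kind": "broadcast", "action": "com.example.SHARE"}},
     "flows": [("contacts", "share")]},
    {"app": "sync.uploader", "permissions": {"INTERNET"},
     "sources": {"inbox": {"kind": "receiver", "action": "com.example.SHARE"}},
     "sinks": {"upload": {"kind": "network"}},
     "flows": [("inbox", "upload")]},
    {"app": "weather.widget", "permissions": {"ACCESS_FINE_LOCATION", "INTERNET"},
     "sources": {"gps": {"kind": "permission", "perm": "ACCESS_FINE_LOCATION"}},
     "sinks": {"api": {"kind": "network"}},
     "flows": [("gps", "api")]},
    {"app": "notes.app", "permissions": set(),
     "sources": {"inbox": {"kind": "receiver", "action": "com.example.NOTE"}},
     "sinks": {"disk": {"kind": "file"}},
     "flows": [("inbox", "disk")]},
]

SENSITIVE = {"READ_CONTACTS", "ACCESS_FINE_LOCATION"}  # assumed policy: sources of interest
EXFIL_SINKS = {"network", "sms"}                        # assumed policy: sinks of interest


def build_graph(manifests):
    """Nodes are (app, endpoint). Edges are intra-app flows plus inter-app
    channel matches: a broadcast sink links to every other app's receiver
    registered for the same action."""
    graph = defaultdict(list)
    receivers = defaultdict(list)  # action -> [(app, source endpoint)]
    for m in manifests:
        for name, src in m["sources"].items():
            if src["kind"] == "receiver":
                receivers[src["action"]].append((m["app"], name))
    for m in manifests:
        for s, t in m["flows"]:
            graph[(m["app"], s)].append((m["app"], t))
        for name, sink in m["sinks"].items():
            if sink["kind"] == "broadcast":
                for dst in receivers[sink["action"]]:
                    if dst[0] != m["app"]:  # cross-app edge only
                        graph[(m["app"], name)].append(dst)
    return graph


def _paths(node, graph, by_app, path, out):
    """Depth-first enumeration of simple paths ending at an exfiltration sink."""
    app, endpoint = node
    sink = by_app[app]["sinks"].get(endpoint)
    if sink and sink["kind"] in EXFIL_SINKS:
        out.append(list(path))
    for nxt in graph.get(node, []):
        if nxt not in path:
            path.append(nxt)
            _paths(nxt, graph, by_app, path, out)
            path.pop()


def find_flows(manifests):
    """Return every sensitive-source -> exfil-sink path, noting which apps
    participate and which permissions they hold between them."""
    by_app = {m["app"]: m for m in manifests}
    graph = build_graph(manifests)
    results = []
    for m in manifests:
        for name, src in m["sources"].items():
            if src["kind"] != "permission" or src["perm"] not in SENSITIVE:
                continue
            found = []
            _paths((m["app"], name), graph, by_app, [(m["app"], name)], found)
            for path in found:
                apps = []
                for a, _ in path:
                    if a not in apps:
                        apps.append(a)
                results.append({
                    "path": path,
                    "apps": apps,
                    # Cross-app flows are candidates for collusion review.
                    "collusion": len(apps) > 1,
                    "combined_permissions": set().union(*(by_app[a]["permissions"] for a in apps)),
                })
    return results


if __name__ == "__main__":
    for flow in find_flows(MANIFESTS):
        tag = "CROSS-APP" if flow["collusion"] else "single-app"
        chain = " -> ".join(f"{a}:{e}" for a, e in path_item) if False else \
            " -> ".join(f"{a}:{e}" for a, e in flow["path"])
        print(f"[{tag}] {chain}  permissions={sorted(flow['combined_permissions'])}")
```

Running it reports one cross-app path (contacts.reader sends a broadcast that sync.uploader receives and forwards to the network, so the pair effectively holds READ_CONTACTS plus INTERNET although neither app requested both) and one single-app path inside weather.widget, which the user did approve as a combination. A real analysis would model more channels than broadcasts (content providers, bound services, shared storage), and a cross-app flow is only a candidate: whether it violates policy is the analyst's call, which is why the tool surfaces flows rather than verdicts.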
This talk is a follow-on to Joe Hurd's 2012 HCSS presentation about the vision of multi-app analysis in Android. Since then, we have created a precise single-app static analysis, altered our approach to analysis based on analysis feedback, and implemented a deployable system for use when investigating new apps or designing a secure set of apps for a deployed device. In particular, the current approach does not assume that a security policy is known in advance. Instead, we allow the analyst to iteratively discover a policy during analysis---an approach that does not preclude the presence of a security policy a priori, but also does not require a fixed security policy.
Speaker Bio:
Rogan Creswick develops unique tools and techniques for software development at Galois, Inc. His research interests focus on improving the state of the art in software engineering tools and user interfaces. His experience also reaches into the areas of user interface automation and customization via integrated assistants and automated documentation aides at IBM Research. He has striven to provide natural interfaces to ease communication with complex and semi-sentient agents through existing tools that have already become trustworthy and familiar to their users.