Towards Improving Mobile Application Security by Enhancing User Perceptions of Application Behaviors

Abstract

Application markets such as Apples’s AppStore and Google’s Play store provide easy mechanisms for developers to distribute their applications. Unfortunately, these markets also provide easy mechanisms for developers with ulterior intent to distribute malware. However, classifying an application as malicious, privacy infringing, or benign is an ongoing challenge in the application markets. Existing formal analysis tool [1–5,7,9,10](directed towards detecting malicious applications) do not make a distinction between user expected application behavior and the unexpected application behavior, and may potentially report all security and privacy sensitive operations as malicious. This poster presents our works on bridging the semantic gap between user perceptions of the application behavior and the actual application behavior.

In our first project [8], we provide a user-aware privacy control approach that: 1) notifies users of potential information leak via presenting information flows that show what private data types are flowing to what output channels, and 2) allows users to perform inspection of the outgoing information at runtime. However, some information flows can flow to output channels where users cannot perform runtime inspection such as network socket (referred to as escaping flows), and may tamper with the information before the information is presented to users for inspection (referred to as tampering flows). To differentiate such information flows with other information flows where users can inspect untampered information, our approach further provides tamper analysis that tracks whether information is tampered with before the information flows to output channels, and identifies escaping flows and tampering flows for users to inspect.

In our second project [6], we developed an approach to automatically identify sentences that indicate the uses of security permissions in the application descriptions. Specifically, in this work, we specialized Natural Language Processing (NLP) techniques using the domain-specific models inferred from API documents to distinguish such sentences from the others. These domain-specific models describe various actions that perform on the resources protected by permissions, representing common uses of permissions. Our evaluation results on about 600 application descriptions show great promise in using NLP techniques to bridge the semantic gap of user expectations to aid the risk assessment of mobile applications. 

Presenter Bio

Wei Yang is a PhD student in University of Illinois at Urbana-Champaign. He joined the Automated Software Engineering Research Group in Aug, 2011, under the supervision of Professor Tao Xie. He received an M.S. in Computer Science from the North Carolina State University in 2013. Before that, he received a B.E. in Software Engineering and a B.S in Accounting from Shanghai Jiao Tong University, advised by Professor Jianjun Zhao. His research interests are in Software Engineering, with a focus on Software Security.