FUSE: Beyond single-app security


Abstract:

FUSE is a tool that helps security analysts see how a collection of Android applications will operate together on a device. FUSE combines information from static analysis of all the individual apps provisioned to a mobile device so that analysts can quickly see where collusion or other app interaction may occur: interactions that no single-app analysis can discover. Analysts can combine the information from FUSE's visual data flow graphs with their expert domain knowledge to focus their attention on the applications that pose the greatest risk. FUSE allows analysts to interactively filter different types of data flow, select subsets of apps, and even reveal the specific instructions where inter-app data transfer occurs. Because FUSE analyzes compiled Android APKs, the analysis does not require access to application source code.
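The multi-app view described above, as an added illustration that is not FUSE's own code: per-app static-analysis summaries are merged into one inter-app flow graph, and sensitive data is flagged only when it reaches a sink through a chain of apps. The app names, intent actions, data labels and the coarse "received data reaches every sink" propagation rule are all constructed assumptions.

```python
# Added illustration, not FUSE's own code. Merge per-app static-analysis
# summaries into one inter-app flow graph and report data that reaches a
# sink only because several apps cooperate. All names below are constructed.
from collections import defaultdict

# Per-app summary a single-app analyser might emit: labels the app reads,
# implicit intents it sends (action, labels carried), actions it receives,
# and sinks it writes received data to. Constructed sample data.
APPS = {
    "weather": {"sources": {"LOCATION"}, "receives": set(),
                "sends": [("com.example.SHARE", {"LOCATION"})], "sinks": set()},
    "notes":   {"sources": set(), "receives": {"com.example.SHARE"},
                "sends": [("com.example.UPLOAD", {"LOCATION"})], "sinks": set()},
    "sync":    {"sources": set(), "receives": {"com.example.UPLOAD"},
                "sends": [], "sinks": {"INTERNET"}},
}

def build_flow_graph(apps):
    """Edges (sender -> receiver) labelled with the data an implicit intent
    carries, linked by matching action strings. Any single app shows only
    its own half of each edge, which is why a single-app view misses them."""
    receivers = defaultdict(list)
    for name, app in apps.items():
        for action in app["receives"]:
            receivers[action].append(name)
    edges = defaultdict(set)
    for name, app in apps.items():
        for action, labels in app["sends"]:
            for target in receivers.get(action, ()):
                if target != name:
                    edges[(name, target)] |= labels
    return edges

def cross_app_leaks(apps, watch=("LOCATION",)):
    """Paths along which a watched label travels from the app that reads it
    to a different app's sink; the visited check (dst not in path) cuts cycles."""
    edges = build_flow_graph(apps)
    leaks = []
    def walk(path, label):
        here = path[-1]
        for sink in sorted(apps[here]["sinks"]):
            if len(path) > 1:          # only cross-app paths are reported
                leaks.append((tuple(path), label, sink))
        for (src, dst), labels in sorted(edges.items()):
            if src == here and label in labels and dst not in path:
                walk(path + [dst], label)
    for name, app in sorted(apps.items()):
        for label in sorted(app["sources"] & set(watch)):
            walk([name], label)
    return leaks
```

Running `cross_app_leaks(APPS)` reports the two-hop path weather -> notes -> sync carrying LOCATION to INTERNET, while analysing any one of the three apps alone reports nothing.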

Managing information to ensure the privacy of your personal, corporate, or organizational information requires more than a single-app view of security. The big-picture analysis possible with FUSE provides a high-level view of how personal and confidential information is handled on an Android device. Our approach to Android analysis starts with that high-level view of application collections, but also allows for deep dives into decompiled application bytecode through an integrated 'dex explorer'.

This poster builds on previous talks at HCSS in 2012 and 2014, showing the latest state of the FUSE tools for single- and multi-app Android analysis. It showcases changes since those presentations, including support for automated policy evaluation, interactive deep dives, and the application of information flow slicing techniques to identify undesirable flows.

Biography:

Rogan Creswick develops unique tools and techniques for software development and security analysis at Galois, Inc. His research interests focus on improving the state of the art in software engineering tools and user interfaces. His experience also reaches into the areas of user interface automation and customization via integrated assistants and automated documentation aides. He strives to provide intuitive tools that ease communication with complex and semi-sentient agents so people can work more efficiently while building trust in their computing systems.
License: CC-2.5
Submitted by Katie Dey on