User Expectations in Mobile App Security
1 like950 views
The document discusses the importance of user expectations in mobile app security, highlighting the roles of app developers and users in defining functional and security requirements. It emphasizes the necessity for users to understand app permissions and the potential risks associated with mobile applications, particularly regarding malware. Additionally, it outlines various research approaches aimed at improving mobile app security, including user experience enhancement, functionality disclosure, and risk assessment automation.
![Motivation: Stealthy App Behaviors
• 52-64% of existing malwares send stealthy premium rate
SMS messages or make phone calls [Felt et al. SPSM’11, Zhou et
al. S&P’12]
• Stealthy HTTP requests are also very common
undesirable behaviors in malware [Felt et al. SPSM’11]
– A kind of malware making stealthy HTTP connections caused
8 million dollars loss in March 2010 in China [news in SINA.com]
Acknowledgment: slide adapted from AsDroid authors’](https://image.slidesharecdn.com/userexpectationmobilesecurity-released-160129232649/85/User-Expectations-in-Mobile-App-Security-22-320.jpg)
![Motivating Example
public class RegLoginListener implements OnClickListener {
public void onClick(View view) {
String uid = ...;
String pass = ...;
if (pref. getBoolean("registered", false)) {
LoginTask.doLogin(uid, pass);
} else {
sendRegisterSms(getPhoneNumber());
doRegister(uid, pass);
...
}
}
private void sendRegisterSms(String phoneNum) {
String msg = String.format("Register Phone: %s",
phoneNum);
SmsManager sm = SmsManager.getDefault();
sm.sendTextMessage("106053", null, msg, null, null);
}
}
public class LoginTask extends AsyncTask {
protected String doInBackground(String... params) {
http.execute(get); // http & get are fields
}
public static void doLogin(String uid, String pass) {
LoginTask login = new LoginTask();
String[] params = new String[] { uid, pass };
login.execute(params);
}
}
RegLoginListener.onClick()
LoginTask.doLogin() sendRegisterSms()
LoginTask.execute()
SmsManager.sendTextMessage()
LoginTask.doInBackground()
indirect call
Acknowledgment: slide adapted from AsDroid authors’
HttpClient.execute()](https://image.slidesharecdn.com/userexpectationmobilesecurity-released-160129232649/85/User-Expectations-in-Mobile-App-Security-24-320.jpg)
![Internet of Things Security:
The curse of the minimum viable product
• “Tentler told Ars that webcam manufacturers are in a race to
bottom. Consumers do not perceive value in security and
privacy. As a rule, many have not shown a willingness to pay
for such things. As a result, webcam manufacturers slash
costs to maximize their profit, often on narrow margins. Many
webcams now sell for as little as £15 or $20.”
• “"The consumers are saying 'we're not supposed to know
anything about this stuff [cybersecurity]," he said. "The
vendors don't want to lift a finger to help users because it
costs them money."”
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/](https://image.slidesharecdn.com/userexpectationmobilesecurity-released-160129232649/85/User-Expectations-in-Mobile-App-Security-44-320.jpg)
User Expectations in Mobile App Security
- 1. User Expectations in Mobile App Security Tao Xie Joint Work w/ Wesley Brooks, Wing Lam, Davis Li, David Yang, Carl Gunter, ChengXiang Zhai (Illinois) Benjamin Andow, William Enck (NCSU) Collaborating SoS Lablet PIs: Sean Smith (Dartmouth), Ross Koppel (U Penn), Jim Blythe (USC) NSA SoS Lablet, NSF Medium CNS-1513939, Google Faculty Research Award
- 2. Mobile App Markets Apple App Store Google Play Microsoft Windows Phone
- 3. App Store beyond Mobile Apps!
- 4. +++++++++++++++++++++ ++ • tempMobile apps can access a wealth of sensitive data and sensors Acknowledgment: Slide adapted from Haoyu Wang’s
- 5. “Conceptual” Model 5 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code App Code
- 6. Informal App Functional Requirements: App Description 6 App Code App Permissions
- 7. App Security Requirements: Permission List 7
- 8. “Conceptual” Model 8 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code
- 9. Example Andriod App: Angry Birds 9
- 10. It is NOT that People Don’t Care http://www.businessinsider.com/app-permission-agreements-privacy-video-2015-2
- 11. “Conceptual” Model 11 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code
- 12. oFocus on permission app descriptions o permissions (protecting user understandable resources) should be discussed o What does the users expect (w.r.t. app functionalities)? o GPS Tracker: record and send location o Phone-Call Recorder: record audio during phone call WHYPER: Text Analytics for Mobile Security 12 App Description Sentence Permission Linkage Pandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013
- 13. WHYPER Overview Application Market WHYPER DEVELOPERS USERS 13Pandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013 http://web.engr.illinois.edu/~taoxie/publications/usenixsec13-whyper.pdf • Enhance user experience while installing apps • Enforce functionality disclosure on developers • Complement program analysis to ensure justifications
- 14. Natural Language Processing on App Description 14 • “Also you can share the yoga exercise to your friends via Email and SMS.” – Implication of using the contact permission – Permission sentences • Confounding effects: – Certain keywords such as “contact” have a confounding meaning – E.g., “... displays user contacts, ...” vs “... contact me at abc@xyz.com”. • Semantic inference: – Sentences describe a sensitive action w/o referring to keywords – E.g., “share yoga exercises with your friends via Email and SMS” NLP + Semantic Graphs/Ontologies Derived from Android API Documents
- 15. • Synonym analysis • Ex non-permission sentence: “You can now turn recordings into ringtones.” • functionality that allows users to create ringtones from previously recorded sounds but NOT requiring permission to record audio • false positive due to using synonym: (turn, start) • Limitations of Semantic Graphs • Ex. permission sentence: “blow into the mic to extinguish the flame like a real candle” • false negative due to failing to associate “blow into” with “record” • Automatic mining from user comments and forums Challenges 15
- 16. Not All Malware Developers Are “Dumb” or “Lazy” 16
- 20. Not All Malware Developers Are “Dumb” or “Lazy” Benign? Malicious?
- 21. Insight by Other Researchers • Stealthy behaviors in Android apps Premium rate Phone number Malicious Web site Send SMS to Send request to Respond with malicious app You didn’t see me Huang et al. AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction. ICSE 2014. https://www.cs.purdue.edu/homes/xyzhang/Comp/icse14_2.pdf Acknowledgment: slide adapted from AsDroid authors’
- 22. Motivation: Stealthy App Behaviors • 52-64% of existing malwares send stealthy premium rate SMS messages or make phone calls [Felt et al. SPSM’11, Zhou et al. S&P’12] • Stealthy HTTP requests are also very common undesirable behaviors in malware [Felt et al. SPSM’11] – A kind of malware making stealthy HTTP connections caused 8 million dollars loss in March 2010 in China [news in SINA.com] Acknowledgment: slide adapted from AsDroid authors’
- 23. Motivating Example public class RegLoginListener implements OnClickListener { public void onClick(View view) { String uid = ...; String pass = ...; if (pref. getBoolean("registered", false)) { LoginTask.doLogin(uid, pass); } else { sendRegisterSms(getPhoneNumber()); doRegister(uid, pass); ... } } } Acknowledgment: slide adapted from AsDroid authors’
- 24. Motivating Example public class RegLoginListener implements OnClickListener { public void onClick(View view) { String uid = ...; String pass = ...; if (pref. getBoolean("registered", false)) { LoginTask.doLogin(uid, pass); } else { sendRegisterSms(getPhoneNumber()); doRegister(uid, pass); ... } } private void sendRegisterSms(String phoneNum) { String msg = String.format("Register Phone: %s", phoneNum); SmsManager sm = SmsManager.getDefault(); sm.sendTextMessage("106053", null, msg, null, null); } } public class LoginTask extends AsyncTask { protected String doInBackground(String... params) { http.execute(get); // http & get are fields } public static void doLogin(String uid, String pass) { LoginTask login = new LoginTask(); String[] params = new String[] { uid, pass }; login.execute(params); } } RegLoginListener.onClick() LoginTask.doLogin() sendRegisterSms() LoginTask.execute() SmsManager.sendTextMessage() LoginTask.doInBackground() indirect call Acknowledgment: slide adapted from AsDroid authors’ HttpClient.execute()
- 25. AsDroid Approach RegLoginListener.onClick() HttpAccess SendSms Code behaviors Correlation Analysis UI Text HttpAccess SendSms Acknowledgment: slide adapted from AsDroid authors’
- 26. Our Own Insight Different goals of benign apps vs. malware. • Benign apps – Meet requirements from users (as delivering utility) • Malware – Trigger malicious behaviors frequently (as maximizing profits) – Evade detection (as prolonging lifetime) 26
- 27. Differentiating characteristics Mobile malware (vs. benign apps) – Frequently enough to meet the need: frequent occurrences of imperceptible system events; • E.g., many malware families trigger malicious behaviors via background events. – Not too frequently for users to notice anomaly: indicative states of external environments • E.g., Send premium SMS every 12 hours Balance!!!
- 28. ActionReceiver.OnReceive() Date date = new Date(); if(data.getHours>23 || date.getHours< 5 ){ ContextWrapper.StartService(MainService); … MainService.OnCreate() DummyMainMethod() SendTextActivity$4.onClick() SplashActivity.OnCreate() SmsManager.sendTextMessage() long last = db.query(“LastConnectTime"); long current = System.currentTimeMillis(); if(current – last > 43200000 ){ SmsManager.sendTextMessage(); db.save(“LastConnectTime”, current); … SendTextActivity$5.run() MainService.b() ContextWrapper.StartService() The app will send an SMS when • user clicks a button in the app Example of malicious app SendTextActivity$4.onClick SmsManager.sendTextMessage
- 29. ActionReceiver.OnReceive() Date date = new Date(); if(data.getHours>23 || date.getHours< 5 ){ ContextWrapper.StartService(MainService); … MainService.OnCreate() DummyMainMethod() SendTextActivity$4.onClick() SplashActivity.OnCreate() SmsManager.sendTextMessage() long last = db.query(“LastConnectTime"); long current = System.currentTimeMillis(); if(current – last > 43200000 ){ SmsManager.sendTextMessage(); db.save(“LastConnectTime”, current); … SendTextActivity$5.run()MainService.b() ContextWrapper.StartService() The app will send an SMS when • phone signal strength changes (frequent) • current time is within 11PM-5 AM (not too frequent, User not around) Example of malicious app if(data.getHours>23 || date.getHours< 5 ){ Android.intent.action.SIG_STR
- 30. ActionReceiver.OnReceive() Date date = new Date(); if(data.getHours>23 || date.getHours< 5 ){ ContextWrapper.StartService(MainService); … MainService.OnCreate() DummyMainMethod() SendTextActivity$4.onClick() SplashActivity.OnCreate() SmsManager.sendTextMessage() long last = db.query(“LastConnectTime"); long current = System.currentTimeMillis(); if(current – last > 43200000 ){ SmsManager.sendTextMessage(); db.save(“LastConnectTime”, current); … SendTextActivity$5.run() MainService.b() ContextWrapper.StartService() The app will send an SMS when • user enters the app (frequent) • (current time – time when last msg sent) >12 hours (not too frequent) Example if(current – last > 43200000 ){
- 31. AppContext • Capture differentiating characteristics with contexts of security-sensitive behavior. • Leverage contexts in machine learning (classification) to differentiate malware and benign apps. Yang et al. AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts. ICSE 2015. http://taoxie.cs.illinois.edu/publications/icse15-appcontext.pdf
- 32. Different Insight by Other Researchers Attackers like to piggyback the same attack payload to different legitimate apps. Chen et al. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. USENIX Security 2015. https://www.usenix.org/node/190925 Acknowledgment: slide adapted from Kai Chen’s http://www.appomicsec.com
- 33. Results of Repackaging Compare related apps, check “different” code Acknowledgment: slide adapted from Kai Chen’s
- 34. Results of Repackaging Detect code intersection in apps with unrelated apps Acknowledgment: slide adapted from Kai Chen’s
- 35. MassVet approach: DiffCom Analysis Sim-View Analysis No Yes Diff Analysis Com Analysis Suspicious? Acknowledgment: slide adapted from Kai Chen’s
- 36. MassVet: Diff Analysis • For apps having the same view and different signatures, the different methods between the two apps may be malicious • Challenge 1: How to quickly compare two apps and find the different methods? • Challenge 2: Are the different methods malicious? Chen et al. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. USENIX Security 2015. https://www.usenix.org/node/190925 Acknowledgment: slide adapted from Kai Chen’s
- 37. MassVet: Com Analysis • For the apps with different views, find the common code • Challenge 1: Are the two apps really unrelated? • Challenge 2: Is the common code really malicious? Chen et al. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. USENIX Security 2015. https://www.usenix.org/node/190925 Acknowledgment: slide adapted from Kai Chen’s
- 38. Putting Pieces Together 39 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code App Code WHYPER AsDroid AppContext MassVet
- 40. Pre-Installed Apps/Malware: Middlemen • “According to the G Data researchers, there is unlikely to have been anything accidental about the malware it discovered pre- installed on at least 26 different smartphones from manufacturers including Huawei, Lenovo and Xiaomi.” • “Which isn't to say the security firm thinks that the manufacturers are the perpetrators here, far from it. In fact, G Data reckons it is down to 'middlemen' in the distribution chain who are looking to add to their revenue by making "additional financial gains from stolen user data and enforced advertising".” http://www.scmagazineuk.com/chinese-android-smartphones-now-shipping- with-pre-installed-malware/article/436631/
- 42. Internet of Things Security: Mobile or Not http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
- 43. Internet of Things Security: Mobile or Not • “The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true.” • “Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.” http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
- 44. Internet of Things Security: The curse of the minimum viable product • “Tentler told Ars that webcam manufacturers are in a race to bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20.” • “"The consumers are saying 'we're not supposed to know anything about this stuff [cybersecurity]," he said. "The vendors don't want to lift a finger to help users because it costs them money."” http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/
- 45. (Mobile) Privacy vs. Utility: A Balancing Act • A likely scenario for a professor – Student A: “May I record our 1-on-1 meeting so that I don’t miss anything?” – Professor: “Hmmhh… OK… but please don’t post it on public domain or redistribute it…” – Hopefully…. • Mobile utility apps: app store management, Input method, IME (input method editor) – even non-mobile ones: medical devices, search engines, …. • Assurance case for privacy policy compliance by app or service providers Sen et al. Bootstrapping Privacy Compliance in Big Data Systems, Oakland 2013. http://research.microsoft.com/apps/pubs/default.aspx?id=208626
- 46. User Expectations in Mobile App Security 47 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code App Code WHYPER AsDroid AppContext MassVet
- 47. User Expectations in Mobile App Security 48 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code App Code WHYPER AsDroid AppContext MassVet taoxie@illinois.edu NSA SoS Lablet, NSF Medium CNS-1513939, Google Faculty Research Award