A model‐based framework for inter‐app Vulnerability analysis of Android applications. (23rd November 2022)
- Record Type:
- Journal Article
- Title:
- A model‐based framework for inter‐app Vulnerability analysis of Android applications. (23rd November 2022)
- Main Title:
- A model‐based framework for inter‐app Vulnerability analysis of Android applications
- Authors:
- Nirumand, Atefeh
Zamani, Bahman
Tork‐Ladani, Behrouz
Klein, Jacques
Bissyandé, Tegawendé F.
- Abstract:
- Android users install various apps, such as banking apps, on their smart devices dealing with user‐sensitive information. The Android framework, via Inter‐Component Communication (ICC) mechanism, ensures that app components (inside the same app or on different apps) can communicate. The literature works have shown that this mechanism can cause security issues, such as app security policy violations, especially in the case of Inter‐App Communication (IAC). Despite the plethora of research on detecting security issues in IAC, detection techniques face fundamental ICC challenges for improving the precision of static analysis. Challenges include providing comprehensive and scalable modeling of app specification, capturing all potential ICC paths, and enabling more effective IAC analysis. To overcome such challenges, in this paper, we propose a framework called VAnDroid2, as an extension of our previous work, to address the security issues in multiple components at both intra‐ and inter‐app analysis levels. VAnDroid2, based on Model‐Driven Reverse Engineering, has extended our previous work as per following: (1) providing a comprehensive Intermediate Representation (IR) of the app which supports extracting all the ICC information from the app, (2) extracting high‐level representations of the apps and their interactions by omitting the details that are not relevant to inter‐app security analysis, and (3) enabling more effective IAC security analysis. This framework is implemented as an Eclipse‐based tool. The results of evaluating VAnDroid2 w.r.t. correctness, scalability, and run‐time performance, and comparing with state‐of‐the‐art analysis tools well indicate that VAnDroid2 is a promising framework in the field of Android inter‐app security analysis.
- Is Part Of:
- Software, practice & experience. Volume 53:Number 4(2023)
- Journal:
- Software, practice & experience
- Issue:
- Volume 53:Number 4(2023)
- Issue Display:
- Volume 53, Issue 4 (2023)
- Year:
- 2023
- Volume:
- 53
- Issue:
- 4
- Issue Sort Value:
- 2023-0053-0004-0000
- Page Start:
- 895
- Page End:
- 936
- Publication Date:
- 2022-11-23
- Subjects:
- android -- inter‐app communication -- inter‐component communication -- model‐driven reverse engineering -- security analysis
Computer software -- Periodicals
Computer programming -- Periodicals
Computer programs -- Periodicals
005.3
- Journal URLs:
- http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/spe.3171
- Languages:
- English
- ISSNs:
- 0038-0644
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 8321.453000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 26122.xml