Automated Certification of Android Applications

Open Access
- Author: Octeau, Damien
- Graduate Program: Computer Science and Engineering
- Degree: Master of Science
- Document Type: Master Thesis
- Date of Defense: April 05, 2010
- Committee Members: Patrick Drew Mcdaniel, Thesis Advisor/Co-Advisor
- Keywords: Soot, ded, retargeting, certification, decompilation, Android, static analysis
- Abstract: Smart phone applications are often incompletely vetted, poorly isolated, and installed by users without restraint. Such behavior is fraught with peril: applications containing malicious logic or critical vulnerabilities are likely to be identified only after substantial damage has already occurred. Unfortunately, the limitations of application markets make them a poor agent for certifying that applications are secure. This thesis presents a certification process that allows the consumers of applications to validate applications' security directly. Built for the Android cellular platform, we reverse engineer downloaded application images into application source code and thereafter use static analysis to detect potential security vulnerabilities. We develop a multi-stage process for VM retargeting and code recovery and detail their implementation within our automated tools. A study of the top 1,100 free Android market applications recovers source code for over 95% of the 143 thousand class files containing over 12 million lines of code. A preliminary analysis of the recovered source code identified over 3,100 potential vulnerabilities indicating issues over a broad range of features.