THIRD-PARTY LIBRARY SECURITY MANAGEMENT FOR MOBILE APPLICATIONS
Open Access
- Author:
- Hu, Wenhui
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- October 06, 2016
- Committee Members:
- Patrick Drew Mcdaniel, Dissertation Advisor/Co-Advisor
Patrick Drew Mcdaniel, Committee Chair/Co-Chair
Peng Liu, Committee Member
Trent Ray Jaeger, Committee Member
Constantino Manuel Lagoa, Outside Member
Peng Liu, Dissertation Advisor/Co-Advisor
Damien Octean, Special Member
Peng Liu, Committee Chair/Co-Chair - Keywords:
- Security
Third-party library
Isolation
Android
Integrity Verification
Policy - Abstract:
- In recent years, the Android operating system has had an explosive growth in the number of applications containing third-party libraries for different purposes. In this thesis, we identify three library-centric threats in the real-world Android application markets: (i) the library modification threat, (ii) the masquerading threat and (iii) the aggressive library threat. These three threats cannot effectively be fully addressed by existing defense mechanisms such as software analysis, anti-virus software and anti-repackaging techniques. The limitation of existing mechanisms is that the existing mechanisms ignore the fact the library and applications coexist, but are from different stakeholder in the ecosystem. For existing libraries, related security problems in applications, we propose a library integrity verification tool for Android applications at application stores. This is non-trivial because the Android application build process merges library code and application-specific logic into a single binary file. Our approach uses reverse-engineering to achieve integrity verification. The evaluation results also provide empirical insight into the library integrity situation in the wild. In addition, third-party libraries are detected to contain potentially malicious behaviors. With the Android security model, the core logic and the third-party library share permissions. Solutions are provided to enforce library isolation. Unfortunately, libraries in the isolation still share some permissions with the core logic. In order to generate distinct policies for third-party libraries, we need to know which part of libraries works for the core logic. Existing analysis tools cannot differentiate libraries' behaviors assisting for the application's main functionality from libraries' behaviors for itself because of two limitations: 1) the analysis cannot do backwards analysis; 2) the analysis cannot distinguish different stakeholders within one application. This shortcoming leads to the difficulty of creating a precise policy for library isolation solutions. The missing part is the intra-app cross-stakeholder data-flow analysis. To address it, we propose a callsite-aware bidirectional static analysis tool. The tool enables to classify the Android framework APIs in libraries into six categories. The classification information can be used to generate polices. The dissertation also has an enforcement of the library isolation.