Security has become the Achilles’ heel of most modern software systems. Techniques ranging from manual inspection to automated static and dynamic code analyses are commonly employed to identify security vulnerabilities prior to the release of software. However, these techniques are time-consuming and cannot keep pace with the growth of software repositories, such as Google Play and the Apple App Store, that host millions of apps.

An opportunity to tackle this issue is presented by the fact that the software products in these repositories are increasingly being organized into categories. Some examples are SourceForge for open source and Google Play for Android applications. In addition to helping users search and browse for apps, categorized repositories have been shown to be good predictors of the common features found within software of a particular category.

In a recent publication, Quandary Peak software expert Prof. Sam Malek and his team of researchers at George Mason University show that knowing the category of an Android application is sufficient for accurately predicting the types of security vulnerabilities that application may have. The approach works by mining a large number of apps available on the public app markets (e.g., Google Play). The apps are then analyzed for known security vulnerabilities, which can be detected through a variety of static analysis tools. The vulnerabilities detected in these apps are then used to build a classifier that can determine with very high accuracy the types of security vulnerabilities one may encounter in a new app of a certain category.
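The pipeline described above (scan many apps, then learn which vulnerability types go with which category) can be sketched as follows. This is an added example, not the classifier from the publication: it swaps in a simple smoothed per-category frequency model, and the category names, finding names, sample scans and the 0.5 threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (category, vulnerability types a static analyzer reported).
# Category and finding names are illustrative placeholders, not data from the study.
SCANS = [
    ("finance", {"weak_crypto", "insecure_storage"}),
    ("finance", {"weak_crypto", "exported_component"}),
    ("finance", {"weak_crypto"}),
    ("finance", {"insecure_storage", "weak_crypto"}),
    ("games", {"exported_component"}),
    ("games", {"exported_component", "cleartext_traffic"}),
    ("games", {"cleartext_traffic"}),
    ("games", set()),
]

def train(scans):
    """Return {category: {vuln_type: smoothed P(type present | category)}}."""
    apps = Counter()              # number of scanned apps per category
    hits = defaultdict(Counter)   # per category: apps exhibiting each type
    types = set()
    for category, findings in scans:
        apps[category] += 1
        hits[category].update(findings)
        types |= findings
    # Laplace smoothing (+1 / +2) so a type unseen in a category never gets 0.
    return {
        c: {t: (hits[c][t] + 1) / (apps[c] + 2) for t in sorted(types)}
        for c in apps
    }

def predict(model, category, threshold=0.5):
    """Vulnerability types expected in a new app of `category`, most likely first."""
    if category not in model:
        raise KeyError(f"no training data for category {category!r}")
    ranked = sorted(model[category].items(), key=lambda kv: (-kv[1], kv[0]))
    return [t for t, p in ranked if p >= threshold]

MODEL = train(SCANS)

if __name__ == "__main__":
    for cat in MODEL:
        print(cat, "->", predict(MODEL, cat))
```

An analyst could use the ranked list to decide which checks to run first on a newly submitted app of that category.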

This research has significant implications for consumers and app market operators, as it allows them to determine the types of security risks posed by applications of different categories without requiring any specialized tools or detailed analysis of the software. It could also help a security analyst focus the manual effort of verifying and checking apps on the parts of the code that may harbor certain types of vulnerabilities.

Broadly, there are two sets of issues that mobile security experts are working on. First, how can we ensure that an app does not harbor a malicious capability, such as the ability to eavesdrop on the user? And second, how can we ensure that an app does not have security vulnerabilities that could be exploited for nefarious reasons, such as being tricked into leaking private user information? Although the work conducted so far in Malek’s Software Design and Analysis Research Lab has aimed to address the latter, the approach is able to shed light on the former, too. He is currently extending the approach to develop a profile for the behavior of applications from different categories. Such a profile could be used to detect when an app of a given category does not fit the behavioral profile of a typical app from that category. A behavioral anomaly is a good indicator that the app may harbor certain malicious capabilities.

The underlying insight guiding Malek’s research is the fact that many modern software systems are developed using rich application development frameworks, such as the one that comes with Android, allowing the researchers to raise the level of abstraction for detecting vulnerabilities to the types of libraries and services used by the app. In other words, there is a fundamental difference between mobile apps and conventional software (e.g., software developed purely in Java or C) that could be exploited for developing better tools for assessing the security of mobile software. The libraries and services used by mobile software could help us automatically determine many of its security properties.

This research is funded in part by the US Defense Advanced Research Projects Agency.