ded Project Publication
William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri.
A Study of Android Application Security.
In Proceedings of the 20th USENIX Security Symposium, August
The fluidity of application markets complicates smartphone
security. Although recent efforts have shed light on particular security
issues, there remains little insight into broader security characteristics of
smartphone applications. This paper seeks to better understand smartphone
application security by studying 1,100 popular free Android applications. We
introduce the ded decompiler, which recovers Android application source code
directly from its installation image. We design and execute a horizontal study
of smartphone applications based on static analysis of 21 million lines of
recovered code. Our analysis uncovered pervasive use/misuse of personal/phone
identifiers, and deep penetration of advertising and analytics networks.
However, we did not find evidence of malware or exploitable vulnerabilities in
the studied applications. We conclude by considering the implications of these
preliminary findings and offer directions for future analysis.
Damien Octeau, William Enck, and Patrick McDaniel.
The ded Decompiler.
Technical Report NAS-TR-0140-2010, Network and Security Research
Center, Department of Computer Science and Engineering, Pennsylvania State
University, University Park, PA, USA, September 2010.
Smartphone applications are frequently incompletely vetted,
poorly isolated, and installed by users without restraint. Such behavior is
fraught with peril: applications containing malicious logic or critical
vulnerabilities are likely to be identified only after substantial damage has
already occurred. Unfortunately, the limitations of application markets make
them a poor agent for certifying that applications are secure. This paper
presents a certification process that allows the consumers of applications to
validate application security directly. Built for the Android mobile phone
platform, we reverse engineer downloaded application images into application
source code and use static analysis to detect vulnerabilities. We develop and
document a multi-stage process for VM retargeting and code recovery. A study of
the top 1100 free Android market applications recovers source code for over 95
percent of the 143 thousand class files containing over 12 million lines of
code. A preliminary analysis of the recovered source code identified over 3100
potential vulnerabilities involving a broad range of program features.