ded Project Publication

[1] William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, August 2011.
The fluidity of application markets complicates smartphone security. Although recent efforts have shed light on particular security issues, there remains little insight into broader security characteristics of smartphone applications. This paper seeks to better understand smartphone application security by studying 1,100 popular free Android applications. We introduce the ded decompiler, which recovers Android application source code directly from its installation image. We design and execute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. Our analysis uncovered pervasive use/misuse of personal/phone identifiers, and deep penetration of advertising and analytics networks. However, we did not find evidence of malware or exploitable vulnerabilities in the studied applications. We conclude by considering the implications of these preliminary findings and offer directions for future analysis.

[2] Damien Octeau, William Enck, and Patrick McDaniel. The ded Decompiler. Technical Report NAS-TR-0140-2010, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA, USA, September 2010.
Smartphone applications are frequently incompletely vetted, poorly isolated, and installed by users without restraint. Such behavior is fraught with peril: applications containing malicious logic or critical vulnerabilities are likely to be identified only after substantial damage has already occurred. Unfortunately, the limitations of application markets make them a poor agent for certifying that applications are secure. This paper presents a certification process that allows the consumers of applications to validate application security directly. Built for the Android mobile phone platform, we reverse engineer downloaded application images into application source code and use static analysis to detect vulnerabilities. We develop and document a multi-stage process for VM retargeting and code recovery. A study of the top 1100 free Android market applications recovers source code for over 95 percent of the 143 thousand class files containing over 12 million lines of code. A preliminary analysis of the recovered source code identified over 3100 potential vulnerabilities involving a broad range of program features.