Epicc Project Publications
Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden,
Jacques Klein, and Yves Le Traon.
Effective inter-component communication mapping in Android: An
essential step towards holistic security analysis.
In Proceedings of the 22nd USENIX Security Symposium (USENIX
Security 13), pages 543-558, Washington, D.C., 2013. USENIX.
Many threats present in smartphones are the result of
interactions between application components, not just artifacts of single
components. However, current techniques for identifying inter-application
communication are ad hoc and do not scale to large numbers of applications.
In this paper, we reduce the discovery of inter-component communication
(ICC) in smartphones to an instance of the Interprocedural Distributive
Environment (IDE) problem, and develop a sound static analysis technique
targeted to the Android platform. We apply this analysis to 1,200
applications selected from the Play store and characterize the locations and
substance of their ICC. Experiments show that full specifications for ICC
can be identified for over 93% of ICC locations for the applications
studied. Further, the analysis scales well; analysis of each application took
on average 113 seconds to complete. Epicc, the resulting tool, finds ICC
vulnerabilities with far fewer false positives than the next best tool. In
this way, we develop a scalable vehicle to extend current security analysis
to entire collections of applications as well as the interfaces they export.