PhD Defense of Jun Gao

On January 7, 2021 our SP2 doctoral candidate Jun Gao successfully defended his thesis titled:

Mining App Lineages: A Security Perspective

Members of the defense committee:

Dr Tegawendé BISSYANDE, Université Du Luxembourg, Chairman
Prof. Dr Li LI, Monash University, Vice-Chairman
Prof. Dr Jacques KLEIN, Université Du Luxembourg, Member (Supervisor)
Prof. Dr Riccardo SCANDARIATO, Hamburg University of Technology, Member
Dr Antonino SABETTA, SAP, Member

Abstract:

Today’s Android ecosystem is a growing universe of a few billion devices, hundreds of millions of users, and millions of applications targeting a wide range of activities in which sensitive information is collected and processed. The security of Android apps is thus of utmost importance and needs to be addressed carefully. In the last decade, several studies have investigated Android applications from a security point of view, focusing on the detection of vulnerabilities or on the appropriate usage of cryptography APIs. However, with the Android framework’s rapid iteration, new issues continuously appear while some old issues may remain undetected. As a result, security studies on Android apps have never ceased.

Meanwhile, Android applications, just like other software, are developed by following an iterative process. Indeed, applications are updated regularly to fix bugs or introduce new features. In practice, to release a new version of an application, developers need to provide a brand new installation package, known as an apk file. Therefore, each of these apk files stands for one version of a specific application, and the evolution of an application can be obtained by collecting all of its apks. Nevertheless, collecting these apk files is not straightforward, because Android markets such as Google Play do not preserve the history of apk files. Instead, only the latest version of an app, i.e., the most recent apk, is provided. This fact challenges studies focusing on Android application evolution. However, history and past experiences allow us to learn from past mistakes. That is why evolutionary studies can potentially benefit both developers and users in many ways, such as discovering trends for security-issue prediction or policy evaluation, and unveiling the fundamental causes of vulnerabilities for prevention.

In this dissertation, by leveraging AndroZoo, a popular Android application dataset made available to researchers, the versioned lineages of Android apps are reconstructed. Then several security-relevant aspects of Android applications are investigated from an evolutionary perspective. Our study begins with a wide-ranging investigation in which we take a deep look into the evolution of several vulnerabilities of Android applications. Then we focus on the vulnerabilities related to crypto-APIs. We present our attempt to learn crypto-API usage from the crowd, i.e., by mining crypto-API usage rules from app lineages. Finally, we further narrow down the scale to a new security breach that we spotted. We elaborate on the mechanism of the breach and investigate its evolution patterns.

Link to dissertation:

https://orbilu.uni.lu/handle/10993/45462
