DOI: 10.1145/2810103.2813669
ACM Conferences · CCS Conference Proceedings · Research article

Towards Automatic Generation of Security-Centric Descriptions for Android Apps

Published: 12 October 2015

Abstract

To improve the security awareness of end users, Android markets directly present two classes of literal app information: 1) permission requests and 2) textual descriptions. Unfortunately, neither serves this need well. A permission list is not only hard to understand but also inadequate, and textual descriptions provided by developers are not security-centric and deviate significantly from the requested permissions. To fill this gap, we propose a novel technique to automatically generate security-centric app descriptions based on program analysis. We implement a prototype system, DescribeME, and evaluate it using both DroidBench and real-world Android apps. Experimental results demonstrate that DescribeME is a promising technique that bridges the gap between descriptions and permissions. A further user study shows that the automatically produced descriptions are not only readable but also effectively help users avoid malware and privacy-breaching apps.



Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015, 1750 pages
ISBN: 9781450338325
DOI: 10.1145/2810103

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android
  2. malware prevention
  3. natural language generation
  4. program analysis
  5. subgraph mining
  6. textual description

Qualifiers

  • Research-article

Conference

CCS '15

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)28
  • Downloads (Last 6 weeks)0
Reflects downloads up to 14 Nov 2024

Cited By

  • (2023) POLICYCOMP. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 1073-1090. DOI: 10.5555/3620237.3620298. Online publication date: 9-Aug-2023
  • (2023) Automated Generation of Security-Centric Descriptions for Smart Contract Bytecode. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1244-1256. DOI: 10.1145/3597926.3598132. Online publication date: 12-Jul-2023
  • (2023) PTPDroid: Detecting Violated User Privacy Disclosures to Third-Parties of Android Apps. Proceedings of the 45th International Conference on Software Engineering, pp. 473-485. DOI: 10.1109/ICSE48619.2023.00050. Online publication date: 14-May-2023
  • (2023) An Approach to Reveal Unknown Malware Hiding Techniques. 2023 IEEE/ACIS 8th International Conference on Big Data, Cloud Computing, and Data Science (BCD), pp. 245-249. DOI: 10.1109/BCD57833.2023.10466287. Online publication date: 14-Dec-2023
  • (2022) DescribeCtx. Proceedings of the 44th International Conference on Software Engineering, pp. 685-697. DOI: 10.1145/3510003.3510058. Online publication date: 21-May-2022
  • (2022) FlowCog: Context-aware Semantic Extraction and Analysis of Information Flow Leaks in Android Apps. IEEE Transactions on Mobile Computing, pp. 1-17. DOI: 10.1109/TMC.2022.3197638. Online publication date: 2022
  • (2022) Lib2Desc: automatic generation of security-centric Android app descriptions using third-party libraries. International Journal of Information Security 21:5, pp. 1107-1125. DOI: 10.1007/s10207-022-00601-x. Online publication date: 4-Aug-2022
  • (2021) Software engineering techniques for statically analyzing mobile apps: research trends, characteristics, and potential for industrial adoption. Journal of Internet Services and Applications 12:1. DOI: 10.1186/s13174-021-00134-x. Online publication date: 23-Jul-2021
  • (2021) A Blockchain-empowered Access Control Framework for Smart Devices in Green Internet of Things. ACM Transactions on Internet Technology 21:3, pp. 1-20. DOI: 10.1145/3433542. Online publication date: 16-Jun-2021
  • (2021) Attention: there is an inconsistency between android permissions and application metadata! International Journal of Information Security. DOI: 10.1007/s10207-020-00536-1. Online publication date: 7-Jan-2021
