research-article

Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications

Authors:

Federico MaggiAuthors Info & Claims

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

Pages 201 - 210

https://doi.org/10.1145/2818000.2818042

Published: 07 December 2015 Publication History

Get Access

Abstract

Android introduced the dynamic code loading (DCL) mechanism to allow for code reuse, to achieve extensibility, to enable updating functionalities, or to boost application start-up performance. In spite of its wide adoption by developers, previous research has shown that the secure implementation of DCL-based functionality is challenging, often leading to remote code injection vulnerabilities. Unfortunately, previous attempts to address this problem by both the academic and Android developers communities are affected by either practicality or completeness issues, and, in some cases, are affected by severe vulnerabilities.

In this paper, we propose, design, implement, and test Grab 'n Run, a novel code verification protocol and a series of supporting libraries, APIs, and tools, that address the problem by abstracting away from the developer many of the challenging implementation details. Grab 'n Run is designed to be practical: Among its tools, it provides a drop-in library, which requires no modifications to the Android framework or the underlying Dalvik/ART runtime, is very similar to the native API, and most code can be automatically rewritten to use it. Grab 'n Run also contains an application-rewriting tool, which allows to easily port legacy or third-party applications to use the secure APIs developed in this work.

We evaluate the Grab 'n Run library with a user study, obtaining very encouraging results in vulnerability reduction, ease of use, and speed of development. We also show that the performance overhead introduced by our library is negligible. For the benefit of the security of the Android ecosystem, we released Grab 'n Run as open source.

References

[1]

Androguard, project home page. URL https://code.google.com/p/androguard/.

Google Scholar

[2]

Apktool, project home page. URL https://code.google.com/p/android-apktool/.

Google Scholar

[3]

AppBrain. Number of available Android applications. http://www.appbrain.com/stats/number-of-android-apps.

Google Scholar

[4]

M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2013.

Digital Library

Google Scholar

[5]

S. Fahl, M. Harbach, H. Perl, M. Koetter, and M. Smith. Rethinking SSL development in an appified world. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2013.

Digital Library

Google Scholar

[6]

Google. Android Permissions. http://developer.android.com/reference/android/Manifest.permission.html#WRITE_EXTERNAL_STORAGE.

Google Scholar

[7]

D. Maier, T. Muller, and M. Protsenko. Divide-and-Conquer: Why Android Malware Cannot Be Stopped. In Proceedings of the International Conference on Availability, Reliability and Security (ARES), 2014.

Digital Library

Google Scholar

[8]

D. Maier, M. Protsenko, and T. Muller. A Game of Droid and Mouse: The Threat of Split-Personality Malware on Android. Computers & Security, 2015.

Digital Library

Google Scholar

[9]

S. Poeplau, Y. Fratantonio, A. Bianchi, C. Kruegel, and G. Vigna. Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.

Crossref

Google Scholar

[10]

singwhatiwanna Github User. Dynamic Load Framework for Android. https://github.com/singwhatiwanna/dynamic-load-apk/blob/master/README-en.md, 2015.

Google Scholar

[11]

Strategy Analytics. Android Captures Record 85 Percent Share of Global Smartphone Shipments in Q2 2014. http://prnewswire.com/news-releases/strategy-analytics-android-captures-record-85-percent-share-of-global-smartphone-shipments-in-q2-2014-269301171.html, August 2014.

Google Scholar

[12]

T. Vidas and N. Christin. Sweetening android lemon markets: Measuring and combating malware in application marketplaces. In Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY), 2013.

Digital Library

Google Scholar

[13]

X. Zhou, Y. Lee, N. Zhang, M. Naveed, and X. Wang. The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2013.

Digital Library

Google Scholar

[14]

Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2012.

Digital Library

Google Scholar

Cited By

View all

Draschbacher F(2023)A2P2 - An Android Application Patching Pipeline Based On Generic ChangesetsProceedings of the 18th International Conference on Availability, Reliability and Security10.1145/3600160.3600172(1-11)Online publication date: 29-Aug-2023
https://dl.acm.org/doi/10.1145/3600160.3600172
Zhang XZhang MZhang YZhong MZhang XCao YYang M(2023)Slowing Down the Aging of Learning-Based Malware Detectors With API KnowledgeIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314469720:2(902-916)Online publication date: 1-Mar-2023
https://doi.org/10.1109/TDSC.2022.3144697
Yang HWang YZhang LCheng XHu Z(2023)A Novel Android Malware Detection Method with API Semantics ExtractionComputers & Security10.1016/j.cose.2023.103651(103651)Online publication date: Dec-2023
https://doi.org/10.1016/j.cose.2023.103651
Show More Cited By

Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications
1. Security and privacy
  1. Systems security

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
Cross-Compiling Android Applications to iOS and Windows Phone 7

Android is currently leading the smartphone segment in terms of market share since its introduction in 2007. Android applications are written in Java using an API designed for mobile apps. Other smartphone platforms, such as Apple's iOS or Microsoft's ...
Benchmark Dalvik and Native Code for Android System
IBICA '11: Proceedings of the 2011 Second International Conference on Innovations in Bio-inspired Computing and Applications

Google's Android Native Development Kit (NDK) is a toolset that lets you embed components to use of native code in your Android applications. It makes possible for developers to easily compile in C/C++ for the Android development platform. Generally, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference

December 2015

489 pages

ISBN:9781450336826

DOI:10.1145/2818000

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 December 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ACSAC 2015

ACSAC 2015: 2015 Annual Computer Security Applications Conference

December 7 - 11, 2015

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

14
Total Citations
View Citations
341
Total Downloads

Downloads (Last 12 months)18
Downloads (Last 6 weeks)2

Reflects downloads up to 02 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Draschbacher F(2023)A2P2 - An Android Application Patching Pipeline Based On Generic ChangesetsProceedings of the 18th International Conference on Availability, Reliability and Security10.1145/3600160.3600172(1-11)Online publication date: 29-Aug-2023
https://dl.acm.org/doi/10.1145/3600160.3600172
Zhang XZhang MZhang YZhong MZhang XCao YYang M(2023)Slowing Down the Aging of Learning-Based Malware Detectors With API KnowledgeIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314469720:2(902-916)Online publication date: 1-Mar-2023
https://doi.org/10.1109/TDSC.2022.3144697
Yang HWang YZhang LCheng XHu Z(2023)A Novel Android Malware Detection Method with API Semantics ExtractionComputers & Security10.1016/j.cose.2023.103651(103651)Online publication date: Dec-2023
https://doi.org/10.1016/j.cose.2023.103651
Liu YMa YXiao XXie TLiu X(2023)LegoDroid: flexible Android app decomposition and instant installationScience China Information Sciences10.1007/s11432-021-3528-766:4Online publication date: 27-Mar-2023
https://doi.org/10.1007/s11432-021-3528-7
Wu YHuang JLiang BShi W(2020)Do not jail my appJournal of Computer Security10.3233/JCS-19132528:2(269-293)Online publication date: 17-Mar-2020
https://dl.acm.org/doi/10.3233/JCS-191325
Zhang XZhang YZhong MDing DCao YZhang YZhang MYang MLigatti JOu XKatz JVigna G(2020)Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android MalwareProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security10.1145/3372297.3417291(757-770)Online publication date: 30-Oct-2020
https://dl.acm.org/doi/10.1145/3372297.3417291
Yang YLuo WPei YPan MZhang T(2019)Execution Enhanced Static Detection of Android Privacy Leakage Hidden by Dynamic Class Loading2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)10.1109/COMPSAC.2019.00029(149-158)Online publication date: Jul-2019
https://doi.org/10.1109/COMPSAC.2019.00029
Aysan ASakiz FSen S(2019)Analysis of dynamic code updating in Android with security perspectiveIET Information Security10.1049/iet-ifs.2018.531613:3(269-277)Online publication date: May-2019
https://doi.org/10.1049/iet-ifs.2018.5316
Choi HKim Y(2018)Large-Scale Analysis of Remote Code Injection Attacks in Android AppsSecurity and Communication Networks10.1155/2018/24892142018Online publication date: 17-Apr-2018
https://dl.acm.org/doi/10.1155/2018/2489214
Chu PLu WLin JWu Y(2018)Enforcing Enterprise Mobile Application Security Policy with Plugin Framework2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC.2018.00048(263-268)Online publication date: Dec-2018
https://doi.org/10.1109/PRDC.2018.00048
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective

Cross-Compiling Android Applications to iOS and Windows Phone 7

Benchmark Dalvik and Native Code for Android System