
In this section, we discuss some threats to the validity of our study.

First, like typical Android static analyses, our approach does not handle Java reflection, dynamic code loading, native code, or heavy code obfuscation. Some apps, however, may use these mechanisms to reach certain Android APIs. If such an API call has an inconsistency issue, it would be a false negative. Since these code protection mechanisms are mostly used in malware, our statistical results on popular apps are less affected, and we leave handling these mechanisms to our future work.

Second, although our bytecode search in Section 5.3.3 has minimized the false positives caused by VERSION.SDK_INT checks and by uninvoked third-party libraries, it is theoretically less accurate than dataflow-based approaches. Therefore, in our deployment model, developers are required to manually check and correct the inconsistencies reported by our approach. Fortunately, as evidenced in Section 5.4.3, around 80% of apps are reported with fewer than 10 inconsistent API calls each, which is manageable for developers as a one-time manual check.

Third, the consistency detection in this chapter focuses on changed APIs, but there are also added and removed Java/Android fields during the SDK evolution. To build the mapping between fields and SDK versions, we found that we can leverage the same document analysis method as in Section 5.3.2, because the api-versions.xml file also records added, removed, and deprecated fields in all Android classes. By feeding this mapping into our app analysis, we can extend our consistency detection to evolved Android fields as well in our future work.
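The field-to-SDK-version mapping just described, together with the minimum-DSDK check it feeds, can be sketched as follows. This is an added example written for this page, not BackDroid's own code: it parses a small api-versions.xml fragment that is constructed here to follow the layout of the Android SDK's file (class, method and field elements carrying since, deprecated and removed attributes, which is an assumption about that file's schema), builds a member-to-version map, and reports framework calls or field accesses that a declared minSdkVersion cannot support unless an enclosing VERSION.SDK_INT check guards them. The class android/example/LegacyCompat is made up to stand in for a removed API; the targeted-DSDK (behaviour-change) dimension is not encoded in api-versions.xml and is therefore not modelled.

```python
"""Build a member -> SDK-version map from an api-versions.xml fragment and
check an app's declared minSdkVersion against the framework members it uses.
Added example; SAMPLE_API_VERSIONS_XML is constructed, not a real excerpt."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed to mirror the layout of the SDK's api-versions.xml (assumed schema).
SAMPLE_API_VERSIONS_XML = """
<api version="2">
  <class name="android/content/Context" since="1">
    <method name="getSystemService(Ljava/lang/String;)Ljava/lang/Object;" since="1"/>
    <method name="getDrawable(I)Landroid/graphics/drawable/Drawable;" since="21"/>
    <method name="getColor(I)I" since="23"/>
  </class>
  <class name="android/app/Notification$Builder" since="11">
    <method name="setPriority(I)Landroid/app/Notification$Builder;" since="16" deprecated="26"/>
  </class>
  <class name="android/os/Build" since="1">
    <field name="SERIAL" since="9" deprecated="26"/>
  </class>
  <class name="android/os/Build$VERSION" since="1">
    <field name="SDK_INT" since="4"/>
    <field name="SECURITY_PATCH" since="23"/>
  </class>
  <class name="android/example/LegacyCompat" since="1" removed="21">
    <field name="LEGACY_FLAG" since="1"/>
  </class>
</api>
"""


@dataclass(frozen=True)
class SdkRange:
    since: int                  # API level in which the member was added
    deprecated: Optional[int]   # API level in which it was deprecated, if any
    removed: Optional[int]      # API level in which it was removed, if any


def _level(elem: ET.Element, attr: str) -> Optional[int]:
    value = elem.get(attr)
    return int(value) if value is not None else None


def build_sdk_map(xml_text: str) -> Dict[str, SdkRange]:
    """Key 'class.member' (names exactly as written in the XML) -> SdkRange.
    A member without its own since/removed attribute inherits the class's value."""
    sdk_map: Dict[str, SdkRange] = {}
    for cls in ET.fromstring(xml_text).iter("class"):
        cls_since = _level(cls, "since") or 1
        cls_removed = _level(cls, "removed")
        for member in cls:
            if member.tag not in ("method", "field"):
                continue  # skip <extends>/<implements> children
            since = _level(member, "since")
            removed = _level(member, "removed")
            sdk_map[f"{cls.get('name')}.{member.get('name')}"] = SdkRange(
                since if since is not None else cls_since,
                _level(member, "deprecated"),
                removed if removed is not None else cls_removed,
            )
    return sdk_map


@dataclass(frozen=True)
class ApiUse:
    """One framework call or field access found in the app's bytecode."""
    member: str
    guard_min: Optional[int] = None  # enclosing `if (Build.VERSION.SDK_INT >= X)` -> X
    guard_max: Optional[int] = None  # enclosing `if (Build.VERSION.SDK_INT < Y)`  -> Y


@dataclass(frozen=True)
class Inconsistency:
    member: str
    kind: str      # 'under-set-min' or 'removed-api'
    detail: str


def check_declared_sdk(min_sdk: int, uses: List[ApiUse],
                       sdk_map: Dict[str, SdkRange]) -> List[Inconsistency]:
    issues: List[Inconsistency] = []
    for use in uses:
        rng = sdk_map.get(use.member)
        if rng is None:
            continue  # not a framework member (app or library code)
        # Lowest API level on which this access can actually execute.
        floor = min_sdk if use.guard_min is None else max(min_sdk, use.guard_min)
        if rng.since > floor:
            issues.append(Inconsistency(use.member, "under-set-min",
                f"added in API {rng.since} but reachable on API {floor}-{rng.since - 1}: "
                f"NoSuchMethodError/NoSuchFieldError unless guarded by SDK_INT >= {rng.since}"))
        # Removed members crash on API >= removed unless an upper-bound guard excludes them.
        if rng.removed is not None and (use.guard_max is None or use.guard_max > rng.removed):
            issues.append(Inconsistency(use.member, "removed-api",
                f"removed in API {rng.removed}: crashes on API {rng.removed}+ "
                f"unless guarded by SDK_INT < {rng.removed}"))
    return issues


DECLARED_MIN_SDK = 16  # constructed sample manifest value
SAMPLE_USES = [        # constructed sample of bytecode references
    ApiUse("android/content/Context.getColor(I)I"),                                   # API 23, unguarded
    ApiUse("android/content/Context.getDrawable(I)Landroid/graphics/drawable/Drawable;", guard_min=21),
    ApiUse("android/app/Notification$Builder.setPriority(I)Landroid/app/Notification$Builder;"),  # API 16
    ApiUse("android/os/Build$VERSION.SECURITY_PATCH"),                                # field, API 23
    ApiUse("android/example/LegacyCompat.LEGACY_FLAG"),                               # removed in 21
    ApiUse("android/example/LegacyCompat.LEGACY_FLAG", guard_max=21),                 # removed, but guarded
    ApiUse("com/example/app/Helper.run()V"),                                          # app code, ignored
]


def analyse_sample() -> List[Inconsistency]:
    return check_declared_sdk(DECLARED_MIN_SDK, SAMPLE_USES,
                              build_sdk_map(SAMPLE_API_VERSIONS_XML))


if __name__ == "__main__":
    for issue in analyse_sample():
        print(f"[{issue.kind}] {issue.member}: {issue.detail}")
```

Run on the constructed input, the three unguarded accesses (getColor, Build.VERSION.SECURITY_PATCH, and the made-up removed field) are reported, while the getDrawable call guarded by an SDK_INT >= 21 check and the removed field guarded by SDK_INT < 21 are not. A real deployment would derive guard_min and guard_max from the control-flow analysis of the searched sink APIs rather than hand-annotating them.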

5.6 Summary

In this chapter, we conducted a systematic study of declared SDK versions in Android apps, a modern software mechanism that has received little attention. We measured the current practice of declared SDK versions (DSDK versions) in a large set of 22,687 modern apps, and the inconsistency between DSDK versions and their host apps' API calls. To facilitate an analysis that can be readily deployed by app markets for online vetting, we proposed a robust and scalable approach that operates on the Android bytecode level and employs the lightweight bytecode search in BackDroid for app analysis. We obtained several interesting new findings, including (i) 4.76% of apps do not claim the targeted DSDK versions, although this percentage has dropped significantly over the recent three years; (ii) around 50% of apps under-set the minimum DSDK versions and could incur runtime crashes, but fortunately only 11.3% of apps could crash on Android 6.0 and above; and (iii) around 2% of apps, by under-claiming the targeted DSDK versions, are potentially exploitable by remote code execution, and half of them invoke the vulnerable API via embedded third-party libraries.

Chapter 6

Conclusion and Future Work

6.1 Concluding Remarks

In this dissertation, we made a first attempt to explore a novel on-demand Android static analysis that does not generate a whole-app call graph but creatively leverages bytecode search to guide inter-procedural analysis on the fly or just in time. We developed such on-the-fly static analysis into a novel tool, called BackDroid, for efficient and effective targeted security vetting of Android apps. Notably, BackDroid employed a novel backward search technique to search over Java polymorphism, threads, implicit callback flows, and Android inter-component communication. We further explored how the core technique of on-the-fly static analysis in BackDroid can enable different vulnerability studies and their corresponding new findings. To this end, we performed three representative vulnerability studies as follows:

• First, we applied BackDroid to detect crypto and SSL/TLS misconfigurations in modern Android apps. We also used this study as an evaluation of BackDroid and compared it with the state-of-the-art Amandroid tool. The results showed that BackDroid achieved a much better performance than Amandroid, around ten times faster on average, and at the same time maintained similar detection effectiveness as Amandroid for the apps detected by Amandroid. Moreover, BackDroid discovered 18 additional vulnerable apps (out of the 144 apps with the targeted sink APIs) that were missed by Amandroid.

• Second, we explored how BackDroid can facilitate a systematic security study of open ports in Android apps. To this end, we first discovered open-port apps using crowdsourcing, and then enhanced BackDroid to identify insecure open ports and open-port SDKs in the discovered open-port apps. Specifically, the crowdsourcing allowed us to observe the actual execution of open ports in 925 popular apps and 725 built-in system apps, and the enhanced BackDroid diagnosed that 61.8% of the open-port apps are solely due to embedded SDKs and 20.7% suffer from insecure API usages. We further performed three security assessments to reveal five vulnerability patterns in open ports of popular apps, to measure the feasibility of remote open-port attacks, and to demonstrate the effectiveness of denial-of-service attacks against mobile open ports.

• Third, we customized a lightweight version of BackDroid that operated on the original bytecode level and leveraged lightweight bytecode search to measure the inconsistency between declared SDK versions and their API calls in modern Android apps. By focusing on the control-flow information of searched sink APIs, our lightweight BackDroid preserved a scalability suitable for online vetting. We then employed this custom BackDroid to analyze the SDK-API inconsistency for 22,687 modern popular apps, and found that (i) ∼50% of apps under-set the minimum DSDK versions and could incur runtime crashes, but fortunately only 11.3% of apps could crash on Android 6.0 and above; and (ii) ∼2% of apps, due to under-claiming the targeted DSDK versions, are potentially exploitable by remote code execution.

To conclude, this dissertation made this core contribution: on-the-fly Android static analysis guided by bytecode search can efficiently and effectively analyze the security of modern apps. It enables us to perform vulnerability studies with different kinds of sink analysis requirements, and to obtain new findings on crypto and SSL/TLS misconfigurations, insecure open ports, and SDK-API inconsistency.