Security Analysis of Permission-Based Systems using Static Analysis: An Application to the Android Stack

Author

  • Alexandre Bartel
Abstract

In recent years, mobile devices, such as smart phones, have spread at an exponential rate. The most used system running on these devices, accounting for almost 80% of market share for smart phones world-wide, is the Android software stack. This system runs Android applications that users download from an application market. The system is called a permission-based system since it limits access to protected resources by checking that applications have the required permission(s). Users store and manipulate personal information such as contact lists or pictures using applications on their devices and trust that their data is safe. Analyzing applications and the system on top of which they are running would be an objective method to evaluate if the data is well-protected. In this thesis we aim at analyzing Android applications from the security point of view and answering the following challenging questions: How can Android applications be analyzed? Are permissions well-defined for Android applications? Can applications leak protected data? How can dynamic analysis complement static analysis? To answer these questions we structure the thesis around four objectives.

The first objective is to analyze Android applications with static analysis tools. The challenge is that Android applications are packaged with Dalvik bytecode, which differs in many aspects from Java bytecode. We developed Dexpler, a tool to transform Dalvik bytecode into Jimple, a format understood by Soot, one of the most used static analysis frameworks for Java-based programs. With Dexpler we can now analyze Android applications.

The second objective is to check that developers do not give too many permissions to the Android applications they develop. Reducing the number of permissions reduces the attack surface available to a malicious user exploiting an application. We analyze the code of applications to check which permissions they really require. This requires a deep analysis of the Android framework to extract a mapping between API methods (that Android applications call) and required permissions. We present an Andersen-like field-sensitive approach using novel domain-specific optimizations to extract the mapping from the Android framework.

Permissions protect sensitive data. Nevertheless, applications having the right permission(s) to access the data could leak the data. This is for instance the case with malware or applications packaged with aggressive advertisement libraries. The third objective is to statically analyze Android applications to detect such leaks. Android applications are different from traditional Java applications. One of the most important differences is that Android applications are made of components. Analyzing Android applications to find leaks requires linking components that communicate with each other and modeling every component. We developed IccTA to detect privacy leaks. It connects components at the code level to perform inter-component and inter-application data-flow analysis.

Analyzing Android applications statically makes it possible to find security issues such as the GPS coordinates leaking out of the device. However, static analyses do not run directly on users' devices and thus do not take the device's context into account. The last objective of this thesis is to gain insight into how dynamic approaches can complement static analyses. We are the first to present a tool-chain to dynamically instrument Android applications in vivo, i.e. directly on the device. We present two use cases instrumenting applications to show that dynamic approaches are feasible, that they can leverage results from static analyses, and that they are beneficial for the user from the point of view of security or privacy. One of the use cases is a fine-grained permission system prototype enabling the user to disable or enable application permissions at will.

The four contributions have been validated through rigorous experiments that are as complete as possible. Through this thesis we provide solutions to analyze Android applications using static analysis, to check the permission set of applications, to find private data leaks in Android applications and to analyze permission-based frameworks. By analyzing what goes wrong, we can improve the security and privacy of mobile applications.

Similar resources

Risk Meter: A Tool for Accurately Measuring the Security Risk of Applications on Mobile Devices

Nowadays smartphones and tablets are widely used due to their various capabilities and features for end users. In these devices, access to a wide range of services and sensitive information, including private personal data, contact lists, geolocation, sending and receiving messages, accessing social networks, etc., is provided via numerous application programs. These types of accessibilities, ...

Automatic detection of inter-application permission leaks in Android applications

Due to their growing prevalence, smartphones can access an increasing amount of sensitive user information. To better protect this information, modern mobile operating systems provide permission-based security, which restricts applications to only access a clearly defined subset of system APIs and user data. The Android operating system builds upon already successful permission systems, but com...

PScout: Analyzing the Android Permission Specification by Kathy Wain Yee Au

PScout: Analyzing the Android Permission Specification Kathy Wain Yee Au Master of Applied Science Graduate Department of Electrical and Computer Engineering University of Toronto 2012 Modern smartphone operating systems (OSs) have been developed with a greater emphasis on security and protecting privacy. One of the security mechanisms these systems use is permission system. We perform an analy...

An Android Application for Estimating Muscle Onset Latency using Surface EMG Signal

Background: Electromyography (EMG) signal processing and Muscle Onset Latency (MOL) are widely used in rehabilitation sciences and nerve conduction studies. The majority of existing software packages provided for estimating MOL via analyzing EMG signal are computerized, desktop based and not portable; therefore, experiments and signal analyses using them should be completed locally. Moreover, a...

URANOS: User-Guided Rewriting for Plugin-Enabled ANdroid ApplicatiOn Security

URANOS is an Android application which uses syntactical static analysis to determine in which component of an Android application a permission is required. This work describes how the detection and analysis of widely distributed and security critical adware plugins is achieved. We show how users can trigger bytecode rewriting to (de)activate selected or redundant permissions in Android applica...

Publication date: 2014