Securing Mobile Applications

W idespread mobile device use has stimulated a rich market for applications. Many apps, however, reveal sensitive user information such as location, movements, and habits1 and/or spread malware.2 Network anonymization techniques alone don’t ensure privacy because the OS together with the invoked mobile apps might still release information that reidentifies users or devices. Even when users are careful not to provide identifying data to smartphone apps over anonymous connections, the apps can leak such information without user knowledge. Thus, we must devise accurate methods of checking apps for the presence of malware and spyware. Although third-party application markets exist, most users download apps from well-known markets such as Google Play, Amazon Appstore, iTunes App Store, and Windows Store. The availability and widespread use of these markets might allow centralized deployment of techniques that identify potentially malicious apps. Uncovering potentially malicious apps isn’t a trivial task. Proposed approaches typically differ in the features they use to identify such apps, their use of machine-learning techniques, and their accuracy. In their 2015 IEEE Transactions on Dependable and Secure Computing article, Lei Cen and his colleagues proposed a highly accurate model for detecting malware in Android apps.3 The authors observed that application markets distribute apps in a form that allows easy decompilation and thus analysis. Moreover, they noted that mobile platforms provide semantically rich APIs. Drawing on these two observations, the authors devised a discriminative probabilistic learning model, based on regularized logistic regression, that detects malware by using apps’ decompiled code and information about required permissions.