Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers

Research Article

Using Provenance Patterns to Vet Sensitive Behaviors in Android Apps

@INPROCEEDINGS{10.1007/978-3-319-28865-9_4,
  author={Chao Yang and Guangliang Yang and Ashish Gehani and Vinod Yegneswaran and Dawood Tariq and Guofei Gu},
  title={Using Provenance Patterns to Vet Sensitive Behaviors in Android Apps},
  proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
  proceedings_a={SECURECOMM},
  year={2016},
  month={2},
  keywords={},
  doi={10.1007/978-3-319-28865-9_4}
}
Chao Yang1, Guangliang Yang1, Ashish Gehani2, Vinod Yegneswaran2,*, Dawood Tariq2, Guofei Gu1
  • 1: Texas A&M University
  • 2: SRI International
*Contact email: vinod@csl.sri.com

Abstract

We propose Dagger, a lightweight system to dynamically vet sensitive behaviors in Android apps. Dagger avoids costly instrumentation of virtual machines or modifications to the Android kernel. Instead, Dagger reconstructs the program semantics by tracking provenance relationships and observing apps’ runtime interactions with the phone platform. More specifically, Dagger uses three types of low-level execution information at runtime: system calls, Android Binder transactions, and app process details. System call collection is performed via Strace [7], a low-latency utility for Linux and other Unix-like systems. Binder transactions are recorded by accessing Binder module logs via [8]. App process details are extracted from the Android file system [6]. A data provenance graph is then built to record the interactions between the app and the phone system based on these three types of information. Dagger identifies behaviors by matching the provenance graph with the behavior graph patterns that are previously extracted from the internal working logic of the Android framework. We evaluate Dagger on both a set of over 1200 known malicious Android apps, and a second set of 1000 apps randomly selected from a corpus of over 18,000 Google Play apps. Our evaluation shows that Dagger can effectively vet sensitive behaviors in apps, especially for those using complex obfuscation techniques. We measured the overhead based on a representative benchmark app, and found that both the memory and CPU overhead are less than 10%. The runtime overhead is less than 63%, which is significantly lower than that of existing approaches.