Specifying Callback Control Flow of Mobile Apps Using Finite Automata
Given the event-driven and framework-based architecture of Android apps, finding the ordering of callbacks executed by the framework remains a problem that affects every tool that requires inter-callback reasoning. Previous work has focused on the ordering of callbacks related to the Android components and GUI events. But the execution of callbacks can also come from direct calls of the framework (API calls). This paper defines a novel program representation, called Callback Control Flow Automata (CCFA), that specifies the control flow of callbacks invoked via a variety of sources. We present an analysis to automatically construct CCFAs by combining two callback control flow representations developed in previous research, namely, Window Transition Graphs (WTGs) and Predicate Callback Summaries (PCSs). To demonstrate the usefulness of our representation, we integrated CCFAs into two client analyses: a taint analysis using FLOWDROID, and a value-flow analysis that computes source and sink pairs of a program. Our evaluation shows that we can compute CCFAs efficiently and that CCFAs improved callback coverage over WTGs. As a result of using CCFAs, we obtained 33 more true positive security leaks than FLOWDROID over a total of 55 apps we ran. With a low false positive rate, we found that 22.76% of the source-sink pairs we computed are located in different callbacks and that 31 out of 55 apps contain source-sink pairs that span components. Thus, callback control flow graphs and inter-callback analysis are indeed important. Although this paper mainly uses Android, we believe that CCFAs can be useful for modeling the control flow of callbacks in other event-driven, framework-based systems.
Tue 12 Nov
13:40 - 15:20 | Mobile 2 | Research Papers / Journal First Presentations at Hillcrest | Chair(s): Myra Cohen Iowa State University
13:40 | 20m | Talk | A Qualitative Analysis of Android Taint-Analysis Results | Research Papers | Linghui Luo Paderborn University, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Johannes Späth Fraunhofer IEM
14:00 | 20m | Talk | Goal-Driven Exploration for Android Applications | Research Papers
14:20 | 20m | Talk | RANDR: Record and Replay for Android Applications via Targeted Runtime Instrumentation | Research Papers | Onur Sahin Boston University, Assel Aliyeva Boston University, Hariharan Mathavan Boston University, Ayse Coskun Boston University, Manuel Egele Boston University, USA
14:40 | 20m | Talk | Specifying Callback Control Flow of Mobile Apps Using Finite Automata | Journal First Presentations
15:00 | 20m | Talk | MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis | Research Papers | Yueming Wu Huazhong University of Science and Technology, Xiaodi Li University of Texas at Dallas, Deqing Zou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Xin Zhang Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology