Mobile App Security Analysis with the MAVeriC Static Analysis Module

2 Security & Trust Unity, Fondazione Bruno Kessler, Via Sommarive 18, 38123, Trento, Italy
armando@fbk.eu
3 Poste Italiane, Roma, Italy
{boccigi2, chiare96, mammoliti.rocco}@posteitaliane.it

Abstract

The success of
the mobile application model is mostly due to the ease with which new
applications are uploaded by developers, distributed through the application
markets (e.g. Google Play), and installed by users. Yet, the very same model
is a cause of serious security concerns, since users have little or no means to
ascertain the trustworthiness of the applications they install on their
devices. Such concerns grow when dealing with professional scenarios like
the use of mobile devices within organisations. To protect their customers,
Poste Italiane has defined the Mobile Application Verification Cluster (MAVeriC),
a process for the systematic security analysis of third-party mobile apps
leveraging their online services (e.g. home banking, parcel tracking).
MAVeriC is an ongoing project that will be completed in the next few years.
At the core of the MAVeriC project lies the Static Analysis Module (SAM), a
toolkit that supports automatic static analysis of mobile applications by
automating a number of operations including reverse engineering, privilege
analysis and automatic verification of security properties. In this paper we
present the SAM, which has been fully developed and tested. We introduce the
functionalities of SAM through a demonstration of the platform applied to
real Android applications.

Keywords: Android Security, Static Analysis, Malware Analysis, Model Checking

+: Corresponding author: Alessio Merlo, Computer Security Lab, DIBRIS, University of Genova, Viale F. Causa, 13, 16145, Italy.

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 5, No. 4, pp. 103-119, December 2014