Popis: |
Mobile applications (apps) have exploded in popularity: billions of smartphone users run millions of apps, and these apps communicate with a cloud backend (e.g., Google Maps), with IoT peripherals (e.g., a smartwatch), or with both to provide customized services to mobile users. Unfortunately, this app-centric ecosystem has suffered numerous attacks, and it is imperative to inspect the resulting security and privacy issues.

In this dissertation, I argue that we can uncover security and privacy vulnerabilities in the app-centric ecosystem by applying principled program analysis to mobile apps. Specifically, I focus on the Android ecosystem and apply data flow analysis to Android apps to uncover vulnerabilities in the three primary participants of this ecosystem: (i) the mobile apps themselves, by tracking data flows among the local app components within the same smartphone; (ii) their cloud backends, by analyzing the remote flows between apps and backends; and (iii) their companion peripherals, by inspecting the remote flows between apps and Bluetooth-enabled Internet of Things (IoT) devices, including the case where the smartphone itself is configured as the peripheral. Accordingly, this dissertation presents three works in total.

First, we present InputScope, a framework that uncovers hidden behaviors from the flows among the local components of an app. It focuses on user input validation to uncover hidden behaviors such as backdoors (i.e., master passwords, access keys, and privileged commands) and unwanted content filtering (e.g., blacklisted keywords). In particular, we introduce the novel concept of a comparison context, to which we apply a set of security policies to automatically identify these different behaviors.

Second, in addition to analyzing the flows among local components, we study security and privacy vulnerabilities arising from data flows to remote parties. In particular, we investigate the unexpected dangers beneath the UI that result from remote interactions between apps and their backends, with an empirical study of popular ride-hailing apps (e.g., Uber) demonstrating that the nearby-cars feature of the rider's app can be used to uncover private and sensitive information about drivers, including their most-visited address (e.g., home) as well as their daily driving behavior.

Finally, we scrutinize the security and privacy of remote communication between apps and their companion IoT devices when these apps configure smartphones as Bluetooth peripherals. We identify two main vulnerabilities: (i) cleartext transmission of sensitive information and (ii) improper access control, both of which lead to leakage of sensitive data including, but not limited to, personal health data, users' digital identifiers, and even digital keys that unlock doors. |
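The abstract's first work rests on one observation: a hidden behavior shows up as a comparison between a value derived from user input and a hardcoded constant, and what the matching branch then does tells you whether it is a backdoor, a content filter, or ordinary validation. The following block is an added illustration of that idea, not InputScope's own code or algorithm. It runs a forward taint pass over a constructed, simplified three-address IR of one Android method, records every tainted-versus-constant comparison as a "comparison context", and classifies it by the sinks reachable in the guarded branch. The source and sink API names, the IR shape and the policy table are assumptions made for this example.

```python
"""Toy 'comparison context' extraction, in the spirit of the InputScope idea.

Added illustration, not InputScope's own code. It runs over a constructed,
simplified three-address IR of one Android method and reports every place
where a value derived from user input is compared against a string constant,
together with what the matching branch then does. The source/sink API names
and the policy table are assumptions made for this example.
"""
from dataclasses import dataclass, field

INPUT_SOURCES = {"EditText.getText", "Intent.getStringExtra"}        # assumed sources
COMPARISON_OPS = {"String.equals", "String.equalsIgnoreCase",
                  "String.contains", "String.startsWith"}
# Assumed policies: the sink reached when the comparison succeeds decides the verdict.
PRIVILEGED_SINKS = {"Runtime.exec", "Session.grantAdmin", "Door.unlock"}
FILTER_SINKS = {"Message.drop", "View.hide"}


@dataclass
class ComparisonContext:
    source: str              # input API the compared value was derived from
    op: str                  # comparison operator
    constant: str            # the hardcoded operand
    branch_sinks: list = field(default_factory=list)   # calls made when it matches
    behaviour: str = "unknown"


def classify(ctx):
    """Apply the (assumed) security policies to one comparison context."""
    if any(f in PRIVILEGED_SINKS for f in ctx.branch_sinks):
        return "backdoor"            # secret input unlocks a privileged path
    if any(f in FILTER_SINKS for f in ctx.branch_sinks):
        return "content-filter"      # keyword in input suppresses the message
    return "benign-validation"


def sinks_in_block(stmts, start):
    """Collect the callees of the basic block that begins at index `start`."""
    sinks = []
    for s in stmts[start + 1:]:
        if s[0] in ("label", "return"):
            break
        if s[0] == "call":
            sinks.append(s[2])
    return sinks


def analyse(stmts):
    """Forward taint pass; classify each tainted-vs-constant comparison.

    Instruction forms (constructed for this example):
      ("source", var, api)          var = user input obtained from `api`
      ("const",  var, literal)      var = string literal
      ("call",   dst, fn, [args])   dst = fn(args); dst is None for void calls
      ("branch", cond, label)       if cond goto label (fall through otherwise)
      ("label",  name) / ("return",)
    """
    taint, consts, cmp_results, findings = {}, {}, {}, []
    labels = {s[1]: i for i, s in enumerate(stmts) if s[0] == "label"}
    for s in stmts:
        kind = s[0]
        if kind == "source" and s[2] in INPUT_SOURCES:
            taint[s[1]] = s[2]
        elif kind == "const":
            consts[s[1]] = s[2]
        elif kind == "call":
            _, dst, fn, args = s
            origins = [taint[a] for a in args if a in taint]
            if dst is not None and origins:
                taint[dst] = origins[0]              # propagate taint through calls
            literal = next((consts[a] for a in args if a in consts), None)
            if fn in COMPARISON_OPS and origins and literal is not None:
                cmp_results[dst] = ComparisonContext(origins[0], fn, literal)
        elif kind == "branch":
            _, cond, target = s
            if cond in cmp_results:                  # branch guarded by our comparison
                ctx = cmp_results[cond]
                ctx.branch_sinks = sinks_in_block(stmts, labels[target])
                ctx.behaviour = classify(ctx)
                findings.append(ctx)
    return findings


# Constructed IR of a login/chat handler with a master password, a keyword
# filter, and one ordinary empty-input check (the secret string is made up).
SAMPLE_METHOD = [
    ("source", "pw", "EditText.getText"),
    ("const", "master", "sup3r-s3cret"),
    ("call", "isMaster", "String.equals", ["pw", "master"]),
    ("branch", "isMaster", "L_admin"),
    ("source", "msg", "EditText.getText"),
    ("const", "bad", "forbidden-word"),
    ("call", "hit", "String.contains", ["msg", "bad"]),
    ("branch", "hit", "L_drop"),
    ("const", "empty", ""),
    ("call", "isEmpty", "String.equals", ["msg", "empty"]),
    ("branch", "isEmpty", "L_warn"),
    ("return",),
    ("label", "L_admin"),
    ("call", None, "Session.grantAdmin", ["pw"]),
    ("return",),
    ("label", "L_drop"),
    ("call", None, "Message.drop", ["msg"]),
    ("return",),
    ("label", "L_warn"),
    ("call", None, "Toast.show", ["empty"]),
    ("return",),
]

if __name__ == "__main__":
    for ctx in analyse(SAMPLE_METHOD):
        print(f"{ctx.behaviour:18} {ctx.source} {ctx.op} {ctx.constant!r} -> {ctx.branch_sinks}")
```

On the sample method the pass reports the master-password comparison as a backdoor (it guards `Session.grantAdmin`), the keyword check as a content filter (it guards `Message.drop`), and the empty-string check as benign validation. A real analysis has to do this interprocedurally over Dalvik bytecode and handle comparisons against values loaded from resources or decrypted at runtime, which this toy IR does not model.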
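The third work's two findings, cleartext transmission and improper access control, both come down to which GATT permission bits a phone-as-peripheral puts on a characteristic and what link security the connected central has negotiated. The block below is an added model of that attribute-permission check, not code from the dissertation: it evaluates read/write requests against a characteristic's permission bits and the link's security level, reports whether the payload crosses the air in cleartext, and audits a constructed GATT database in its weak and hardened forms. The permission bit values are those of Android's `BluetoothGattCharacteristic` and the error codes are the ATT error codes from the Bluetooth Core Specification; the link-level enumeration, the characteristic names and the "sensitive" flags are assumptions made for this example.

```python
"""Model of the GATT attribute-permission check a phone acting as a BLE
peripheral performs on an incoming read/write request.

Added illustration, not code from the dissertation. Permission bit values
are those of Android's BluetoothGattCharacteristic; ATT error codes are from
the Bluetooth Core Specification. The link-level enumeration and the sample
GATT databases are constructed for this example.
"""
# Android BluetoothGattCharacteristic permission bits
PERMISSION_READ = 0x01
PERMISSION_READ_ENCRYPTED = 0x02
PERMISSION_READ_ENCRYPTED_MITM = 0x04
PERMISSION_WRITE = 0x10
PERMISSION_WRITE_ENCRYPTED = 0x20
PERMISSION_WRITE_ENCRYPTED_MITM = 0x40

# ATT error response codes
ATT_READ_NOT_PERMITTED = 0x02
ATT_WRITE_NOT_PERMITTED = 0x03
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_ENCRYPTION = 0x0F

# Link security as seen by the peripheral (constructed enumeration, ordered by strength)
LINK_PLAINTEXT = 0       # connected, not paired: anyone in radio range
LINK_ENCRYPTED = 1       # "Just Works" pairing: encrypted, no MITM protection
LINK_AUTHENTICATED = 2   # passkey / numeric comparison: encrypted and MITM-protected


def required_level(perms, read=True):
    """Minimum link level the permission bits demand, or None if the
    operation is not permitted at all. The most restrictive set bit wins."""
    if read:
        open_bit, enc_bit, mitm_bit = (PERMISSION_READ, PERMISSION_READ_ENCRYPTED,
                                       PERMISSION_READ_ENCRYPTED_MITM)
    else:
        open_bit, enc_bit, mitm_bit = (PERMISSION_WRITE, PERMISSION_WRITE_ENCRYPTED,
                                       PERMISSION_WRITE_ENCRYPTED_MITM)
    if perms & mitm_bit:
        return LINK_AUTHENTICATED
    if perms & enc_bit:
        return LINK_ENCRYPTED
    if perms & open_bit:
        return LINK_PLAINTEXT        # any connected central may perform it
    return None


def request(perms, link, read=True):
    """Evaluate one request. Returns ('ok', 'cleartext'|'encrypted') or ('error', att_code)."""
    need = required_level(perms, read)
    if need is None:
        return ("error", ATT_READ_NOT_PERMITTED if read else ATT_WRITE_NOT_PERMITTED)
    if link < need:
        # Spec wording: missing encryption -> 0x0F, missing MITM authentication -> 0x05.
        # (Real stacks differ in which code they return on a not-yet-encrypted link.)
        if link == LINK_PLAINTEXT:
            return ("error", ATT_INSUFFICIENT_ENCRYPTION)
        return ("error", ATT_INSUFFICIENT_AUTHENTICATION)
    # The payload is protected only if the link itself is encrypted.
    return ("ok", "cleartext" if link == LINK_PLAINTEXT else "encrypted")


def audit(characteristics):
    """Flag sensitive characteristics whose bits allow access over an unencrypted link."""
    findings = []
    for name, perms, sensitive in characteristics:
        if not sensitive:
            continue
        if required_level(perms, read=True) == LINK_PLAINTEXT:
            findings.append((name, "cleartext read / no access control"))
        if required_level(perms, read=False) == LINK_PLAINTEXT:
            findings.append((name, "unauthenticated write"))
    return findings


# Constructed GATT databases of a companion app: (name, permission bits, carries sensitive data)
WEAK_DB = [
    ("heart_rate_log", PERMISSION_READ, True),                  # readable by any nearby central
    ("door_key", PERMISSION_READ | PERMISSION_WRITE, True),     # readable and overwritable by anyone
    ("device_name", PERMISSION_READ, False),
]
HARDENED_DB = [
    ("heart_rate_log", PERMISSION_READ_ENCRYPTED_MITM, True),
    ("door_key", PERMISSION_READ_ENCRYPTED_MITM | PERMISSION_WRITE_ENCRYPTED_MITM, True),
    ("device_name", PERMISSION_READ, False),
]

if __name__ == "__main__":
    print("weak:", audit(WEAK_DB))
    print("hardened:", audit(HARDENED_DB))
    print("unpaired read of hardened door_key:",
          request(PERMISSION_READ_ENCRYPTED_MITM, LINK_PLAINTEXT))
```

The weak database reproduces both vulnerability classes at once: `heart_rate_log` is served in cleartext to any central that connects, and `door_key` can be read and rewritten without pairing. The hardened form answers an unpaired read with an ATT error instead of data, and only a MITM-protected link ever sees the key. Note that `PERMISSION_READ_ENCRYPTED` alone still accepts a "Just Works" pairing, which an attacker in radio range can complete, so characteristics such as a door key need the `_MITM` variants and a device that can actually show or enter a passkey.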