Operating Systems Security (2014 Year in Review), Part 2

	Operating Systems Security  (2014 Year in Review) Part 2

In a previous Newsletter, the editors offered a series of citations from late 2013 about operating systems.  In this set, we offer an update of publications and presentations from 2014, focused specifically upon security issues.  The general topic has produced prolific work.  We will present these in multiple parts.

Shuang Liang; Xiaojiang Du; Tan, C.C.; Wei Yu, "An Effective Online Scheme For Detecting Android Malware," Computer Communication and Networks (ICCCN), 2014 23rd International Conference on, pp. 1, 8, 4-7 Aug. 2014. doi: 10.1109/ICCCN.2014.6911740 The growing popularity of Android-based smart-phones have led to the rise of Android based malware. In particular, profit-motivated malware is becoming increasingly popular in Android malware distribution. These malware typically profit by sending premium-rate SMS messages and/or make premium-rate phone calls from infected devices without user consent. In this paper, we investigate the telephony framework of the Android operating system and propose a novel process user-identification (UID) based online detection scheme. Our scheme can effectively detect premium-rate and background SMS messages as well as premium-rate phone calls initiated by malware. We implemented our detection system on a Samsung Google Nexus 4 running Android Jelly Bean and tested the effectiveness of detecting real malware from Android markets. The experimental results show that our scheme is efficient and effective in detecting background messages and premium-rate messages and phone calls. Our scheme can detect and block all the background and premium-rate SMS messages and phone calls initiated by popular malware.
Keywords: Android (operating system); invasive software; Android Jelly Bean; Android malware distribution; Android markets; Android operating system; Android-based smart phones; Samsung Google Nexus 4; UID based online detection scheme; online scheme; premium rate SMS messages; premium-rate phone calls; process user identification; profit-motivated malware; telephony framework; Libraries; Linux; Malware; Mobile communication; Smart phones; Sockets; Telephony; Android; malware detection; security; smartphone (ID#: 15-4330)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6911740&isnumber=6911704

Skillen, A.; Mannan, M., "Mobiflage: Deniable Storage Encryption for Mobile Devices," Dependable and Secure Computing, IEEE Transactions on, vol. 11, no .3, pp.224,237, May-June 2014. doi: 10.1109/TDSC.2013.56 Data confidentiality can be effectively preserved through encryption. In certain situations, this is inadequate, as users may be coerced into disclosing their decryption keys. Steganographic techniques and deniable encryption algorithms have been devised to hide the very existence of encrypted data. We examine the feasibility and efficacy of deniable encryption for mobile devices. To address obstacles that can compromise plausibly deniable encryption (PDE) in a mobile environment, we design a system called Mobiflage. Mobiflage enables PDE on mobile devices by hiding encrypted volumes within random data in a devices free storage space. We leverage lessons learned from deniable encryption in the desktop environment, and design new countermeasures for threats specific to mobile systems. We provide two implementations for the Android OS, to assess the feasibility and performance of Mobiflage on different hardware profiles. MF-SD is designed for use on devices with FAT32 removable SD cards. Our MF-MTP variant supports devices that instead share a single internal partition for both apps and user accessible data. MF-MTP leverages certain Ext4 file system mechanisms and uses an adjusted data-block allocator. These new techniques for soring hidden volumes in Ext4 file systems can also be applied to other file systems to enable deniable encryption for desktop OSes and other mobile platforms.
Keywords: Android (operating system); cryptography; mobile computing; steganography; Android OS; Ext4 file system mechanisms; FAT32 removable SD cards; MF-MTP variant; MF-SD; Mobiflage; PDE; data confidentiality; data-block allocator; decryption keys; deniable storage encryption; desktop OS; desktop environment; mobile devices; mobile environment; plausibly deniable encryption; steganographic techniques; Androids; Encryption; Humanoid robots; Law; Mobile communication; Mobile handsets; File system security; deniable encryption; mobile platform security; storage encryption (ID#: 15-4331)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6682886&isnumber=6813632

Cooper, V.N.; Shahriar, H.; Haddad, H.M., "A Survey of Android Malware Characteristics and Mitigation Techniques," Information Technology: New Generations (ITNG), 2014 11th International Conference on, pp. 327, 332, 7-9 April 2014. doi: 10.1109/ITNG.2014.71 As mobile applications are being developed at a faster pace, the security aspect of is being neglected. A solid understanding of the characteristics of malware is the first step to preventing many unwanted consequences. This paper provides an overview of popular security threats posed by Android malware. In particular, we focus on the characteristics commonly found in malware applications and understand the code level features that can enable detection techniques. We also discuss some common defense techniques to mitigate the impact of malware applications.
Keywords: Android (operating system); invasive software; mobile computing; smart phones; Android malware characteristics; code level features; defense technique; detection technique; malware mitigation technique; mobile applications; security threats; Kernel; Libraries; Malware; Mobile communication; Smart phones; Social network services; Android Malware; Mobile application; Mobile security; Software Security (ID#: 15-4332)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6822218&isnumber=6822158

Shao Shuai; Dong Guowei; Guo Tao; Yang Tianchang; Shi Chenjie, "Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications," Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on, pp. 75, 80, 24-27 Aug. 2014. doi: 10.1109/DASC.2014.22 Cryptographic misuse affects a sizeable portion of Android applications. However, there is only an empirical study that has been made about this problem. In this paper, we perform a systematic analysis on the cryptographic misuse, build the cryptographic misuse vulnerability model and implement a prototype tool Crypto Misuse Analyser (CMA). The CMA can perform static analysis on Android apps and select the branches that invoke the cryptographic API. Then it runs the app following the target branch and records the cryptographic API calls. At last, the CMA identifies the cryptographic API misuse vulnerabilities from the records based on the pre-defined model. We also analyze dozens of Android apps with the help of CMA and find that more than a half of apps are affected by such vulnerabilities.
Keywords: Android (operating system); application program interfaces; cryptography; program diagnostics; Android application; CMA; cryptographic API; cryptographic misuse autodetection; cryptographic misuse vulnerability model; prototype tool crypto misuse analyser; static analysis; Analytical models; Androids; Encryption; Humanoid robots; Runtime; Android; Cryptographic Misuse; Modelling Analysis; Vulnerability (ID#: 15-4333)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6945307&isnumber=6945641

Zhiyong Shan; Xin Wang, "Growing Grapes in Your Computer to Defend Against Malware," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 2, pp.196, 207, Feb. 2014. doi: 10.1109/TIFS.2013.2291066 Behavior-based detection is promising to resolve the pressing security problem of malware. However, the great challenge lies in how to detect malware in a both accurate and light-weight manner. In this paper, we propose a novel behavior-based detection method, named growing grapes, aiming to enable accurate online detection. It consists of a clustering engine and detection engine. The clustering engine groups the objects, e.g., processes and files, of a suspicious program together into a cluster, just like growing grapes. The detection engine recognizes the cluster as malicious if the behaviors of the cluster match a predefined behavior template formed by a set of discrete behaviors. The approach is accurate since it identifies a malware based on multiple behaviors and the source of the processes requesting the behaviors. The approach is also light-weight as it uses OS-level information flows instead of data flows that generally impose significant performance impact on the system. To further improve the performance, a novel method of organizing the behavior template and template database is proposed, which not only makes the template matching process very quick, but also makes the storage space small and fixed. Furthermore, the detection accuracy and performance are optimized to the best degree using a combinatorial optimization algorithm, which properly selects and combines multiple behaviors to form a template for malware detection. Finally, the approach novelly identifies malicious OS objects in a cluster fashion rather than one by one as done in traditional methods, which help users to thoroughly eliminate the changes of a malware without malware family knowledge. Compared with commercial antimalware tools, extensive experiments show that our approach can detect new malware samples with higher detection rate and lower false positive rate while imposing low overhead on the system.
Keywords: combinatorial mathematics; database management systems; invasive software; operating systems (computers); optimisation; pattern clustering; OS-level information flow; behavior template database; behavior-based detection method; clustering engine; combinatorial optimization algorithm; detection accuracy optimization; detection engine; discrete behaviors; false positive rate; growing grapes; malicious OS object identification; malicious cluster recognition; malware; object grouping; overhead; performance improvement; performance optimization; process source; security problem; suspicious program; template matching process; Databases; Detectors; Engines; Joints; Malware; Monitoring; Pipelines; Malware detection; OS-level information flow; behavior (ID#: 15-4334)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6663657&isnumber=6705647

Xiaolei Li; Guangdong Bai; Thian, B.; Zhenkai Liang; Heng Yin, "A Light-Weight Software Environment for Confining Android Malware," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp.158,167, June 30 2014-July 2 2014. doi: 10.1109/SERE-C.2014.34 Mobile devices are becoming increasingly general-purpose, and therefore the physical boundary used to separate important resources disappears. As a result, malicious applications (apps) get chances to abuse resources that are available on the mobile platform. In this paper, we propose resource virtualization as a security mechanism for the Android system to strengthen the physical barrier between many types of resources and confine resource-abusing Android apps. The physical resources on a mobile device are virtualized to a different virtual view for selected Android apps. Resource virtualization simulates a partial but consistent virtual view of the Android resources. Therefore, it can not only confine the resource-abusing apps effectively, but also ensure the usability of these apps. We implement a system prototype, RVL, and evaluate it with real-world apps of various types. Our results demonstrate its effectiveness on malicious Android apps and its compatibility and usability on benign Android apps.
Keywords: Android (operating system); invasive software; mobile computing; telecommunication security; Android malware; RVL; light-weight software environment; malicious Android apps; mobile device; resource virtualization; resource-abusing Android apps; security mechanism; Androids; Humanoid robots; Linux; Resource virtualization; Security; Smart phones; Virtualization; Android malware ;isolation; mobile security
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6901653&isnumber=6901618

Yuru Shao; Xiapu Luo; Chenxiong Qian, "RootGuard: Protecting Rooted Android Phones," Computer, vol. 47, no.6, pp. 32, 40, June 2014. doi: 10.1109/MC.2014.163 Though popular for achieving full operation functionality, rooting Android phones opens these devices to significant security threats. RootGuard offers protection from malware with root privileges while providing user flexibility and control. The Web extra at http://youtu.be/-KMMfxOoCjg is a video demonstration of how RootGuard manages root privileges of Android apps in a flexible and robust manner. First, we use the popular root-required app Root Explorer to show the configuration and effectiveness of RootGuard policies. Then, we use DKFBootkit, a real-world malicious app that leverages root access to do evil, to show how malware attacks performed with root privileges are mitigated by RootGuard.
Keywords: Android (operating system); invasive software; smart phones; Android apps; DKFBootkit; Root Explorer; RootGuard policies; malware attacks; malware protection; root access; root-required app; rooted Android phone protection; security threats; Androids; Computer security; Malware; Servers; Smart phones; Android; RootGuard; malware; root privilege; root-management systems; security; smartphone security (ID#: 15-4335)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6838907&isnumber=6838865

Yong Li; Pan Hui; Depeng Jin; Li Su; Lieguang Zeng, "Optimal Distributed Malware Defense in Mobile Networks with Heterogeneous Devices," Mobile Computing, IEEE Transactions on, vol. 13, no. 2, pp.377, 391, Feb. 2014. doi: 10.1109/TMC.2012.255 As malware attacks become more frequently in mobile networks, deploying an efficient defense system to protect against infection and to help the infected nodes to recover is important to prevent serious spreading and outbreaks. The technical challenges are that mobile devices are heterogeneous in terms of operating systems, the malware infects the targeted system in any opportunistic fashion via local and global connectivity, while the to-be-deployed defense system on the other hand would be usually resource limited. In this paper, we investigate the problem of how to optimally distribute the content-based signatures of malware, which helps to detect the corresponding malware and disable further propagation, to minimize the number of infected nodes. We model the defense system with realistic assumptions addressing all the above challenges that have not been addressed in previous analytical work. Based on the framework of optimizing the system welfare utility, which is the weighted summation of individual utility depending on the final number of infected nodes through the signature allocation, we propose an encounter-based distributed algorithm based on Metropolis sampler. Through theoretical analysis and simulations with both synthetic and realistic mobility traces, we show that the distributed algorithm achieves the optimal solution, and performs efficiently in realistic environments.
Keywords: invasive software; mobile radio; operating systems (computers); telecommunication security; Metropolis sampler; content-based signatures; encounter-based distributed algorithm; global connectivity; heterogeneous devices; infected node minimization; infection protection; local connectivity; malware attacks; mobile devices; mobile networks; operating systems; optimal distributed malware defense; realistic mobility trace; signature allocation; synthetic mobility trace; system welfare utility; theoretical analysis; to-be-deployed defense system; Distributed algorithms; Educational institutions; Malware; Mathematical model; Mobile communication; Mobile computing; Mobile handsets; Security threat; distributed algorithm; heterogeneous mobile networks; mobile malware (ID#: 15-4336)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6381416&isnumber=6689256

Yusoff, M.N.; Mahmod, R.; Abdullah, M.T.; Dehghantanha, A., "Mobile Forensic Data Acquisition in Firefox OS," Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2014 Third International Conference on, pp.27,31, April 29 2014-May 1 2014. doi: 10.1109/CyberSec.2014.6913967 Mozilla Corporation has recently released a Linux-based open source operating system, namely Firefox OS. The arrival of this Firefox OS has created new challenges, concentrations and opportunities for digital investigators. Currently, Firefox OS is still not fully supported by most of the existing mobile forensic tools. Even when the phone is detected as Android, only pictures from removable card was able to be captured. Furthermore, the internal data acquisition is still not working. Therefore, there are very huge opportunities to explore the Firefox OS on every stages of mobile forensic procedures. This paper will present an approach for mobile forensic data acquisition in a forensically sound manner from a Firefox OS running device. This approach will largely use the UNIX dd command to create a forensic image from the Firefox OS running device. (ID#: 15-4337)
Keywords: Linux; data acquisition; image forensics; mobile computing; public domain software; Android phone; Firefox OS; Linux-based open source operating system; Mozilla Corporation; UNIX dd command; digital investigators; forensic image; internal data acquisition; mobile forensic data acquisition; Data acquisition; Flash memories; Forensics; GSM; Mobile communication; Smart phones; Firefox OS; Mobile forensic; data acquisition
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6913967&isnumber=6913961

Kataria, A.; Anjali, T.; Venkat, R., "Quantifying Smartphone Vulnerabilities," Signal Processing and Integrated Networks (SPIN), 2014 International Conference on, pp. 645,649, 20-21 Feb. 2014. doi: 10.1109/SPIN.2014.6777033 Nowadays, smartphones are an integral part of our lives. They provide a wide variety of functionality through their applications (apps), whether it's the latest news, social connectivity, market updates or picture editing and many more similar things. People rely on their smartphones for all these small tasks. These applications often have sensitive data/information about the users. As a result, smartphones are hot target for the hackers these days. Due to this, the number of vulnerabilities in smartphones is on a rise too. As soon as a new version of a smartphone operating system is launched, hackers look to exploit that and new vulnerabilities are discovered. In this paper we analyze the various versions of Google's Android and Apple's iOS operating systems and the vulnerabilities present in them.
Keywords: Android (operating system); mobile computing; security of data; smart phones; telecommunication security; Apple iOS operating system; Google Android operating system; market updates; picture editing; smartphone operating system; smartphone security; smartphone vulnerability quantification; social connectivity; Computer hacking; Ice; Mobile communication; Operating systems; Smart phones; Android vulnerabilities and iOS vulnerabilities; Mobile vulnerabilities; Smartphone Vulnerabilities; Smartphone security; Smartphones (ID#: 15-4338)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6777033&isnumber=6776904

Kato, M.; Matsuura, S., "Improve User's Security Literacy by Experiencing Behavior of Pseudo Android Malware," Computer Software and Applications Conference (COMPSAC), 2014 IEEE 38th Annual, pp. 602, 603, 21-25 July 2014. doi: 10.1109/COMPSAC.2014.92 Recent years, Android malware which execute malicious attacks within the scope of permissions which was approved by user is increasing. Generally it is installed by user. Therefore user can avoid being infected with obvious malware by checking permissions which application requires. However many users install applications without checking permissions and get infected. Such Android malware have various kinds of threats, so user need to protect his assets by himself. In this paper we propose an educational method to improve user's security literacy by having experience of pseudo malware's behavior and recognize threats, risks, assets and relations between permissions and adverse actions.
Keywords: Android (operating system); computer aided instruction; computer literacy; invasive software; user interfaces; educational method; malicious attacks; pseudo Android malware; user security literacy; Androids; Availability; Control systems; Humanoid robots; Malware; Smart phones; Android; education; malware; security (ID#: 15-4339)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6899269&isnumber=6899181

Jerome, Q.; Allix, K.; State, R.; Engel, T., "Using Opcode-Sequences to Detect Malicious Android Applications," Communications (ICC), 2014 IEEE International Conference on, pp. 914, 919, 10-14 June 2014. doi: 10.1109/ICC.2014.6883436 Recently, the Android platform has seen its number of malicious applications increased sharply. Motivated by the easy application submission process and the number of alternative market places for distributing Android applications, rogue authors are developing constantly new malicious programs. While current anti-virus software mainly relies on signature detection, the issue of alternative malware detection has to be addressed. In this paper, we present a feature based detection mechanism relying on opcode-sequences combined with machine learning techniques. We assess our tool on both a reference dataset known as Genome Project as well as on a wider sample of 40,000 applications retrieved from the Google Play Store.
Keywords: Android (operating system); digital signatures; invasive software ;learning (artificial intelligence); Genome project; google play store; anti-virus software; application submission process; feature based detection mechanism; machine learning techniques; malicious Android application detection; malicious programs; malware detection opcode-sequences; reference dataset; signature detection; Androids; Feature extraction; Google; Humanoid robots; Malware; Software; Android malware; machine learning; opcode-sequences (ID#: 15-4340)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883436&isnumber=6883277

Yerima, S.Y.; Sezer, S.; McWilliams, G., "Analysis_of_Bayesian_Classification-Based Approaches for Android Malware Detection," Information Security, IET, vol. 8, no.1, pp. 25, 36, January 2014. doi: 10.1049/iet-ifs.2013.0095 Mobile malware has been growing in scale and complexity spurred by the unabated uptake of smartphones worldwide. Android is fast becoming the most popular mobile platform resulting in sharp increase in malware targeting the platform. Additionally, Android malware is evolving rapidly to evade detection by traditional signature-based scanning. Despite current detection measures in place, timely discovery of new malware is still a critical issue. This calls for novel approaches to mitigate the growing threat of zero-day Android malware. Hence, the authors develop and analyse proactive machine-learning approaches based on Bayesian classification aimed at uncovering unknown Android malware via static analysis. The study, which is based on a large malware sample set of majority of the existing families, demonstrates detection capabilities with high accuracy. Empirical results and comparative analysis are presented offering useful insight towards development of effective static-analytic Bayesian classification-based solutions for detecting unknown Android malware.
Keywords: invasive software; learning (artificial intelligence); operating system kernels; pattern classification; smart phones; Android malware detection; machine learning; mobile malware; signature based scanning; smartphones; static analysis; static analytic Bayesian classification (ID#: 15-4341)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6687155&isnumber=6687150

Lokhande, B.; Dhavale, S., "Overview of Information Flow Tracking Techniques Based On Taint Analysis for Android," Computing for Sustainable Global Development (INDIACom), 2014 International Conference on, pp.749,753, 5-7 March 2014. doi: 10.1109/IndiaCom.2014.6828062 Smartphones today are ubiquitous source of sensitive information. Information leakage instances on the smartphones are on the rise because of exponential growth in smartphone market. Android is the most widely used operating system on smartphones. Many information flow tracking and information leakage detection techniques are developed on Android operating system. Taint analysis is commonly used data flow analysis technique which tracks the flow of sensitive information and its leakage. This paper provides an overview of existing Information flow tracking techniques based on the Taint analysis for android applications. It is observed that static analysis techniques look at the complete program code and all possible paths of execution before its run, whereas dynamic analysis looks at the instructions executed in the program-run in the real time. We provide in depth analysis of both static and dynamic taint analysis approaches.
Keywords: Android (operating system); data flow analysis; smart phones; Android; Information leakage instances; data flow analysis technique; dynamic analysis; dynamic taint analysis approaches; exponential smartphone market growth; information flow tracking techniques; information leakage detection techniques; program code; program-run; static analysis techniques; static taint analysis approaches; Androids; Humanoid robots; Operating systems; Privacy; Real-time systems; Security; Smart phones; Android Operating System; Mobile Security; data flow analysis; static and dynamic taint analysis (ID#: 15-4342)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6828062&isnumber=6827395

Lee Mengxuan; Song Jiaxing; Liu Weidong, "Android Privacy Information Encoding Mechanism (APIEM)," Parallel Architectures, Algorithms and Programming (PAAP), 2014 Sixth International Symposium on, pp.224,229, 13-15 July 2014. doi: 10.1109/PAAP.2014.16 This paper proposes APIEM as an encoding mechanism for privacy information in Android system. By encoding privacy information in cursor queried from database and decoding them before drawing to the screen, the text-based privacy information can be protected from leaking by third-party applications. APIEM provides more protection and has less overhead compared to traditional taint and trace methods.
Keywords: Android (operating system); data protection; encoding; APIEM; Android privacy information encoding mechanism; text-based privacy information protection; Androids; Data privacy; Databases; Encoding; Humanoid robots; Painting; Privacy; Android; privacy; security (ID#: 15-4343)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6916469&isnumber=6916413

Wei Wang; Xing Wang; Dawei Feng; Jiqiang Liu; Zhen Han; Xiangliang Zhang, "Exploring Permission-Induced Risk in Android Applications for Malicious Application Detection," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 11, pp.1869,1882, Nov. 2014. doi: 10.1109/TIFS.2014.2353996 Android has been a major target of malicious applications (malapps). How to detect and keep the malapps out of the app markets is an ongoing challenge. One of the central design points of Android security mechanism is permission control that restricts the access of apps to core facilities of devices. However, it imparts a significant responsibility to the app developers with regard to accurately specifying the requested permissions and to the users with regard to fully understanding the risk of granting certain combinations of permissions. Android permissions requested by an app depict the app's behavioral patterns. In order to help understanding Android permissions, in this paper, we explore the permission-induced risk in Android apps on three levels in a systematic manner. First, we thoroughly analyze the risk of an individual permission and the risk of a group of collaborative permissions. We employ three feature ranking methods, namely, mutual information, correlation coefficient, and T-test to rank Android individual permissions with respect to their risk. We then use sequential forward selection as well as principal component analysis to identify risky permission subsets. Second, we evaluate the usefulness of risky permissions for malapp detection with support vector machine, decision trees, as well as random forest. Third, we in depth analyze the detection results and discuss the feasibility as well as the limitations of malapp detection based on permission requests. We evaluate our methods on a very large official app set consisting of 310 926 benign apps and 4868 real-world malapps and on a third-party app sets. The empirical results show that our malapp detectors built on risky permissions give satisfied performance (a detection rate as 94.62% with a false positive rate as 0.6%), catch the malapps' essential patterns on violating permission access regulations, and are universally applicable to unknown malapps (detection rate as 74.03%).
Keywords: Android (operating system); invasive software; principal component analysis; smart phones; Android security mechanism; T-test; collaborative permissions; correlation coefficient; decision trees; malapp detection; malicious applications; mutual information; permission control; permission-induced risk; principal component analysis; random forest; sequential forward selection; support vector machine; third-party app sets; Androids; Correlation; Humanoid robots; Principal component analysis; Security; Smart phones; Support vector machines; Android security; Android system; intrusion detection; malware detection; permission usage analysis (ID#: 15-4344)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6891250&isnumber=6912034

Yang Chen; Ghorbanzadeh, M.; Ma, K.; Clancy, C.; McGwier, R., "A Hidden Markov Model Detection Of Malicious Android Applications At Runtime," Wireless and Optical Communication Conference (WOCC), 2014 23rd, pp.1,6, 9-10 May 2014. doi: 10.1109/WOCC.2014.6839912 A hidden Markov model approach is leveraged to detect potentially malicious Android applications at runtime based on analyzing the Intents passing through the binder. Real world applications are emulated, their Intents are parsed, and, after appropriate discretization of the Intent action fields, they train the hidden Markov models for recognizing anomalous and benign Android application behaviors. The inferred stochastic processes can probabilistically estimate whether an application is performing a malicious or benign action as it is running on the device. Such a decision is realized through a maximum likelihood estimation. The results show that the method is capable of detecting malicious Android applications as they run on the platform.
Keywords: Android (operating system); hidden Markov models; maximum likelihood estimation; mobile computing; security of data; Android application behaviors; hidden Markov model detection; malicious Android applications; maximum likelihood estimation; real world applications; stochastic processes; Androids; Hidden Markov models; Humanoid robots; Runtime; Security; Smart phones; Training (ID#: 15-4345)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6839912&isnumber=6839906

Jun Li; Lidong Zhai; Xinyou Zhang; Daiyong Quan, "Research of Android Malware Detection Based On Network Traffic Monitoring," Industrial Electronics and Applications (ICIEA), 2014 IEEE 9th Conference on, pp.1739, 1744, 9-11 June 2014. doi: 10.1109/ICIEA.2014.6931449 With Android terminal into the life of people, the spread of Android malware seriously affected people's life. As a result of the Android security flaws, attackers can easily collect private information of users, and the information can be utilized in APT attacks. It is not only a threat to the end user, but also poses a threat to industrial control systems and mobile Internet. In this paper, we propose a network traffic monitoring system used in the detection of Android malware. The system consists of four components: traffic monitoring, traffic anomaly recognition, response processing and cloud storage. The system parses the protocol of data packets and extracts the feature data, then use SVM classification algorithm for data classification, determine whether the network traffic is abnormal, and locate the application that produced abnormal through the correlation analysis. The system not only can automatic response and process the malicious software, but also can generate new security policy from existing information and training data; When training data is reaching a certain amount, it will trigger a new round of training to improve the ability of detection. Finally, we experiment on the system, the experimental results show that our system can effectively detect the Android malware and control the application.
Keywords: Android (operating system); cloud computing; invasive software; mobile computing; pattern classification; support vector machines; telecommunication traffic; APT attacks; Android malware detection; Android security flaws; Android terminal; SVM classification algorithm; cloud storage; correlation analysis; data packets protocol; feature data; industrial control systems; mobile Internet; network traffic; network traffic monitoring; private information; response processing; security policy; traffic anomaly recognition; Feature extraction; Malware; Monitoring; Smart phones; Software; Telecommunication traffic; Android; Malware; Network traffic monitoring; SVM (ID#: 15-4346)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6931449&isnumber=6931119

Naito, K.; Mori, K.; Kobayashi, H.; Kamienoo, K.; Suzuki, H.; Watanabe, A., "End-to-end IP Mobility Platform In Application Layer for iOS and Android OS," Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp. 92, 97, 10-13 Jan. 2014. doi: 10.1109/CCNC.2014.6866554 Smartphones are a new type of mobile devices that users can install additional mobile software easily. In the almost all smartphone applications, client-server model is used because end-to-end communication is prevented by NAT routers. Recently, some smartphone applications provide real time services such as voice and video communication, online games etc. In these applications, end-to-end communication is suitable to reduce transmission delay and achieve efficient network usage. Also, IP mobility and security are important matters. However, the conventional IP mobility mechanisms are not suitable for these applications because most mechanisms are assumed to be installed in OS kernel. We have developed a novel IP mobility mechanism called NTMobile (Network Traversal with Mobility). NTMobile supports end-to-end IP mobility in IPv4 and IPv6 networks, however, it is assumed to be installed in Linux kernel as with other technologies. In this paper, we propose a new type of end-to-end mobility platform that provides end-to-end communication, mobility, and also secure data exchange functions in the application layer for smartphone applications. In the platform, we use NTMobile, which is ported as the application program. Then, we extend NTMobile to be suitable for smartphone devices and to provide secure data exchange. Client applications can achieve secure end-to-end communication and secure data exchange by sharing an encryption key between clients. Users also enjoy IP mobility which is the main function of NTMobile in each application. Finally, we confirmed that the developed module can work on Android system and iOS system.
Keywords: Android (operating system);IP networks; client-server systems; cryptography; electronic data interchange; iOS (operating system); real-time systems; smart phones; Android OS; IPv4 networks; IPv6 networks; Linux kernel; NAT routers; NTMobile; OS kernel; application layer; client-server model; encryption key; end-to-end IP mobility platform; end-to-end communication; iOS system ;network traversal with mobility; network usage; real time services; secure data exchange; smartphones; transmission delay; Authentication; Encryption; IP networks; Manganese; Relays; Servers (ID#: 15-4347)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6866554&isnumber=6866537

Ming-Yang Su; Wen-Chuan Chang, "Permission-based Malware Detection Mechanisms For Smart Phones," Information Networking (ICOIN), 2014 International Conference on, pp. 449, 452, 10-12 Feb. 2014. doi: 10.1109/ICOIN.2014.6799722 Smart phone users often neglect security issues, and directly confirm the pop-up windows without reading the permission requirement of the software. As a result, many smart phones have been implanted with virus. In the Android market, malicious software is disguised as games for users to download, thus resulting in malicious consumption, phone resource consumption, assistance in crime, or information theft. This study focuses on the prevention of the malware installed on Android smart phones, and analyzes whether an app is malware according to the announced permission combinations of the application.
Keywords: computer viruses; smart phones; Android market; crime assistance; information theft; malicious consumption; malicious software; permission requirement; permission-based malware detection mechanisms; phone resource consumption; security issues; smart phone users; Internet; Malware; Operating systems; Probability; Smart phones; Android; permission; security; smart phone (ID#: 15-4348)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6799722&isnumber=6799467

Khan, A.U.S.; Qureshi, M.N.; Qadeer, M.A., "Anti-Theft Application For Android Based Devices," Advance Computing Conference (IACC), 2014 IEEE International, pp.365, 369, 21-22 Feb. 2014. doi: 10.1109/IAdCC.2014.6779350 This paper presents a technique to improve anti-theft for android based mobile phones by using different services like MMS instead of SMS. As the use of smartphones, tablets, phablets based on android operating system is increasing, many scenarios related with anti-theft have already been proposed and many software based on anti-theft have also been developed, but most of these software are not freely available and it's difficult to identify the thief by using these software's e.g. GPS Tracking. We put forward a new scheme, which enhances the present scenario, based on new technologies like Multimedia Messages. The scenario proposed in this work is totally dependent on the hardware of your smartphone like camera (front & back) and support for multimedia messages. Once this software is installed, it will work in the background, stores the current SIM number in a variable and keeps checking continuously for SIM change, whenever SIM gets changed from mobile, it will take snapshots and record a video in the background i.e., without taking user permission and then it will send an MMS, and number of snap shots, to an alternate mobile number and an email id, which was provided during installation. The enviable advantage of this software is that it is very easy to configure and it keeps running in the background without interrupting the user. To some extent it helps the owner to identify the thief.
Keywords: Android (operating system); multimedia communication; security of data; smart phones; Android based devices; Android based mobile phones; Android operating system; GPS tracking; Global Positioning Systems; MMS; Multimedia Messaging Service; SIM change; SIM number; SMS; Short Messaging Service; anti-theft application; multimedia messages; phablets; smart phones; tablets; Androids; Cameras; Hardware; Humanoid robots; Mobile communication; Smart phones; Android; Email; MMS; Multimedia Messages; Snapshots (ID#: 15-4349)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6779350&isnumber=6779283

Junliang Shu; Juanru Li; Yuanyuan Zhang; Dawu Gu, "Android App Protection via Interpretation Obfuscation," Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on, pp.63,68, 24-27 Aug. 2014. doi: 10.1109/DASC.2014.20 To protect Android app from malicious reproduction or tampering, code obfuscation techniques are introduced to increase the difficulty of reverse engineering and program understanding. Current obfuscation schemes focus more on the protection of the meta information over the executable code which contains valuable or patented algorithms. Therefore, a more sophisticated obfuscator is needed to improve the protection on the executable code. In this paper we propose SMOG, a comprehensive executable code obfuscation system to protect Android app. SMOG is composed of two parts, an obfuscation engine and an execution environment. The obfuscation engine is at software vendor's side to conduct the obfuscation on the app's executable code, and then release the obfuscated app to the end-user along with an execution token. The execution environment is setup by integrating the received execution token, which endows the Android Dalvik VM the capability to execute the obfuscated app. SMOG is an easily deployed system which proves fine-grained level protection. The obfuscated app generated by SMOG could resist static and dynamic reverse engineering. Moreover, the benchmark result shows SMOG only costs about 5% more performance in dispatching the incoming bytecode to the proper interpreter.
Keywords: Android (operating system); computer crime; data protection; reverse engineering; source code (software); Android Dalvik VM; Android app protection; SMOG; code obfuscation techniques; dynamic reverse engineering; executable code obfuscation system; executable code protection; execution environment; execution token; fine-grained level protection; interpretation obfuscation; malicious reproduction; meta information protection; obfuscated app; obfuscation engine; obfuscator; program understanding; software vendor; static reverse engineering; tampering; Conferences; Android App; Execution Token; Interpretation Obfuscation; Reverse Engineering; Static Disassembly (ID#: 15-4350)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6945305&isnumber=6945641

Borting Chen; Ming Wei Shih; Yu Lun Huang, "An Anomaly Detection Module for Firefox OS," Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp. 176, 184, June 30 2014-July 2 2014. doi: 10.1109/SERE-C.2014.36 Firefox OS, a new Web-based OS developed by Mozilla mainly for mobile platforms, is designed to realize the "Boot to the Web" concept for the open Web. It supports users booting to the network directly, launching remote applications and accessing remote data with the standard Web technologies. Although Firefox OS has adopted several mechanisms to enhance its security, its current design is lack of a mechanism to detect 1) applications calling Web API with unusual frequency, and 2) applications consuming abnormal amount of resources. In this paper, we propose an anomaly detection module which takes the system resource usage and the amount of inter-process communication as the inputs to detect whether the system has an anomaly. We also conduct several experiments to examine the ability of the proposed module. The results show that detection accuracy of our module is 0% in false negative rate and 12.5% in false positive rate.
Keywords: Internet; application program interfaces; mobile computing; operating systems (computers); Firefox OS; Mozilla; Web API; Web-based OS; anomaly detection module; boot to the Web concept; detection accuracy; inter-process communication; mobile platforms; open Web; remote data; standard Web technology; system resource usage; Browsers; Kernel; Mobile communication; Permission; Training; Vectors; Anomaly Detection; Firefox OS; Mobile Security (ID#: 15-4351)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6901655&isnumber=6901618

Sharma, R.K.; Mohammad, A.; Kalita, H.; Kalita, D., "Android interface based GSM home security system," Issues and Challenges in Intelligent Computing Techniques (ICICT), 2014 International Conference on, pp. 196, 201, 7-8 Feb. 2014. doi: 10.1109/ICICICT.2014.6781278 The security of one's belongings when a person leaves his/her house is always a concern with increasing number of incidents of theft, robbery etc. Many automated systems has been developed which informs the owner in a remote location about any intrusion or attempt to intrude in the house. 8051 has been extensively used in past projects. However, this paper looks into the development of an ANDROID application which interprets the message a mobile device receives on possible intrusion and subsequently a reply (Short Message Service) SMS which triggers an alarm/buzzer in the remote house making others aware of the possible intrusion.
Keywords: Android (operating system) ;alarm systems; cellular radio; domestic safety; electronic messaging; home automation; mobile computing; Android interface; GSM home security system; SMS; mobile device; remote location; short message service; Androids; Automation; GSM; Ground penetrating radar; Humanoid robots; Land mobile radio; Switches; ANDROID; Global Communication for mobile system (GSM); Short Message Service (SMS) (ID#: 15-4352)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6781278&isnumber=6781240

Won Shin; Jin-Lee Lee; Doo-Ho Park; Chun-Hyon Chang, "Design of Authenticity Evaluation Metric For Android Applications," Digital Information and Communication Technology and it's Applications (DICTAP), 2014 Fourth International Conference on, pp.275,278, 6-8 May 2014. doi: 10.1109/DICTAP.2014.6821695 For enforcing security, Android platform uses authorizing system which grants permission per application at install-time. With authorized privilege, user applications can modify and delete user's personal information. Therefore, inspection of granted permission usage can be used to detect security vulnerabilities. ISO/IEC 25 010 defines software product security characteristic and provides guidelines to evaluate software product quality. Among sub-characteristics of security, Authenticity is related to Android permission system. In this paper, we present authenticity metric for android application. This metric can quantify the permission usage of application and measured information can be used to classify the malware applications. To verify the applicability of metric, we perform evaluation to benign and malware application and compare its results.
Keywords: Android (operating system); authorisation; invasive software; software metrics; software quality; Android applications; Android permission system; Android platform; authenticity evaluation metric design; authorizing system; malware applications; security vulnerabilities; software product quality; software product security; user personal information; Androids; Humanoid robots; Malware; Measurement; Smart phones; Software; android; authenticity; least privilege; metric; permissions; security (ID#: 15-4353)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6821695&isnumber=6821645

Al Barghouthy, N.B.; Marrington, A., "A Comparison of Forensic Acquisition Techniques for Android Devices: A Case Study Investigation of Orweb Browsing Sessions," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, pp.1,4, March 30 2014-April 2 2014. doi: 10.1109/NTMS.2014.6813993 The issue of whether to "root" a small scale digital device in order to be able to execute acquisition tools with kernel-level privileges is a vexing one. In the early research literature about Android forensics, and in the commercial forensic tools alike, the common wisdom was that "rooting" the device modified its memory only minimally, and enabled more complete acquisition of digital evidence, and thus was, on balance, an acceptable procedure. This wisdom has been subsequently challenged, and alternative approaches to complete acquisition without "rooting" the device have been proposed. In this work, we address the issue of forensic acquisition techniques for Android devices through a case study we conducted to reconstruct browser sessions carried out using the Orweb private web browser. Orweb is an Android browser which uses Onion Routing to anonymize web traffic, and which records no browsing history. Physical and logical examinations were performed on both rooted and non-rooted Samsung Galaxy S2 smartphones running Android 4.1.1. The results indicate that for investigations of Orweb browsing history, there is no advantage to rooting the device. We conclude that, at least for similar investigations, rooting the device is unnecessary and thus should be avoided.
Keywords: Android (operating system); Internet; digital forensics; online front-ends; smart phones; Android 4.1.1; Android browser; Android devices; Android forensics; Onion Routing; Orweb browsing sessions; Orweb private Web browser; Web traffic anonymization; browser session reconstruction; browsing history; device rooting; digital evidence acquisition; forensic acquisition techniques; forensic tools; kernel-level privilege; nonrooted Samsung Galaxy S2 smartphone; small scale digital device; Androids; Browsers; Forensics; Humanoid robots; Random access memory; Smart phones; Workstations (ID#: 15-4354)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6813993&isnumber=6813963

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.