Automatic analysis of network behavior for Android applications

The widespread adoption of mobile technologies and a significant increase in the number of smartphone users worldwide have led to high demand for a diversity of applications ("apps" for short). As of February 2016, over 65 billion apps had been downloaded from the Google Play digital distribution service, which had over two million apps available for download as of March 2016. Furthermore, to compete effectively in the highly competitive app market, developers constantly add features to their apps. With widespread demand for supporting a plethora of features, apps in general share notable characteristics in their use of resources and services. A majority of apps access the Internet to obtain their services from external servers, most of which use the HTTP/HTTPS protocol. Most users tend to prefer dedicated apps to the mobile Web, meaning that they install a variety of apps on their devices for various purposes. Moreover, the number of Android devices used on enterprise networks is growing rapidly. From the perspective of network management, it is crucial to have clear visibility into an app's network behavior. Understanding an app's behavior within the network is invaluable for operators, developers, and users. Using this knowledge, operators can not only improve existing network solutions, such as deep packet inspection (DPI), but can also provide value-added services, such as application acceleration and dynamic caching, to enhance the quality of user experience. Developers can likewise identify discrepancies between an app's specification and its implementation by observing differences in network behavior. Users can distinguish malicious apps from benign ones by monitoring for unexpected network behavior, and can identify potentially vulnerable apps through in-depth analysis of network behavior.
However, network behavior analysis of Android apps is challenging due to the complexity of the protocols involved. In general, the network behavior of Android apps consists of complicated, predominantly proprietary protocols layered on HTTP/HTTPS and encoded in common data representations such as JSON and XML. Analyzing network behavior therefore requires an in-depth characterization of the app-level payload of each app. Furthermore, because of this protocol complexity, irregular network behavior poses a variety of threats, such as leaks of privacy-sensitive information. The problem is exacerbated by the fact that developers often overlook, or do not recognize, the security implications of network behavior. The goal of this study is two-fold: (i) to analyze apps' protocol behavior, and (ii) to identify potentially vulnerable apps whose weaknesses stem from network behavior. First, to analyze the protocol behavior of apps, we propose Extractocol, the first comprehensive protocol analysis framework that automatically extracts protocol behaviors, message formats, and message signatures. Extractocol takes only the Android app binary as input and, using binary analysis, accurately reconstructs HTTP transactions (request-response pairs) and identifies their message formats and relationships. Our evaluation and in-depth case studies on closed-source and open-source apps show that Extractocol accurately reconstructs network message formats and characterizes network-related app behaviors. Second, to identify potentially vulnerable apps whose weaknesses stem from network behavior, we focus on remote code injection attacks, which are still not widely recognized. We first identify three conditions that must be met for a remote code injection attack, and then design and implement a static detection tool that automatically identifies apps satisfying these conditions.
Moreover, to assess the current status of vulnerable apps in the wild, we apply the detection tool to a large dataset of 9,054 apps of three types: official market, third-party market, and pre-installed apps. Among the results, which include popular apps and libraries, 97 apps were found to be potentially vulnerable, and 53 of these were confirmed as vulnerable to remote code injection attacks. These results provide a lower bound on the number of apps vulnerable to remote code injection attacks in the wild.
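As an added illustration (not Extractocol, not the thesis's detection tool, and not code from the author), the following Python sketches the two static techniques named in the keywords, program slicing / data-dependency analysis and taint analysis, over a constructed three-address IR standing in for a decompiled app. It reconstructs the format of a request URL assembled by string concatenation, with call results kept as placeholders, and reports when a value derived from an HTTP response body reaches a code-loading call. The instruction set, the sample program, and the source and sink names (`readBody`, `loadDex`, `httpGet`) are assumptions made here; the three conditions the thesis checks are not stated on this page, and this code does not claim to encode them.

```python
"""Toy static data-dependency analysis over a three-address IR.

Added illustration only: the IR, the sample program and the source/sink
names are constructed here and are not taken from the thesis or Extractocol.
"""

# Each instruction: (op, dst, args).
#   ("const",  dst, [literal])        string constant
#   ("concat", dst, [var, var])       string concatenation
#   ("call",   dst, [callee, var...]) call; dst may be None for a void call
PROGRAM = [
    ("const",  "v0", ["https://api.example.test/v1/user?id="]),
    ("call",   "v1", ["getDeviceId"]),
    ("concat", "v2", ["v0", "v1"]),
    ("call",   "v3", ["httpGet", "v2"]),        # request with the built URL
    ("call",   "v4", ["readBody", "v3"]),       # response body (assumed source)
    ("const",  "v5", ["plugin_url"]),
    ("call",   "v6", ["jsonGet", "v4", "v5"]),  # field taken from the response
    ("call",   "v7", ["downloadFile", "v6"]),
    ("call",   None, ["loadDex", "v7"]),        # assumed code-loading sink
]

NETWORK_SOURCES = {"readBody"}  # assumed: returns attacker-influenced bytes
CODE_SINKS = {"loadDex"}        # assumed: executes code found at its argument


def definitions(program):
    """Map each variable to the index of the instruction that defines it."""
    return {dst: i for i, (_, dst, _) in enumerate(program) if dst}


def operands(instr):
    """Variables an instruction reads (callee names are not variables)."""
    op, _, args = instr
    if op == "const":
        return []
    if op == "concat":
        return list(args)
    return list(args[1:])


def backward_slice(program, var):
    """Indices of every instruction var transitively depends on (a program slice)."""
    defs = definitions(program)
    seen, work = set(), [var]
    while work:
        i = defs.get(work.pop())
        if i is None or i in seen:
            continue
        seen.add(i)
        work.extend(operands(program[i]))
    return sorted(seen)


def reconstruct_format(program, var):
    """Rebuild var's string format: literals stay, call results become <placeholders>."""
    op, _, args = program[definitions(program)[var]]
    if op == "const":
        return args[0]
    if op == "concat":
        return "".join(reconstruct_format(program, a) for a in args)
    return "<" + args[0] + ">"


def request_url_format(program, request_callee="httpGet"):
    """Format of every argument handed to the (assumed) request call."""
    return [reconstruct_format(program, a)
            for op, _, args in program
            if op == "call" and args[0] == request_callee
            for a in args[1:]]


def find_taint_flows(program, sources, sinks):
    """(source, sink) pairs where a sink argument's slice contains a source call."""
    flows = set()
    for op, _, args in program:
        if op != "call" or args[0] not in sinks:
            continue
        for arg in args[1:]:
            for j in backward_slice(program, arg):
                jop, _, jargs = program[j]
                if jop == "call" and jargs[0] in sources:
                    flows.add((jargs[0], args[0]))
    return sorted(flows)


if __name__ == "__main__":
    print(request_url_format(PROGRAM))
    print(find_taint_flows(PROGRAM, NETWORK_SOURCES, CODE_SINKS))
```

On the sample program this reports the request format `https://api.example.test/v1/user?id=<getDeviceId>` and one flow from `readBody` to `loadDex`. A real tool works over Dalvik bytecode with inter-procedural and field-sensitive dependency tracking, so this intraprocedural sketch only shows the shape of the analysis, not its precision.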
Advisors
Kim, Yongdae (김용대)
Description
Korea Advanced Institute of Science and Technology: Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2017
Identifier
325007
Language
eng
Description

Doctoral thesis (Ph.D.) - Korea Advanced Institute of Science and Technology: Graduate School of Information Security, 2017.2, [iv, 70 p.]

Keywords

Android; static analysis; network protocol behavior; remote code injection attack; taint analysis; program slicing; data dependency analysis

URI
http://hdl.handle.net/10203/242103
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=675864&flag=dissertation
Appears in Collection
IS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.