SAM: The Static Analysis Module of the MAVERIC Mobile App Security Verification Platform

  • Alessandro Armando
  • Gianluca Bocci
  • Giantonio Chiarelli
  • Gabriele Costa
  • Gabriele De Maglie
  • Rocco Mammoliti
  • Alessio Merlo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9035)

Abstract

The tremendous success of the mobile application paradigm is due to the ease with which new applications are uploaded by developers, distributed through the application markets (e.g. Google Play), and finally installed by the users. Yet, the very same model is causing serious security concerns, since users have no or little means to ascertain the trustworthiness of the applications they install on their devices. To protect their customers, Poste Italiane has defined the Mobile Application Verification Cluster (MAVERIC), a process for the systematic security analysis of third-party mobile apps that leverage the online services provided by the company (e.g. home banking, parcel tracking). We present SAM, a toolkit that supports this process by automating a number of operations including reverse engineering, privilege analysis, and automatic verification of security properties. We introduce the functionalities of SAM through a demonstration of the platform applied to real Android applications.

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Alessandro Armando (1, 2)
  • Gianluca Bocci (3)
  • Giantonio Chiarelli (3)
  • Gabriele Costa (1)
  • Gabriele De Maglie (1)
  • Rocco Mammoliti (3)
  • Alessio Merlo (1)

  1. DIBRIS, University of Genova, Genova, Italy
  2. Bruno Kessler Foundation, Trento, Italy
  3. Poste Italiane, Roma, Italy