SBIR-STTR Award

Late-Stage Software Feature Reduction Tool for Security and Performance
Award last edited on: 11/15/2018

Sponsored Program
SBIR
Awarding Agency
DOD : Navy
Total Award Amount
$1,224,978
Award Phase
2
Solicitation Topic Code
N171-083
Principal Investigator
Brian Schulte

Company Information

Kryptowire LLC

5352 Brandon Ridge Way
Fairfax, VA 22032
   (571) 314-0153
   N/A
   www.kryptowire.com
Location: Single
Congr. District: 11
County: Fairfax

Phase I

Contract Number: N68335-17-C-0426
Start Date: 6/1/2017    Completed: 9/24/2018
Phase I year
2017
Phase I Amount
$224,978
We plan to employ a holistic analysis approach that will extend existing static and dynamic analysis techniques, augmenting them with our own forced path execution technology. Thus, we aim to combine static, dynamic, and forced-path analysis in order to maximize code coverage. The proposed approach enables the framework to address the program analysis shortcomings of each approach when they are used in isolation. We plan to leverage code pruning techniques to selectively remove application functionalities to restrict access without causing the program to terminate and in a manner that is not disruptive, whenever possible. The selective removal of application code enables a system operator or a user to make the applications conform to a customizable security policy. We plan to address novel and recurrent evasion techniques employed by applications to hide and subdue their behavior when under analysis.

Benefit:
Our target is to provide the means for non-expert users to remove unwanted functionalities of Android mobile applications with a click of a button. Recently, there have been mobile certification requirements for mobile apps when they are operating in a secure or critical infrastructure environment, including ones that seek NIAP Mobile Application Protection Profile [5], NIST 800-163 [17] or HIPAA [2] certifications. Many mobile applications are popular with users but they fail to meet privacy, enterprise, or government requirements, rendering them undeployable in many sensitive contexts. If successful, our approach will enhance the security and performance of mobile devices for both commercial and critical environments where mobile applications and devices are deployed.

Keywords:
forced-path execution, Application code pruning, Static and dynamic code analysis, mobile applications

Phase II

Contract Number: N68335-18-C-0304
Start Date: 6/29/2018    Completed: 7/6/2020
Phase II year
2018
Phase II Amount
$1,000,000
Smartphones have become ubiquitous; a facet of everyday life for most people. Due to increasing computational power, these devices are used to perform a large number of tasks, from personal email to corporate expense account management. We plan to employ a holistic analysis approach that will extend existing static and dynamic analysis techniques, augmenting them with our own forced path execution technology [15]. Thus, we aim to combine static, dynamic, and forced-path analysis in order to maximize code coverage. The proposed approach enables the framework to address the program analysis shortcomings of each approach when they are used in isolation. We plan to leverage code pruning techniques to selectively remove application functionality to restrict access without causing the program to terminate and in a manner that is not disruptive, whenever possible. The selective removal of application code enables a system operator or a user to make the applications conform to a customizable security policy. We plan to address novel and recurrent evasion techniques employed by applications to hide and subdue their behavior when under analysis. Our goal is to be able to fully parse Java, JavaScript, and native ARM code, achieving full coverage and thus full code feature reduction capabilities.

Benefit:
At the conclusion of this project we were able to produce our AndroCutter prototype that is capable of identifying and removing software features in multiple ways. AndroCutter can leverage both static and dynamic analysis techniques to identify key features and functionality within applications. The prototype also allows users to target specific UI elements from the application along with their associated code for removal. We plan to evaluate AndroCutter with respect to accuracy, efficiency, scalability, and ease of deployment and use. We plan to spend significant time identifying potential transitions as the project matures. To quantify the success of our approach, we plan to use our initial TR3 prototype and evolve it to a TR7 system prototype that we can demonstrate in an operational environment, either commercial or government, using off-the-shelf Android binaries from which we can prune functionality based on the customer requirements with less than 0.1% failures or a 99.9% success rate. Our aim is to offer a commercial solution that provides the means to reduce the attack surface and unwanted functionality from commercial and in-house Android mobile applications. We envision that the end-system will become a plug-in of Kryptowire's mobile analysis product that is currently deployed as a license paid model for both government and commercial applications.

Keywords:
JavaScript analysis, Android Code Feature Removal, Java analysis, Code Reduction, ARM native libraries