@inproceedings{weiAmandroidPreciseGeneral2014, title = {Amandroid: {{A Precise}} and {{General Inter-component Data Flow Analysis Framework}} for {{Security Vetting}} of {{Android Apps}}}, shorttitle = {Amandroid}, booktitle = {{{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, author = {Wei, Fengguo and Roy, Sankardas and Ou, Xinming and {Robby}}, year = {2014}, month = nov, pages = {1329--1341}, publisher = {{ACM}}, address = {{Scottsdale Arizona USA}}, doi = {10.1145/2660267.2660357}, urldate = {2024-01-25}, isbn = {978-1-4503-2957-6}, langid = {english} } @inproceedings{xiaEffectiveRealTimeAndroid2015, title = {Effective {{Real-Time Android Application Auditing}}}, booktitle = {2015 {{IEEE Symposium}} on {{Security}} and {{Privacy}}}, author = {Xia, Mingyuan and Gong, Lu and Lyu, Yuanhao and Qi, Zhengwei and Liu, Xue}, year = {2015}, month = may, pages = {899--914}, publisher = {{IEEE}}, address = {{San Jose, CA}}, doi = {10.1109/SP.2015.60}, isbn = {978-1-4673-6949-7}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/VTA4PNJJ/Xia et al. - 2015 - Effective Real-Time Android Application Auditing.pdf} } @inproceedings{octeau2013effective, title={Effective Inter-Component communication mapping in android: An essential step towards holistic security analysis}, author={Octeau, Damien and McDaniel, Patrick and Jha, Somesh and Bartel, Alexandre and Bodden, Eric and Klein, Jacques and Le Traon, Yves}, booktitle={22nd USENIX Security Symposium (USENIX Security 13)}, pages={543--558}, year={2013} } @inproceedings{Enck2010, title = {{{TaintDroid}}: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones}, booktitle = {9th {{USENIX Symposium}} on {{Operating Systems Design}} and {{Implementation}}}, author = {Enck, William and Gilbert, Peter and Chun, Byung-Gon and Cox, Landon P. 
and Jung, Jaeyeon and McDaniel, Patrick and Sheth, Anmol N.}, year = {2010}, month = oct, pages = {393--407}, publisher = {{USENIX Association}}, address = {{Vancouver, BC, Canada}}, isbn = {978-1-931971-79-9}, keywords = {\ding{72},Dynamic analysis,Taint analysis}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/J8R79TUL/Enck et al. - 2010 - TaintDroid an information-flow tracking system for realtime privacy monitoring on smartphones.pdf} } @inproceedings{liApkCombinerCombiningMultiple2015, title = {{{ApkCombiner}}: {{Combining Multiple Android Apps}} to {{Support Inter-App Analysis}}}, shorttitle = {{{ApkCombiner}}}, booktitle = {{{ICT Systems Security}} and {{Privacy Protection}}}, author = {Li, Li and Bartel, Alexandre and Bissyand{\'e}, Tegawend{\'e} F. and Klein, Jacques and Traon, Yves Le}, editor = {Federrath, Hannes and Gollmann, Dieter}, year = {2015}, volume = {455}, pages = {513--527}, publisher = {{Springer International Publishing}}, address = {{Cham}}, doi = {10.1007/978-3-319-18467-8_34}, isbn = {978-3-319-18466-1 978-3-319-18467-8}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/DG5LXLJ8/Li et al. - 2015 - ApkCombiner Combining Multiple Android Apps to Su.pdf} } @inproceedings{allixAndroZooCollectingMillions2016, title = {{{AndroZoo}}: {{Collecting Millions}} of {{Android Apps}} for the {{Research Community}}}, shorttitle = {{{AndroZoo}}}, booktitle = {13th {{Working Conference}} on {{Mining Software Repositories}} ({{MSR}})}, author = {Allix, Kevin and Bissyand{\'e}, Tegawend{\'e} F. and Klein, Jacques and Traon, Yves Le}, year = {2016}, month = may, pages = {468--471}, abstract = {We present a growing collection of Android Applications collected from several sources, including the official Google Play app market. Our dataset, AndroZoo, currently contains more than three million apps, each of which has been analysed by tens of different AntiVirus products to know which applications are detected as Malware.
We provide this dataset to contribute to ongoing research efforts, as well as to enable new potential research topics on Android Apps. By releasing our dataset to the research community, we also aim at encouraging our fellow researchers to engage in reproducible experiments.}, keywords = {Android Applications,Androids,APK,Crawlers,Google,HTML,Humanoid robots,Protocols,Software,Software Repository}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/5SNISVTP/7832927.html} } @inproceedings{Arp2014, title = {Drebin: {{Effective}} and {{Explainable Detection}} of {{Android Malware}} in {{Your Pocket}}}, booktitle = {Network and {{Distributed System Security Symposium}}}, author = {Arp, Daniel and Spreitzenbarth, Michael and Gascon, Hugo and Rieck, Konrad and Siemens, Germany and Munich, Cert}, year = {2014}, month = feb, publisher = {{The Internet Society}}, address = {{San Diego, California, USA}}, isbn = {1-891562-35-5}, keywords = {\ding{72},Static analysis}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/364XVWJK/Arp et al. - 2014 - Drebin Effective and Explainable Detection of And.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/ITE85DES/Arp et al. - 2014 - Drebin Effective and Explainable Detection of Android Malware in Your Pocket.pdf} } @article{Pendlebury2018, title = {{{TESSERACT}}: {{Eliminating Experimental Bias}} in {{Malware Classification}} across {{Space}} and {{Time}}}, author = {Pendlebury, Feargus and Pierazzi, Fabio and Jordaney, Roberto and Kinder, Johannes and Cavallaro, Lorenzo}, year = {2018}, eprint = {1807.07838}, abstract = {Is Android malware classification a solved problem? Published F1 scores of up to 0.99 appear to leave very little room for improvement.
In this paper, we argue that results are commonly inflated due to two pervasive sources of experimental bias: "spatial bias" caused by distributions of training and testing data that are not representative of a real-world deployment; and "temporal bias" caused by incorrect time splits of training and testing sets, leading to impossible configurations. We propose a set of space and time constraints for experiment design that eliminates both sources of bias. We introduce a new metric that summarizes the expected robustness of a classifier in a real-world setting, and we present an algorithm to tune its performance. Finally, we demonstrate how this allows us to evaluate mitigation strategies for time decay such as active learning. We have implemented our solutions in TESSERACT, an open source evaluation framework for comparing malware classifiers in a realistic setting. We used TESSERACT to evaluate three Android malware classifiers from the literature on a dataset of 129K applications spanning over three years. Our evaluation confirms that earlier published results are biased, while also revealing counter-intuitive performance and showing that appropriate tuning can lead to significant improvements.}, archiveprefix = {arxiv}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/QXT9GLTX/Pendlebury et al. 
- 2018 - TESSERACT Eliminating Experimental Bias in Malware Classification across Space and Time.pdf} } @inproceedings{shanSelfhidingBehaviorAndroid2018, title = {Self-Hiding Behavior in {{Android}} Apps}, booktitle = {40th {{International Conference}} on {{Software Engineering}}}, author = {Shan, Zhiyong and Neamtiu, Iulian and Samuel, Raina}, year = {2018}, pages = {728--739}, publisher = {{ACM Press}}, address = {{New York, New York, USA}}, doi = {10.1145/3180155.3180214}, isbn = {978-1-4503-5638-1}, keywords = {Android,malware,mobile security,static analysis}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/FN53LJGG/Shan, Neamtiu, Samuel - 2018 - Self-hiding behavior in Android apps.pdf} } @article{DBLPjournalstifsMirandaGLTW22, author = {Tom{\'{a}}s Concepci{\'{o}}n Miranda and Pierre{-}Fran{\c{c}}ois Gimenez and Jean{-}Fran{\c{c}}ois Lalande and Val{\'{e}}rie Viet Triem Tong and Pierre Wilke}, title = {Debiasing Android Malware Datasets: How Can {I} Trust Your Results If Your Dataset Is Biased?}, journal = {{IEEE} Trans. Inf. Forensics Secur.}, volume = {17}, pages = {2182--2197}, year = {2022}, doi = {10.1109/TIFS.2022.3180184}, timestamp = {Thu, 25 Aug 2022 08:35:58 +0200}, biburl = {https://dblp.org/rec/journals/tifs/MirandaGLTW22.bib}, bibsource = {dblp computer science bibliography, https://dblp.org} } @inproceedings{Allix, title = {Are {{Your Training Datasets Yet Relevant}}?}, booktitle = {Engineering {{Secure Software}} and {{Systems}}}, author = {Allix, Kevin and Bissyand{\'e}, Tegawend{\'e} F. 
and Klein, Jacques and Le Traon, Yves}, year = {2015}, pages = {51--67}, doi = {10.1007/978-3-319-15618-7_5}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/RG6PLSKG/Allix - Unknown - Are Your Training Datasets Yet Relevant.pdf} } @inproceedings{pendlebury2019tesseract, title={TESSERACT: Eliminating experimental bias in malware classification across space and time}, author={Pendlebury, Feargus and Pierazzi, Fabio and Jordaney, Roberto and Kinder, Johannes and Cavallaro, Lorenzo and others}, booktitle={Proceedings of the 28th USENIX Security Symposium}, pages={729--746}, year={2019}, organization={USENIX Association} } @online{statcounter, author = {statcounter}, title = {Operating System Market Share Worldwide}, year = 2023, url = {https://gs.statcounter.com/os-market-share#monthly-200901-202304}, urldate = {2023-04-30} } @online{statista, author = {statista}, title = {Operating System Market Share Worldwide}, year = 2023, url = {https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/}, urldate = {2023-04-30} } @inproceedings{Arzt2014a, title = {{{FlowDroid}}: {{Precise Context}}, {{Flow}}, {{Field}}, {{Object-sensitive}} and {{Lifecycle-aware Taint Analysis}} for {{Android Apps}}}, booktitle = {{{ACM SIGPLAN Conference}} on {{Programming Language Design}} and {{Implementation}}}, author = {Arzt, Steven and Rasthofer, Siegfried and Fritz, Christian and Bodden, Eric and Bartel, Alexandre and Klein, Jacques and Le Traon, Yves and Octeau, Damien and McDaniel, Patrick}, date = {2014-06-05}, volume = {49}, number = {6}, pages = {259--269}, publisher = {{ACM Press}}, location = {{Edinburgh, UK}}, issn = {03621340}, doi = {10.1145/2666356.2594299}, keywords = {Static analysis}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/XS8BH65X/Arzt et al. 
- 2014 - FlowDroid Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps.pdf} } @article{blackshearThresherPreciseRefutations2013, title = {Thresher: Precise Refutations for Heap Reachability}, shorttitle = {Thresher}, author = {Blackshear, Sam and Chang, Bor-Yuh Evan and Sridharan, Manu}, date = {2013-06-23}, journaltitle = {ACM SIGPLAN Notices}, shortjournal = {SIGPLAN Not.}, volume = {48}, number = {6}, pages = {275--286}, issn = {0362-1340, 1558-1160}, doi = {10.1145/2499370.2462186}, urldate = {2023-02-11}, abstract = {We present a precise, path-sensitive static analysis for reasoning about heap reachability, that is, whether an object can be reached from another variable or object via pointer dereferences. Precise reachability information is useful for a number of clients, including static detection of a class of Android memory leaks. For this client, we found the heap reachability information computed by a state-of-the-art points-to analysis was too imprecise, leading to numerous false-positive leak reports. Our analysis combines a symbolic execution capable of path-sensitivity and strong updates with abstract heap information computed by an initial flow-insensitive points-to analysis. This novel mixed representation allows us to achieve both precision and scalability by leveraging the pre-computed points-to facts to guide execution and prune infeasible paths. We have evaluated our techniques in the Thresher tool, which we used to find several developer-confirmed leaks in Android applications.}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/QZ9T3NC6/Blackshear et al. 
- 2013 - Thresher precise refutations for heap reachabilit.pdf} } @article{CHOI2014620, title = {A Type and Effect System for Activation Flow of Components in {{Android}} Programs}, author = {Choi, Kwanghoon and Chang, Byeong-Mo}, date = {2014}, journaltitle = {Information Processing Letters}, volume = {114}, number = {11}, pages = {620--627}, issn = {0020-0190}, doi = {10.1016/j.ipl.2014.05.011}, abstract = {This paper proposes a type and effect system for analyzing activation flow between components through intents in Android programs. The activation flow information is necessary for all Android analyses such as a secure information flow analysis for Android programs. We first design a formal semantics for a core of featherweight Android/Java, which can address interaction between components through intents. Based on the formal semantics, we design a type and effect system for analyzing activation flow between components and demonstrate the soundness of the system.}, keywords = {Android,Control flow,Formal semantics,Java,Program analysis}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/MF5DRVJP/Choi et Chang - 2014 - A type and effect system for activation flow of co.pdf} } @inproceedings{DBLPconfndssGordonKPGNR15, title = {Information Flow Analysis of Android Applications in {{DroidSafe}}}, booktitle = {22nd Annual Network and Distributed System Security Symposium, {{NDSS}} 2015, San Diego, California, {{USA}}, February 8-11, 2015}, author = {Gordon, Michael I. and Kim, Deokhwan and Perkins, Jeff H. and Gilham, Limei and Nguyen, Nguyen and Rinard, Martin C.}, date = {2015}, publisher = {{The Internet Society}}, bibsource = {dblp computer science bibliography, https://dblp.org}, biburl = {https://dblp.org/rec/conf/ndss/GordonKPGNR15.bib}, timestamp = {Thu, 22 Dec 2022 16:51:59 +0100}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/6JGWR4R5/Gordon et al. 
- 2015 - Information flow analysis of android applications .pdf} } @inproceedings{DBLPconfndssPoeplauFBKV14, title = {Execute This! {{Analyzing}} Unsafe and Malicious Dynamic Code Loading in Android Applications}, booktitle = {21st Annual Network and Distributed System Security Symposium, {{NDSS}} 2014, San Diego, California, {{USA}}, February 23-26, 2014}, author = {Poeplau, Sebastian and Fratantonio, Yanick and Bianchi, Antonio and Kruegel, Christopher and Vigna, Giovanni}, date = {2014}, publisher = {{The Internet Society}}, bibsource = {dblp computer science bibliography, https://dblp.org}, biburl = {https://dblp.org/rec/conf/ndss/PoeplauFBKV14.bib}, timestamp = {Mon, 01 Feb 2021 08:42:18 +0100}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/CQX3FINC/Poeplau et al. - 2014 - Execute this! Analyzing unsafe and malicious dynam.pdf} } @inproceedings{DBLPconfoopslaAzimN13, title = {Targeted and Depth-First Exploration for Systematic Testing of Android Apps}, booktitle = {Proceedings of the 2013 {{ACM SIGPLAN}} International Conference on Object Oriented Programming Systems Languages \& Applications, {{OOPSLA}} 2013, Part of {{SPLASH}} 2013, Indianapolis, {{IN}}, {{USA}}, October 26-31, 2013}, author = {Azim, Tanzirul and Neamtiu, Iulian}, editor = {Hosking, Antony L. and Eugster, Patrick Th. 
and Lopes, Cristina V.}, date = {2013}, pages = {641--660}, publisher = {{ACM}}, doi = {10.1145/2509136.2509549}, bibsource = {dblp computer science bibliography, https://dblp.org}, biburl = {https://dblp.org/rec/conf/oopsla/AzimN13.bib}, timestamp = {Thu, 24 Jun 2021 16:19:30 +0200}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/MVEBFDE8/Azim et Neamtiu - 2013 - Targeted and depth-first exploration for systemati.pdf} } @inproceedings{fahlWhyEveMallory2012, title = {Why Eve and Mallory Love Android: An Analysis of Android {{SSL}} (in)Security}, shorttitle = {Why Eve and Mallory Love Android}, booktitle = {Proceedings of the 2012 {{ACM}} Conference on {{Computer}} and Communications Security}, author = {Fahl, Sascha and Harbach, Marian and Muders, Thomas and Baumgärtner, Lars and Freisleben, Bernd and Smith, Matthew}, date = {2012-10-16}, pages = {50--61}, publisher = {{ACM}}, location = {{Raleigh North Carolina USA}}, doi = {10.1145/2382196.2382205}, urldate = {2023-02-11}, eventtitle = {{{CCS}}'12: The {{ACM Conference}} on {{Computer}} and {{Communications Security}}}, isbn = {978-1-4503-1651-4}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/J3FSBFJ7/Fahl et al. 
- 2012 - Why eve and mallory love android an analysis of a.pdf} } @inproceedings{gasconStructuralDetectionAndroid2013, title = {Structural Detection of Android Malware Using Embedded Call Graphs}, booktitle = {Proceedings of the 2013 {{ACM}} Workshop on {{Artificial}} Intelligence and Security}, author = {Gascon, Hugo and Yamaguchi, Fabian and Arp, Daniel and Rieck, Konrad}, date = {2013-11-04}, pages = {45--54}, publisher = {{ACM}}, location = {{Berlin Germany}}, doi = {10.1145/2517312.2517315}, urldate = {2023-02-11}, eventtitle = {{{CCS}}'13: 2013 {{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, isbn = {978-1-4503-2488-5}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/9LF4FR8Y/2517312.2517315.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/YYVYSARX/Gascon et al. - 2013 - Structural detection of android malware using embe.pdf} } @article{geneiatakisPermissionVerificationApproach2015, title = {A {{Permission}} Verification Approach for Android Mobile Applications}, author = {Geneiatakis, Dimitris and Fovino, Igor Nai and Kounelis, Ioannis and Stirparo, Pasquale}, date = {2015-03}, journaltitle = {Computers \& Security}, shortjournal = {Computers \& Security}, volume = {49}, pages = {192--205}, issn = {01674048}, doi = {10.1016/j.cose.2014.10.005}, urldate = {2023-02-11}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/ENIVR8EY/Geneiatakis et al. 
- 2015 - A Permission verification approach for android mob.pdf} } @inproceedings{hoffmannSlicingDroidsProgram2013, title = {Slicing Droids: Program Slicing for Smali Code}, shorttitle = {Slicing Droids}, booktitle = {Proceedings of the 28th {{Annual ACM Symposium}} on {{Applied Computing}}}, author = {Hoffmann, Johannes and Ussath, Martin and Holz, Thorsten and Spreitzenbarth, Michael}, date = {2013-03-18}, series = {{{SAC}} '13}, pages = {1844--1851}, publisher = {{Association for Computing Machinery}}, location = {{New York, NY, USA}}, doi = {10.1145/2480362.2480706}, urldate = {2022-10-26}, abstract = {The popularity of mobile devices like smartphones and tablets has increased significantly in the last few years with many millions of sold devices. This growth also has its drawbacks: attackers have realized that smartphones are an attractive target and in the last months many different kinds of malicious software (short: malware) for such devices have emerged. This worrisome development has the potential to hamper the prospering ecosystem of mobile devices and the potential for damage is huge. Considering these aspects, it is evident that malicious apps need to be detected early on in order to prevent further distribution and infections. This implies that it is necessary to develop techniques capable of detecting malicious apps in an automated way. In this paper, we present SAAF, a Static Android Analysis Framework for Android apps. SAAF analyzes smali code, a disassembled version of the DEX format used by Android's Java VM implementation. Our goal is to create program slices in order to perform data-flow analyses to backtrack parameters used by a given method. This helps us to identify suspicious code regions in an automated way. Several other analysis techniques such as visualization of control flow graphs or identification of ad-related code are also implemented in SAAF. 
In this paper, we report on program slicing for Android and present results obtained by using this technique to analyze more than 136,000 benign and about 6,100 malicious apps.}, isbn = {978-1-4503-1656-9}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/XC3Z9ELA/Hoffmann et al. - 2013 - Slicing droids program slicing for smali code.pdf} } @inproceedings{jeonDrAndroidMr2012, title = {Dr. {{Android}} and {{Mr}}. {{Hide}}: Fine-Grained Permissions in Android Applications}, shorttitle = {Dr. {{Android}} and {{Mr}}. {{Hide}}}, booktitle = {Proceedings of the Second {{ACM}} Workshop on {{Security}} and Privacy in Smartphones and Mobile Devices}, author = {Jeon, Jinseong and Micinski, Kristopher K. and Vaughan, Jeffrey A. and Fogel, Ari and Reddy, Nikhilesh and Foster, Jeffrey S. and Millstein, Todd}, date = {2012-10-19}, pages = {3--14}, publisher = {{ACM}}, location = {{Raleigh North Carolina USA}}, doi = {10.1145/2381934.2381938}, urldate = {2023-02-10}, eventtitle = {{{CCS}}'12: The {{ACM Conference}} on {{Computer}} and {{Communications Security}}}, isbn = {978-1-4503-1666-8}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/99J6WNGV/Jeon et al. - 2012 - Dr. Android and Mr. 
Hide fine-grained permissions.pdf} } @inproceedings{klieberAndroidTaintFlow2014, title = {Android Taint Flow Analysis for App Sets}, booktitle = {Proceedings of the 3rd {{ACM SIGPLAN International Workshop}} on the {{State}} of the {{Art}} in {{Java Program Analysis}}}, author = {Klieber, William and Flynn, Lori and Bhosale, Amar and Jia, Limin and Bauer, Lujo}, date = {2014-06-12}, pages = {1--6}, publisher = {{ACM}}, location = {{Edinburgh United Kingdom}}, doi = {10.1145/2614628.2614633}, urldate = {2023-02-10}, eventtitle = {{{PLDI}} '14: {{ACM SIGPLAN Conference}} on {{Programming Language Design}} and {{Implementation}}}, isbn = {978-1-4503-2919-4}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/8X6YV3IE/2614628.2614633.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/9DBAXR49/Klieber et al. - 2014 - Android taint flow analysis for app sets.pdf} } @inproceedings{liangSoundPreciseMalware2013, title = {Sound and Precise Malware Analysis for Android via Pushdown Reachability and Entry-Point Saturation}, booktitle = {Proceedings of the {{Third ACM}} Workshop on {{Security}} and Privacy in Smartphones \& Mobile Devices}, author = {Liang, Shuying and Keep, Andrew W. and Might, Matthew and Lyde, Steven and Gilray, Thomas and Aldous, Petey and Van Horn, David}, date = {2013-11-08}, series = {{{SPSM}} '13}, pages = {21--32}, publisher = {{Association for Computing Machinery}}, location = {{New York, NY, USA}}, doi = {10.1145/2516760.2516769}, urldate = {2023-02-08}, abstract = {Sound malware analysis of Android applications is challenging. First, object-oriented programs exhibit highly interprocedural, dynamically dispatched control structure. Second, the Android programming paradigm relies heavily on the asynchronous execution of multiple entry points. Existing analysis techniques focus more on the second challenge, while relying on traditional analytic techniques that suffer from inherent imprecision or unsoundness to solve the first. 
We present Anadroid, a static malware analysis framework for Android apps. Anadroid exploits two techniques to soundly raise precision: (1) it uses a pushdown system to precisely model dynamically dispatched interprocedural and exception-driven control-flow; (2) it uses Entry-Point Saturation (EPS) to soundly approximate all possible interleavings of asynchronous entry points in Android applications. (It also integrates static taint-flow analysis and least permissions analysis to expand the class of malicious behaviors which it can catch.) Anadroid provides rich user interface support for human analysts which must ultimately rule on the "maliciousness" of a behavior. To demonstrate the effectiveness of Anadroid's malware analysis, we had teams of analysts analyze a challenge suite of 52 Android applications released as part of the Automated Program Analysis for Cybersecurity (APAC) DARPA program. The first team analyzed the apps using a version of Anadroid that uses traditional (finite-state-machine-based) control-flow-analysis found in existing malware analysis tools; the second team analyzed the apps using a version of Anadroid that uses our enhanced pushdown-based control-flow-analysis. We measured machine analysis time, human analyst time, and their accuracy in flagging malicious applications. With pushdown analysis, we found statistically significant (p {$<$} 0.05) decreases in time: from 85 minutes per app to 35 minutes per app in human plus machine analysis time; and statistically significant (p {$<$} 0.05) increases in accuracy with the pushdown-driven analyzer: from 71\% correct identification to 95\% correct identification.}, isbn = {978-1-4503-2491-5}, keywords = {abstract interpretation,malware detection,pushdown systems,static analysis,taint analysis}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/QKCQ4LWI/Liang et al. 
- 2013 - Sound and precise malware analysis for android via.pdf} } @inproceedings{liIccTADetectingInterComponent2015, title = {{{IccTA}}: {{Detecting Inter-Component Privacy Leaks}} in {{Android Apps}}}, shorttitle = {{{IccTA}}}, booktitle = {2015 {{IEEE}}/{{ACM}} 37th {{IEEE International Conference}} on {{Software Engineering}}}, author = {Li, Li and Bartel, Alexandre and Bissyande, Tegawende F. and Klein, Jacques and Le Traon, Yves and Arzt, Steven and Rasthofer, Siegfried and Bodden, Eric and Octeau, Damien and McDaniel, Patrick}, date = {2015-05}, pages = {280--291}, publisher = {{IEEE}}, location = {{Florence, Italy}}, doi = {10.1109/ICSE.2015.48}, url = {http://ieeexplore.ieee.org/document/7194581/}, urldate = {2023-02-11}, eventtitle = {2015 {{IEEE}}/{{ACM}} 37th {{IEEE International Conference}} on {{Software Engineering}} ({{ICSE}})}, isbn = {978-1-4799-1934-5}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/8HDRKSA2/IccTA_Detecting_Inter-Component_Privacy_Leaks_in_Android_Apps.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/K749QIGK/Li et al. - 2015 - IccTA Detecting Inter-Component Privacy Leaks in .pdf} } @inproceedings{lillackTrackingLoadtimeConfiguration2014, title = {Tracking Load-Time Configuration Options}, booktitle = {Proceedings of the 29th {{ACM}}/{{IEEE International Conference}} on {{Automated Software Engineering}}}, author = {Lillack, Max and Kästner, Christian and Bodden, Eric}, date = {2014-09-15}, series = {{{ASE}} '14}, pages = {445--456}, publisher = {{Association for Computing Machinery}}, location = {{New York, NY, USA}}, doi = {10.1145/2642937.2643001}, url = {https://doi.org/10.1145/2642937.2643001}, urldate = {2023-02-08}, abstract = {Highly-configurable software systems are pervasive, although configuration options and their interactions raise complexity of the program and increase maintenance effort. 
Especially load-time configuration options, such as parameters from command-line options or configuration files, are used with standard programming constructs such as variables and if statements intermixed with the program's implementation; manually tracking configuration options from the time they are loaded to the point where they may influence control-flow decisions is tedious and error prone. We design and implement Lotrack, an extended static taint analysis to automatically track configuration options. Lotrack derives a configuration map that explains for each code fragment under which configurations it may be executed. An evaluation on Android applications shows that Lotrack yields high accuracy with reasonable performance. We use Lotrack to empirically characterize how much of the implementation of Android apps depends on the platform's configuration options or interactions of these options.}, isbn = {978-1-4503-3013-8}, keywords = {configuration options,static analysis,variability mining}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/3BNMD58Z/Lillack et al. - 2014 - Tracking load-time configuration options.pdf} } @inproceedings{liuCharacterizingDetectingPerformance2014, title = {Characterizing and Detecting Performance Bugs for Smartphone Applications}, booktitle = {Proceedings of the 36th {{International Conference}} on {{Software Engineering}}}, author = {Liu, Yepang and Xu, Chang and Cheung, Shing-Chi}, date = {2014-05-31}, pages = {1013--1024}, publisher = {{ACM}}, location = {{Hyderabad India}}, doi = {10.1145/2568225.2568229}, url = {https://dl.acm.org/doi/10.1145/2568225.2568229}, urldate = {2023-02-11}, eventtitle = {{{ICSE}} '14: 36th {{International Conference}} on {{Software Engineering}}}, isbn = {978-1-4503-2756-5}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/8JE5EF72/Liu et al. 
- 2014 - Characterizing and detecting performance bugs for .pdf} } @inproceedings{octeauCompositeConstantPropagation2015, title = {Composite {{Constant Propagation}}: {{Application}} to {{Android Inter-Component Communication Analysis}}}, shorttitle = {Composite {{Constant Propagation}}}, booktitle = {2015 {{IEEE}}/{{ACM}} 37th {{IEEE International Conference}} on {{Software Engineering}}}, author = {Octeau, Damien and Luchaup, Daniel and Dering, Matthew and Jha, Somesh and McDaniel, Patrick}, date = {2015-05}, pages = {77--88}, publisher = {{IEEE}}, location = {{Florence, Italy}}, doi = {10.1109/ICSE.2015.30}, url = {http://ieeexplore.ieee.org/document/7194563/}, urldate = {2023-02-11}, eventtitle = {2015 {{IEEE}}/{{ACM}} 37th {{IEEE International Conference}} on {{Software Engineering}} ({{ICSE}})}, isbn = {978-1-4799-1934-5}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/INM9WAVU/Octeau et al. - 2015 - Composite Constant Propagation Application to And.pdf} } @inproceedings{rountevStaticReferenceAnalysis2014, title = {Static {{Reference Analysis}} for {{GUI Objects}} in {{Android Software}}}, booktitle = {Proceedings of {{Annual IEEE}}/{{ACM International Symposium}} on {{Code Generation}} and {{Optimization}}}, author = {Rountev, Atanas and Yan, Dacong}, date = {2014-02-15}, pages = {143--153}, publisher = {{ACM}}, location = {{Orlando FL USA}}, doi = {10.1145/2544137.2544159}, url = {https://dl.acm.org/doi/10.1145/2544137.2544159}, urldate = {2023-02-11}, eventtitle = {{{CGO}} '14: 12th {{Annual IEEE}}/{{ACM International Symposium}} on {{Code Generation}} and {{Optimization}}}, isbn = {978-1-4503-2670-4}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/QWSPKRZ4/Rountev et Yan - 2014 - Static Reference Analysis for GUI Objects in Andro.pdf} } @inproceedings{shenInformationFlowsPermission2014, title = {Information Flows as a Permission Mechanism}, booktitle = {Proceedings of the 29th {{ACM}}/{{IEEE International Conference}} 
on {{Automated Software Engineering}}}, author = {Shen, Feng and Vishnubhotla, Namita and Todarka, Chirag and Arora, Mohit and Dhandapani, Babu and Lehner, Eric John and Ko, Steven Y. and Ziarek, Lukasz}, date = {2014-09-15}, pages = {515--526}, publisher = {{ACM}}, location = {{Vasteras Sweden}}, doi = {10.1145/2642937.2643018}, url = {https://dl.acm.org/doi/10.1145/2642937.2643018}, urldate = {2023-02-11}, eventtitle = {{{ASE}} '14: {{ACM}}/{{IEEE International Conference}} on {{Automated Software Engineering}}}, isbn = {978-1-4503-3013-8}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/ZQSXYZNX/Shen et al. - 2014 - Information flows as a permission mechanism.pdf} } @inproceedings{titzeAppareciumRevealingData2015, title = {Apparecium: {{Revealing Data Flows}} in {{Android Applications}}}, shorttitle = {Apparecium}, booktitle = {2015 {{IEEE}} 29th {{International Conference}} on {{Advanced Information Networking}} and {{Applications}}}, author = {Titze, Dennis and Schutte, Julian}, date = {2015-03}, pages = {579--586}, publisher = {{IEEE}}, location = {{Gwangiu, South Korea}}, doi = {10.1109/AINA.2015.239}, url = {http://ieeexplore.ieee.org/document/7098024/}, urldate = {2023-02-11}, eventtitle = {2015 {{IEEE}} 29th {{International Conference}} on {{Advanced Information Networking}} and {{Applications}} ({{AINA}})}, isbn = {978-1-4799-7905-9}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/T6I4SND6/Titze et Schutte - 2015 - Apparecium Revealing Data Flows in Android Applic.pdf} } @inproceedings{vidasA5AutomatedAnalysis2014, title = {A5: {{Automated Analysis}} of {{Adversarial Android Applications}}}, shorttitle = {A5}, booktitle = {Proceedings of the 4th {{ACM Workshop}} on {{Security}} and {{Privacy}} in {{Smartphones}} \& {{Mobile Devices}}}, author = {Vidas, Timothy and Tan, Jiaqi and Nahata, Jay and Tan, Chaur Lih and Christin, Nicolas and Tague, Patrick}, date = {2014-11-07}, pages = {39--50}, publisher = {{ACM}}, 
location = {{Scottsdale Arizona USA}}, doi = {10.1145/2666620.2666630}, url = {https://dl.acm.org/doi/10.1145/2666620.2666630}, urldate = {2023-02-11}, eventtitle = {{{CCS}}'14: 2014 {{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, isbn = {978-1-4503-3155-5}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/CPKK7RNR/2666620.2666630.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/LJCIRR3J/Vidas et al. - 2014 - A5 Automated Analysis of Adversarial Android Appl.pdf} } @article{weiAmandroidPreciseGeneral2018, title = {Amandroid: {{A Precise}} and {{General Inter-component Data Flow Analysis Framework}} for {{Security Vetting}} of {{Android Apps}}}, shorttitle = {Amandroid}, author = {Wei, Fengguo and Roy, Sankardas and Ou, Xinming and {Robby}}, date = {2018-08-31}, journaltitle = {ACM Transactions on Privacy and Security}, shortjournal = {ACM Trans. Priv. Secur.}, volume = {21}, number = {3}, pages = {1--32}, issn = {2471-2566, 2471-2574}, doi = {10.1145/3183575}, url = {https://dl.acm.org/doi/10.1145/3183575}, urldate = {2023-02-11}, abstract = {We present a new approach to static analysis for security vetting of Android apps and a general framework called Amandroid. Amandroid determines points-to information for all objects in an Android app component in a flow and context-sensitive (user-configurable) way and performs data flow and data dependence analysis for the component. Amandroid also tracks inter-component communication activities. It can stitch the component-level information into the app-level information to perform intra-app or inter-app analysis. 
In this article, (a) we show that the aforementioned type of comprehensive app analysis is completely feasible in terms of computing resources with modern hardware, (b) we demonstrate that one can easily leverage the results from this general analysis to build various types of specialized security analyses—in many cases the amount of additional coding needed is around 100 lines of code, and (c) the result of those specialized analyses leveraging Amandroid is at least on par and often exceeds prior works designed for the specific problems, which we demonstrate by comparing Amandroid’s results with those of prior works whenever we can obtain the executable of those tools. Since Amandroid’s analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid’s analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on Android runtime system and its library.}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/5IDHRP5H/Wei et al. - 2018 - Amandroid A Precise and General Inter-component D.pdf} } @article{wognsenFormalisationAnalysisDalvik2014, title = {Formalisation and Analysis of {{Dalvik}} Bytecode}, author = {Wognsen, Erik Ramsgaard and Karlsen, Henrik Søndberg and Olesen, Mads Chr. and Hansen, René Rydhof}, date = {2014-10}, journaltitle = {Science of Computer Programming}, shortjournal = {Science of Computer Programming}, volume = {92}, pages = {25--55}, issn = {01676423}, doi = {10.1016/j.scico.2013.11.037}, url = {https://linkinghub.elsevier.com/retrieve/pii/S0167642313003304}, urldate = {2023-02-11}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/69DQRABJ/Wognsen et al. 
- 2014 - Formalisation and analysis of Dalvik bytecode.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/X9LQ5YCI/1-s2.0-S0167642313003304-main.pdf} } @inproceedings{yangStaticControlFlowAnalysis2015, title = {Static {{Control-Flow Analysis}} of {{User-Driven Callbacks}} in {{Android Applications}}}, booktitle = {2015 {{IEEE}}/{{ACM}} 37th {{IEEE International Conference}} on {{Software Engineering}}}, author = {Yang, Shengqian and Yan, Dacong and Wu, Haowei and Wang, Yan and Rountev, Atanas}, date = {2015-05}, pages = {89--99}, publisher = {{IEEE}}, location = {{Florence, Italy}}, doi = {10.1109/ICSE.2015.31}, url = {http://ieeexplore.ieee.org/document/7194564/}, urldate = {2023-02-11}, eventtitle = {2015 {{IEEE}}/{{ACM}} 37th {{IEEE International Conference}} on {{Software Engineering}} ({{ICSE}})}, isbn = {978-1-4799-1934-5}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/LH7HE28Q/Yang et al. - 2015 - Static Control-Flow Analysis of User-Driven Callba.pdf} } @inproceedings{zhauniarovichStaDynAAddressingProblem2015, title = {{{StaDynA}}: {{Addressing}} the {{Problem}} of {{Dynamic Code Updates}} in the {{Security Analysis}} of {{Android Applications}}}, shorttitle = {{{StaDynA}}}, booktitle = {Proceedings of the 5th {{ACM Conference}} on {{Data}} and {{Application Security}} and {{Privacy}}}, author = {Zhauniarovich, Yury and Ahmad, Maqsood and Gadyatskaya, Olga and Crispo, Bruno and Massacci, Fabio}, date = {2015-03-02}, pages = {37--48}, publisher = {{ACM}}, location = {{San Antonio Texas USA}}, doi = {10.1145/2699026.2699105}, url = {https://dl.acm.org/doi/10.1145/2699026.2699105}, urldate = {2023-02-11}, eventtitle = {{{CODASPY}}'15: {{Fifth ACM Conference}} on {{Data}} and {{Application Security}} and {{Privacy}}}, isbn = {978-1-4503-3191-3}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/Z9BCFAJY/Zhauniarovich et al. 
- 2015 - StaDynA Addressing the Problem of Dynamic Code Up.pdf} } @article{Li2017, title = {Static Analysis of Android Apps: {{A}} Systematic Literature Review}, author = {Li, Li and Bissyandé, Tegawendé F. and Papadakis, Mike and Rasthofer, Siegfried and Bartel, Alexandre and Octeau, Damien and Klein, Jacques and Le Traon, Yves}, date = {2017}, journaltitle = {Information and Software Technology}, volume = {88}, pages = {67--95}, issn = {09505849}, doi = {10.1016/j.infsof.2017.04.001}, abstract = {Context Static analysis exploits techniques that parse program source code or bytecode, often traversing program paths to check some program properties. Static analysis approaches have been proposed for different tasks, including for assessing the security of Android apps, detecting app clones, automating test cases generation, or for uncovering non-functional issues related to performance or energy. The literature thus has proposed a large body of works, each of which attempts to tackle one or more of the several challenges that program analyzers face when dealing with Android apps. Objective We aim to provide a clear view of the state-of-the-art works that statically analyze Android apps, from which we highlight the trends of static analysis approaches, pinpoint where the focus has been put, and enumerate the key aspects where future researches are still needed. Method We have performed a systematic literature review (SLR) which involves studying 124 research papers published in software engineering, programming languages and security venues in the last 5 years (January 2011–December 2015). This review is performed mainly in five dimensions: problems targeted by the approach, fundamental techniques used by authors, static analysis sensitivities considered, android characteristics taken into account and the scale of evaluation performed. 
Results Our in-depth examination has led to several key findings: 1) Static analysis is largely performed to uncover security and privacy issues; 2) The Soot framework and the Jimple intermediate representation are the most adopted basic support tool and format, respectively; 3) Taint analysis remains the most applied technique in research approaches; 4) Most approaches support several analysis sensitivities, but very few approaches consider path-sensitivity; 5) There is no single work that has been proposed to tackle all challenges of static analysis that are related to Android programming; and 6) Only a small portion of state-of-the-art works have made their artifacts publicly available. Conclusion The research community is still facing a number of challenges for building approaches that are aware altogether of implicit-Flows, dynamic code loading features, reflective calls, native code and multi-threading, in order to implement sound and highly precise static analyzers.}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/3JL36E6L/1-s2.0-S0950584917302987-main.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/4M2MB6RS/Li et al. 
- 2017 - Static analysis of android apps A systematic lite.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/U77CUK9D/S0950584917302987.html} } @article{luoTaintBenchAutomaticRealworld2022, title = {{{TaintBench}}: {{Automatic}} Real-World Malware Benchmarking of {{Android}} Taint Analyses}, shorttitle = {{{TaintBench}}}, author = {Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}, date = {2022-01}, journaltitle = {Empirical Software Engineering}, shortjournal = {Empir Software Eng}, volume = {27}, number = {1}, pages = {16}, issn = {1382-3256, 1573-7616}, doi = {10.1007/s10664-021-10013-5}, url = {https://link.springer.com/10.1007/s10664-021-10013-5}, urldate = {2023-02-13}, abstract = {Abstract Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench , the first real-world malware benchmark suite with documented taint flows. TaintBench benchmark apps include taint flows with complex structures, and addresses static challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. 
Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid : (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/8UTN2I89/Luo et al. - 2022 - TaintBench Automatic real-world malware benchmark.pdf} } @inproceedings{pauckAndroidTaintAnalysis2018, title = {Do {{Android}} Taint Analysis Tools Keep Their Promises?}, booktitle = {Proceedings of the 2018 26th {{ACM Joint Meeting}} on {{European Software Engineering Conference}} and {{Symposium}} on the {{Foundations}} of {{Software Engineering}}}, author = {Pauck, Felix and Bodden, Eric and Wehrheim, Heike}, date = {2018-10-26}, pages = {331--341}, publisher = {{ACM}}, location = {{Lake Buena Vista FL USA}}, doi = {10.1145/3236024.3236029}, url = {https://dl.acm.org/doi/10.1145/3236024.3236029}, urldate = {2023-02-13}, eventtitle = {{{ESEC}}/{{FSE}} '18: 26th {{ACM Joint European Software Engineering Conference}} and {{Symposium}} on the {{Foundations}} of {{Software Engineering}}}, isbn = {978-1-4503-5573-5}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/DSMG5QEE/3236024.3236029.pdf;/home/jf/snap/zotero-snap/common/Zotero/storage/JVQWJV6Z/Pauck et al. 
- 2018 - Do Android taint analysis tools keep their promise.pdf} } @inproceedings{bosuCollusiveDataLeak2017, title = {Collusive {{Data Leak}} and {{More}}: {{Large-scale Threat Analysis}} of {{Inter-app Communications}}}, shorttitle = {Collusive {{Data Leak}} and {{More}}}, booktitle = {Proceedings of the 2017 {{ACM}} on {{Asia Conference}} on {{Computer}} and {{Communications Security}}}, author = {Bosu, Amiangshu and Liu, Fang and Yao, Danfeng (Daphne) and Wang, Gang}, date = {2017-04-02}, pages = {71--85}, publisher = {{ACM}}, location = {{Abu Dhabi United Arab Emirates}}, doi = {10.1145/3052973.3053004}, url = {https://dl.acm.org/doi/10.1145/3052973.3053004}, urldate = {2023-02-13}, eventtitle = {{{ASIA CCS}} '17: {{ACM Asia Conference}} on {{Computer}} and {{Communications Security}}}, isbn = {978-1-4503-4944-4}, langid = {english}, file = {/home/jf/snap/zotero-snap/common/Zotero/storage/KGRWZUY8/Bosu et al. - 2017 - Collusive Data Leak and More Large-scale Threat A.pdf} }, @article{desnos:adnroguard:2011, title={Android: From Reversing to Decompilation}, author={Desnos, Anthony and Gueguen, Geoffroy}, journal={Black Hat Abu Dhabi}, year={2011}, url={https://media.blackhat.com/bh-ad-11/Desnos/bh-ad-11-DesnosGueguen-Andriod-Reversing_to_Decompilation_WP.pdf}, }, @article{reaves_droid_2016, title = {*droid: {Assessment} and {Evaluation} of {Android} {Application} {Analysis} {Tools}}, volume = {49}, issn = {0360-0300}, shorttitle = {*droid}, url = {https://doi.org/10.1145/2996358}, doi = {10.1145/2996358}, abstract = {The security research community has invested significant effort in improving the security of Android applications over the past half decade. This effort has addressed a wide range of problems and resulted in the creation of many tools for application analysis. In this article, we perform the first systematization of Android security research that analyzes applications, characterizing the work published in more than 17 top venues since 2010. 
We categorize each paper by the types of problems they solve, highlight areas that have received the most attention, and note whether tools were ever publicly released for each effort. Of the released tools, we then evaluate a representative sample to determine how well application developers can apply the results of our community’s efforts to improve their products. We find not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues ranging from lack of maintenance to the inability to produce functional output for applications with known vulnerabilities. We close by offering suggestions on how the community can more successfully move forward.}, number = {3}, urldate = {2023-01-10}, journal = {ACM Computing Surveys}, author = {Reaves, Bradley and Bowers, Jasmine and Gorski III, Sigmund Albert and Anise, Olabode and Bobhate, Rahul and Cho, Raymond and Das, Hiranava and Hussain, Sharique and Karachiwala, Hamza and Scaife, Nolen and Wright, Byron and Butler, Kevin and Enck, William and Traynor, Patrick}, month = oct, year = {2016}, keywords = {Android, application security, program analysis}, pages = {55:1--55:30}, file = {Full Text PDF:/home/histausse/Zotero/storage/8JZFY54J/Reaves et al. - 2016 - droid Assessment and Evaluation of Android Appli.pdf:application/pdf}, } @inproceedings{mauthe_large-scale_2021, title = {A {Large}-{Scale} {Empirical} {Study} of {Android} {App} {Decompilation}}, doi = {10.1109/SANER50967.2021.00044}, abstract = {Decompilers are indispensable tools in Android malware analysis and app security auditing. Numerous academic works also employ an Android decompiler as the first step in a program analysis pipeline. In such settings, decompilation is frequently regarded as a "solved" problem, in that it is simply expected that source code can be accurately recovered from an app. 
While a large proportion of methods in an app can typically be decompiled successfully, it is common that at least some methods fail to decompile. In order to better understand the practical applicability of techniques in which decompilation is used as part of an automated analysis, it is important to know the actual expected failure rate of Android decompilation. To this end, we have performed what is, to the best of our knowledge, the first large-scale study of Android decompilation failure rates. We have used three sets of apps, consisting of, respectively, 3,018 open-source apps, 13,601 apps from a recent crawl of Google Play, and a collection of 24,553 malware samples. In addition to the state-of-the-art Dalvik bytecode decompiler jadx, we used three popular Java decompilers. While jadx achieves an impressively low failure rate of only 0.02\% failed methods per app on average, we found that it manages to recover source code for all methods in only 21\% of the Google Play apps. We have also sought to better understand the degree to which in-the-wild obfuscation techniques can prevent decompilation. Our empirical evaluation, complemented with an in-depth manual analysis of a number of apps, indicates that code obfuscation is quite rarely encountered, even in malicious apps. Moreover, decompilation failures mostly appear to be caused by technical limitations in decompilers, rather than by deliberate attempts to thwart source-code recovery by obfuscation.
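This is an encouraging finding, as it indicates that near-perfect Android decompilation is, at least in theory, achievable, with implementation-level improvements to decompilation tools.}, booktitle = {2021 {IEEE} {International} {Conference} on {Software} {Analysis}, {Evolution} and {Reengineering} ({SANER})}, author = {Mauthe, Noah and Kargén, Ulf and Shahmehri, Nahid}, month = mar, year = {2021}, note = {ISSN: 1534-5351}, keywords = {Android, Java, Malware, malware, reverse engineering, mobile apps, obfuscation, Tools, Conferences, decompilation, Manuals, Pipelines, Process control}, pages = {400--410}, file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/RWT9CKBF/9425937.html:text/html;Mauthe et al. - 2021 - A Large-Scale Empirical Study of Android App Decom.pdf:/home/histausse/Zotero/storage/I8KKRIJV/Mauthe et al. - 2021 - A Large-Scale Empirical Study of Android App Decom.pdf:application/pdf}, }

@article{9118907,
  author   = {Pan, Ya and Ge, Xiuting and Fang, Chunrong and Fan, Yong},
  title    = {A Systematic Literature Review of {Android} Malware Detection Using Static Analysis},
  journal  = {{IEEE} Access},
  year     = {2020},
  volume   = {8},
  pages    = {116363--116379},
  keywords = {Malware;Static analysis;Feature extraction;Analytical models;Bibliographies;Sensitivity;Systematics;Android malware detection;static analysis;systematic literature review},
  doi      = {10.1109/ACCESS.2020.3002842},
}

% Packed-application detection, unpacking and runtime-obfuscation papers.

@inproceedings{zhang2015dexhunter,
  author    = {Zhang, Yueqian and Luo, Xiapu and Yin, Haoyang},
  title     = {{Dexhunter}: toward extracting hidden code from packed {Android} applications},
  booktitle = {European Symposium on Research in Computer Security},
  number    = {20},
  address   = {Vienna, Austria},
  pages     = {293--311},
  month     = nov,
  year      = {2015},
  publisher = {Springer},
}

@inproceedings{liao2016automated,
  author    = {Liao, Yibin and Li, Jiakuan and Li, Bo and Zhu, Guodong and Yin, Yue and Cai, Ruoyan},
  title     = {Automated Detection and Classification for Packed {Android} Applications},
  booktitle = {International Conference on Mobile Services},
  address   = {San Francisco, USA},
  pages     = {200--203},
  month     = jun,
  year      = {2016},
  publisher = {IEEE},
}

@inproceedings{xue2017adaptive,
  author    = {Xue, Lei and Luo, Xiapu and Yu, Le and Wang, Shuai and Wu, Dinghao},
  title     = {Adaptive unpacking of {Android} apps},
  booktitle = {International Conference on Software Engineering},
  number    = {39},
  address   = {Buenos Aires, Argentina},
  pages     = {358--369},
  month     = may,
  year      = {2017},
  publisher = {IEEE},
}

@inproceedings{wong2018tackling,
  author    = {Wong, Michelle Y and Lie, David},
  title     = {Tackling runtime-based obfuscation in {Android} with {TIRO}},
  booktitle = {{USENIX} Security Symposium},
  number    = {27},
  address   = {Baltimore, USA},
  pages     = {1247--1262},
  month     = aug,
  year      = {2018},
  publisher = {USENIX},
}

@article{Egele2012, title = {A survey on automated dynamic malware-analysis techniques and tools}, volume = {44}, issn = {03600300}, doi = {10.1145/2089125.2089126}, number = {2}, journaltitle = {{ACM} Computing Surveys}, author = {Egele, Manuel and Scholte, Theodoor and Kirda, Engin and Kruegel, Christopher}, date = {2012}, note = {{ISBN}: 0360-0300}, file = {PDF:/home/jf/Zotero/storage/6FHSYVW2/Egele et al.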
- 2012 - A survey on automated dynamic malware-analysis techniques and tools.pdf:application/pdf}, } @inproceedings{Arzt2013, location = {Rennes, France}, title = {Instrumenting Android and Java Applications as Easy as abc}, volume = {8174}, isbn = {978-3-642-40786-4}, doi = {10.1007/978-3-642-40787-1_26}, pages = {364--381}, booktitle = {Fourth International Conference on Runtime Verification}, publisher = {Springer Berlin Heidelberg}, author = {Arzt, Steven and Rasthofer, Siegfried and Bodden, Eric}, date = {2013-09}, note = {Series Title: {LNCS}}, keywords = {★, security, dynamic analysis, android, java, runtime}, file = {PDF:/home/jf/Zotero/storage/LPNNXEJI/Arzt, Rasthofer, Bodden - 2013 - Instrumenting Android and Java Applications as Easy as abc.pdf:application/pdf}, } @inproceedings{mineau_evaluating_2024, location = {Limassol, Cyprus}, title = {Evaluating the Reusability of Android Static Analysis Tools}, volume = {{LNCS} 14614}, rights = {All rights reserved}, url = {http://dx.doi.org/10.1007/978-3-031-66459-5_10}, doi = {10.1007/978-3-031-66459-5_10}, series = {{LNCS}}, shorttitle = {Rank B in {CORE}.}, pages = {153--170}, booktitle = {{ICSR} 2024 - 21st International Conference on Software and Systems Reuse}, publisher = {Springer}, author = {Mineau, Jean-Marie and Lalande, Jean-François}, date = {2024-06}, note = {Medium: {ICSR} 2024}, } @inproceedings{Duan2018, title = {Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation}, booktitle = {24th Annual Network and Distributed System Security Symposium}, author = {Duan, Yue and Zhang, Mu and Bhaskar, Abhishek Vasisht and Yin, Heng and Pan, Xiaorui and Li, Tongxin and Wang, Xueqiang and Wang, Xiaofeng}, date = {2018}, note = {Issue: February}, keywords = {★}, file = {PDF:/home/jf/Zotero/storage/Y3TWNQKP/Duan et al. 
- 2018 - Things You May Not Know About Android (Un)Packers A Systematic Study based on Whole-System Emulation.pdf:application/pdf}, } @article{he_systematic_2023, title = {A {Systematic} {Study} of {Android} {Non}-{SDK} ({Hidden}) {Service} {API} {Security}}, volume = {20}, issn = {1941-0018}, url = {https://ieeexplore.ieee.org/abstract/document/9739878}, doi = {10.1109/TDSC.2022.3160872}, abstract = {Android allows apps to communicate with its system services via system service helpers so that these apps can use various functions provided by the system services. Meanwhile, the system services rely on their service helpers to enforce security checks for protection. Unfortunately, the security checks in the service helpers may be bypassed via directly exploiting the non-SDK (hidden) APIs, degrading the stability and posing severe security threats such as privilege escalation, automatic function execution without users’ interactions, crashes, and DoS attacks. Google has proposed various approaches to address this problem, e.g., case-by-case fixing the bugs or even proposing a blacklist to block all the non-SDK APIs. However, the developers can still figure out new ways of exploiting these hidden APIs to evade the non-SDKs restrictions. In this article, we systematically study the vulnerabilities due to the hidden API exploitation and analyze the effectiveness of Google’s countermeasures. We aim to answer if there are still vulnerable hidden APIs that can be exploited in newest Android 12. We develop a static analysis tool called ServiceAudit to automatically mine the inconsistent security enforcement between service helper classes and the hidden service APIs. We apply ServiceAudit to Android 6$\sim$12. Our tool discovers 112 vulnerabilities in Android 6 with a higher precision than existing approaches.
Moreover, in Android 11 and 12, we identify more than 25 hidden APIs with inconsistent protections; however, only one of the vulnerable APIs can lead to severe security problem in Android 11, and none of them work on Android 12.}, number = {2}, urldate = {2024-09-09}, journal = {IEEE Transactions on Dependable and Secure Computing}, author = {He, Yi and Gu, Yacong and Su, Purui and Sun, Kun and Zhou, Yajin and Wang, Zhi and Li, Qi}, month = mar, year = {2023}, note = {Conference Name: IEEE Transactions on Dependable and Secure Computing}, keywords = {Security, Android, security, Internet, Smart phones, Static analysis, Codes, Sun, Blocklists, non-sdk API}, pages = {1609--1623}, file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/7U7WUIFL/9739878.html:text/html;Submitted Version:/home/histausse/Zotero/storage/74BN4HRJ/He et al. - 2023 - A Systematic Study of Android Non-SDK (Hidden) Service API Security.pdf:application/pdf}, } @inproceedings{li_accessing_2016, title = {Accessing {Inaccessible} {Android} {APIs}: {An} {Empirical} {Study}}, shorttitle = {Accessing {Inaccessible} {Android} {APIs}}, url = {https://ieeexplore.ieee.org/abstract/document/7816486}, doi = {10.1109/ICSME.2016.35}, abstract = {As Android becomes a de-facto choice of development platform for mobile apps, developers extensively leverage its accompanying Software Development Kit to quickly build their apps. This SDK comes with a set of APIs which developers may find limited in comparison to what system apps can do or what framework developers are preparing to harness capabilities of new generation devices. Thus, developers may attempt to explore in advance the normally "inaccessible" APIs for building unique API-based functionality in their app. The Android programming model is unique in its kind. 
Inaccessible APIs, which however are used by developers, constitute yet another specificity of Android development, and is worth investigating to understand what they are, how they evolve over time, and who uses them. To that end, in this work, we empirically investigate 17 important releases of the Android framework source code base, and we find that inaccessible APIs are commonly implemented in the Android framework, which are further neither forward nor backward compatible. Moreover, a small set of inaccessible APIs can eventually become publicly accessible, while most of them are removed during the evolution, resulting in risks for such apps that have leveraged inaccessible APIs. Finally, we show that inaccessible APIs are indeed accessed by third-party apps, and the official Google Play store has tolerated the proliferation of apps leveraging inaccessible API methods.}, urldate = {2024-09-09}, booktitle = {2016 {IEEE} {International} {Conference} on {Software} {Maintenance} and {Evolution} ({ICSME})}, author = {Li, Li and Bissyandé, Tegawendé F. and Le Traon, Yves and Klein, Jacques}, month = oct, year = {2016}, keywords = {Androids, Google, Humanoid robots, Software, Libraries, Runtime, Ecosystems}, pages = {411--422}, file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/WQ564CZA/7816486.html:text/html;PDF:/home/histausse/Zotero/storage/ZTDU84BY/Li et al. - 2016 - Accessing Inaccessible Android APIs An Empirical Study.pdf:application/pdf}, } @article{tozawa_formalization_2002, title = {Formalization and {Analysis} of {Class} {Loading} in {Java}}, volume = {15}, issn = {1573-0557}, url = {https://doi.org/10.1023/A:1019912130555}, doi = {10.1023/A:1019912130555}, abstract = {Since Java security relies on the type-safety of the JVM, many formal approaches have been taken in order to prove the soundness of the JVM. This paper presents a new formalization of the JVM and proves its soundness. 
It is the first model to employ dynamic linking and bytecode verification to analyze the loading constraint scheme of Java2. The key concept required for proving the soundness of the new model is augmented value typing, which is defined from ordinary value typing combined with the loading constraint scheme. In proving the soundness of the model, it is shown that there are some problems inside the current reference implementation of the JVM with respect to our model. We also analyze the findClass scheme, newly introduced in Java2. The same analysis also shows why applets cannot exploit the type-spoofing vulnerability reported by Saraswat, which led to the introduction of the loading constraint scheme.}, language = {en}, number = {1}, urldate = {2024-04-30}, journal = {Higher-Order and Symbolic Computation}, author = {Tozawa, Akihiko and Hagiya, Masami}, month = mar, year = {2002}, keywords = {security, Java, class loading}, pages = {7--55}, file = {Tozawa and Hagiya - 2002 - Formalization and Analysis of Class Loading in Jav.pdf:/home/histausse/Zotero/storage/YCL3ULAF/Tozawa and Hagiya - 2002 - Formalization and Analysis of Class Loading in Jav.pdf:application/pdf}, } @article{gong_secure_1998, title = {Secure {Java} class loading}, volume = {2}, issn = {1941-0131}, url = {https://ieeexplore.ieee.org/abstract/document/735987}, doi = {10.1109/4236.735987}, abstract = {The class loading mechanism, central to Java, plays a key role in JDK 1.2 by enabling an improved security policy that is permission-based and extensible. The author concludes that JDK 1.2 has introduced a powerful and secure class loading mechanism. It not only enforces type safety and name space separation but also has a significant role in the new security architecture that supports fine grained, permission based access control. 
The new class loading mechanism's flexibility---through its delegation scheme and the rich set of class loader classes---gives Java applications and applets greater freedom to customize and specify how, when, and from where classes are loaded. Because the class loading mechanism is central to both the correctness and the security of the Java runtime system, we would like to model and define this mechanism, perhaps in a formal verification system. We can then obtain a formal specification and prove (or disprove) that the mechanism as currently designed is sufficient for security.}, number = {6}, urldate = {2024-04-30}, journal = {IEEE Internet Computing}, author = {Gong, Li}, month = nov, year = {1998}, note = {Conference Name: IEEE Internet Computing}, keywords = {Internet, Java, File systems, Access control, Computer architecture, Computer security, Layout, Permission, Public key, Sun}, pages = {56--61}, file = {Gong - 1998 - Secure Java class loading.pdf:/home/histausse/Zotero/storage/4REG3E94/Gong - 1998 - Secure Java class loading.pdf:application/pdf;IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/5D7Z3JNH/735987.html:text/html}, } @article{liang_dynamic_1998, title = {Dynamic class loading in the {Java} virtual machine}, volume = {33}, issn = {0362-1340}, url = {https://dl.acm.org/doi/10.1145/286942.286945}, doi = {10.1145/286942.286945}, abstract = {Class loaders are a powerful mechanism for dynamically loading software components on the Java platform. They are unusual in supporting all of the following features: laziness, type-safe linkage, user-defined extensibility, and multiple communicating namespaces. We present the notion of class loaders and demonstrate some of their interesting uses.
In addition, we discuss how to maintain type safety in the presence of user-defined dynamic class loading.}, number = {10}, urldate = {2024-10-15}, journal = {SIGPLAN Not.}, author = {Liang, Sheng and Bracha, Gilad}, month = oct, year = {1998}, pages = {36--44}, file = {Full Text PDF:/home/histausse/Zotero/storage/5N43QJ69/Liang and Bracha - 1998 - Dynamic class loading in the Java virtual machine.pdf:application/pdf}, } @inproceedings{zhou_dynamic_2022, title = {Dynamic {Class} {Generating} and {Loading} {Technology} in {Android} {Web} {Application}}, url = {https://ieeexplore.ieee.org/abstract/document/9851782}, doi = {10.1109/ISNCC55209.2022.9851782}, abstract = {Google’s android operating system has been widely used since being released, and occupies a major share of the market in the field of mobile computation. In Android, user applications mostly run in the dalvik virtual machine (DVM) due to the copyrights. The byte codes that the DVM use are different from the java virtual machine (JVM), so the class files that conform to the Java specification can’t be loaded and executed directly in android. Based on the analysis of the class loading mechanism of DVM and JVM, this paper proposes the dynamic class generating and loading mechanism in Android with existing technologies. The mechanism solves the compatibility problem caused by the differences of class file byte code, and extends the thought of ‘written once, run anywhere’. 
Two simple applications demonstrate the validity and effectiveness of the technology.}, urldate = {2024-04-30}, booktitle = {2022 {International} {Symposium} on {Networks}, {Computers} and {Communications} ({ISNCC})}, author = {Zhou, Wenwen and Yongzhi, Yang and Wang, Jiejuan}, month = jul, year = {2022}, keywords = {android, Java, Smart phones, dynamic, Loading, byte code, class load, Codes, compatibility, Computers, dalvik, java virtual machine, Operating systems, Virtual machining}, pages = {1--6}, file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/ZR9MJBAG/9851782.html:text/html;Zhou et al. - 2022 - Dynamic Class Generating and Loading Technology in.pdf:/home/histausse/Zotero/storage/5X4AAR9N/Zhou et al. - 2022 - Dynamic Class Generating and Loading Technology in.pdf:application/pdf}, } @inproceedings{kriz_provisioning_2015, title = {Provisioning of application modules to {Android} devices}, url = {https://ieeexplore.ieee.org/abstract/document/7129009}, doi = {10.1109/RADIOELEK.2015.7129009}, abstract = {The Google Android platform supports provisioning of packaged applications to an Android device. However, an existing approach requires user's interaction during the installation of a new application or its modules. We present a new approach to dynamic modules loading which enables provisioning of new modules to Android device dynamically without the interaction with the user. It will allow complex applications to adapt to the surrounding conditions and requirements of the user by downloading additional code from a server or a neighboring peer device. 
In our solution we propose to replace the default application class-loader with a custom one while employing some existing mechanisms of class-loading from APK packages at the Android platform.}, urldate = {2024-04-30}, booktitle = {2015 25th {International} {Conference} {Radioelektronika} ({RADIOELEKTRONIKA})}, author = {Kriz, Pavel and Maly, Filip}, month = apr, year = {2015}, keywords = {Android, Androids, Humanoid robots, Java, Mobile handsets, Servers, Loading, class loading, Java Reflection API, m-client, modular application, Reflection}, pages = {423--426}, file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/QEQLZHMD/7129009.html:text/html;Kriz and Maly - 2015 - Provisioning of application modules to Android dev.pdf:/home/histausse/Zotero/storage/8GRUYQLQ/Kriz and Maly - 2015 - Provisioning of application modules to Android dev.pdf:application/pdf}, } @inproceedings{ruggia_unmasking_2024, address = {New York, NY, USA}, series = {{ASIA} {CCS} '24}, title = {Unmasking the {Veiled}: {A} {Comprehensive} {Analysis} of {Android} {Evasive} {Malware}}, isbn = {979-8-4007-0482-6}, shorttitle = {Unmasking the {Veiled}}, url = {https://dl.acm.org/doi/10.1145/3634737.3637658}, doi = {10.1145/3634737.3637658}, abstract = {Since Android is the most widespread operating system, malware targeting it poses a severe threat to the security and privacy of millions of users and is increasing from year to year. The response from the community was swift, and many researchers have ventured to defend this system. In this cat-and-mouse game, attackers pay special attention to flying under the radar of analysis tools, and the techniques to understand whether their app is under analysis have become more and more sophisticated. 
Moreover, these evasive techniques are also adopted by benign apps to deter reverse engineering, making this phenomenon pervasive in the Android app ecosystem. While the scientific literature has proposed many evasive techniques and investigated their impact, one aspect still needs to be studied: how and to what extent Android apps, both malware and goodware, use such controls. This paper fills this gap by introducing a comprehensive taxonomy of evasive controls for the Android ecosystem and a proof-of-concept app that implements them all. We release the app as open source to help researchers and practitioners to assess whether their app analysis systems are sufficiently resilient to known evasion techniques. We also propose DroidDungeon, a novel probe-based sandbox, which circumvents evasive techniques thanks to a substantial engineering effort, making the apps under analysis believe they are running on an actual device. To the best of our knowledge, currently, DroidDungeon is the only solution providing anti-evasion capabilities, maintainability, and scalability at once. Using our sandbox, we studied evasive controls in both benign and malicious Android apps, revealing insights about their purpose, differences, and relationships between evasive controls and packers/protectors. Finally, we analyzed how the execution of an app differs depending on the presence or absence of evasive counter-measures. 
Our main finding is that 14\% and 4\% of malicious and benign samples refrain from running in an analysis environment that does not correctly mitigate evasive controls.}, urldate = {2025-07-22}, booktitle = {Proceedings of the 19th {ACM} {Asia} {Conference} on {Computer} and {Communications} {Security}}, publisher = {Association for Computing Machinery}, author = {Ruggia, Antonio and Nisi, Dario and Dambra, Savino and Merlo, Alessio and Balzarotti, Davide and Aonzo, Simone}, month = jul, year = {2024}, pages = {383--398}, file = {Full Text PDF:/home/histausse/Zotero/storage/V5LLQ8SP/Ruggia et al. - 2024 - Unmasking the Veiled A Comprehensive Analysis of Android Evasive Malware.pdf:application/pdf}, } @inproceedings {droidscope180237, author = {Lok Kwong Yan and Heng Yin}, title = {{DroidScope}: Seamlessly Reconstructing the {OS} and Dalvik Semantic Views for Dynamic Android Malware Analysis}, booktitle = {21st USENIX Security Symposium (USENIX Security 12)}, year = {2012}, isbn = {978-931971-95-9}, address = {Bellevue, WA}, pages = {569--584}, url = {https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/yan}, publisher = {USENIX Association}, month = aug } @inproceedings{Tam2015, address = {San Diego, California, USA}, title = {{CopperDroid}: {Automatic} {Reconstruction} of {Android} {Malware} {Behaviors}}, abstract = {Mobile devices and their application marketplaces drive the entire economy of the today’s mobile landscape. Android platforms alone have produced staggering revenues, exceeding five billion USD, which has attracted cybercriminals and increased malware in Android markets at an alarming rate. To better understand this slew of threats, we present CopperDroid , an automatic VMI-based dynamic analysis system to reconstruct the behaviors of Android malware. The novelty of CopperDroid lies in its agnostic approach to identify interesting OS- and high-level Android-specific behaviors. 
It reconstructs these behaviors by observing and dissecting system calls and, therefore, is resistant to the multitude of alterations the Android runtime is subjected to over its life-cycle. CopperDroid automatically and accurately reconstructs events of interest that describe, not only well-known process-OS interactions (e.g., file and process creation), but also complex intra- and inter-process communications (e.g., SMS reception), whose semantics are typically contextualized through complex Android objects. Because CopperDroid’s reconstruction mechanisms are agnostic to the underlying action invocation methods, it is able to capture actions initiated both from Java and native code execution. CopperDroid’s analysis generates detailed behavioral profiles that abstract a large stream of low-level—often uninteresting—events into concise, high-level semantics, which are well-suited to provide insightful behavioral traits and open the possibility to further research directions. We carried out an extensive evaluation to assess the capabilities and performance of CopperDroid on more than 2,900 Android malware samples. Our experiments show that CopperDroid faithfully reconstructs OS- and Android-specific behaviors. Additionally, we demonstrate how CopperDroid can be leveraged to disclose additional behaviors through the use of a simple, yet effective, app stimulation technique. Using this technique, we successfully triggered and disclosed additional behaviors on more than 60\% of the analyzed malware samples. This qualitatively demonstrates the versatility of CopperDroid’s ability to improve dynamic-based code coverage.}, booktitle = {22nd {Annual} {Network} and {Distributed} {System} {Security} {Symposium}}, publisher = {The Internet Society}, author = {Tam, Kimberly and Khan, Salahuddin and Fattori, Aristide and Cavallaro, Lorenzo}, month = feb, year = {2015}, file = {PDF:/home/histausse/Zotero/storage/7TF382QC/Tam et al. 
- 2015 - CopperDroid Automatic Reconstruction of Android Malware Behaviors.pdf:application/pdf}, } @inproceedings{qu_dydroid_2017, title = {{DyDroid}: {Measuring} {Dynamic} {Code} {Loading} and {Its} {Security} {Implications} in {Android} {Applications}}, shorttitle = {{DyDroid}}, url = {https://ieeexplore.ieee.org/abstract/document/8023141}, doi = {10.1109/DSN.2017.14}, abstract = {Android has provided dynamic code loading (DCL) since API level one. DCL allows an app developer to load additional code at runtime. DCL raises numerous challenges with regards to security and accountability analysis of apps. While previous studies have investigated DCL on Android, in this paper we formulate and answer three critical questions that are missing from previous studies: (1) Where does the loaded code come from (remotely fetched or locally packaged), and who is the responsible entity to invoke its functionality? (2) In what ways is DCL utilized to harden mobile apps, specifically, application obfuscation? (3) What are the security risks and implications that can be found from DCL in off-the-shelf apps? We design and implement DyDroid, a system which uses both dynamic and static analysis to analyze dynamically loaded code. Dynamic analysis is used to automatically exercise apps, capture DCL behavior, and intercept the loaded code. Static analysis is used to investigate malicious behavior and privacy leakage in that dynamically loaded code. We have used DyDroid to analyze over 46K apps with little manual intervention, allowing us to conduct a large-scale measurement to investigate five aspects of DCL, such as source identification, malware detection, vulnerability analysis, obfuscation analysis, and privacy tracking analysis. We have several interesting findings. (1) 27 apps are found to violate the content policy of Google Play by executing code downloaded from remote servers. 
(2) We determine the distribution, pros/cons, and implications of several common obfuscation methods, including DEX encryption/loading. (3) DCL's stealthiness enables it to be a channel to deploy malware, and we find 87 apps loading malicious binaries which are not detected by existing antivirus tools. (4) We found 14 apps that are vulnerable to code injection attacks due to dynamically loading code which is writable by other apps. (5) DCL is mainly used by third-party SDKs, meaning that app developers may not know what sort of sensitive functionality is injected into their apps.}, urldate = {2024-04-30}, booktitle = {2017 47th {Annual} {IEEE}/{IFIP} {International} {Conference} on {Dependable} {Systems} and {Networks} ({DSN})}, author = {Qu, Zhengyang and Alam, Shahid and Chen, Yan and Zhou, Xiaoyong and Hong, Wangjun and Riley, Ryan}, month = jun, year = {2017}, note = {ISSN: 2158-3927}, keywords = {Security, Android, Androids, Google, Humanoid robots, Malware, Dynamic analysis, Dynamic Code Loading, Loading, Measurement, Mobile security, Runtime, Smartphone}, pages = {415--426}, file = {IEEE Xplore Abstract Record:/home/histausse/Zotero/storage/RFUDH972/8023141.html:text/html;Qu et al. - 2017 - DyDroid Measuring Dynamic Code Loading and Its Se.pdf:/home/histausse/Zotero/storage/27Z9P5T4/Qu et al. - 2017 - DyDroid Measuring Dynamic Code Loading and Its Se.pdf:application/pdf}, } @article{bernardi_dynamic_2019, title = {Dynamic malware detection and phylogeny analysis using process mining}, volume = {18}, issn = {1615-5270}, url = {https://doi.org/10.1007/s10207-018-0415-3}, doi = {10.1007/s10207-018-0415-3}, abstract = {In the last years, mobile phones have become essential communication and productivity tools used daily to access business services and exchange sensitive data. Consequently, they also have become one of the biggest targets of malware attacks. 
New malware is created everyday, most of which is generated as variants of existing malware by reusing its malicious code. This paper proposes an approach for malware detection and phylogeny studying based on dynamic analysis using process mining. The approach exploits process mining techniques to identify relationships and recurring execution patterns in the system call traces gathered from a mobile application in order to characterize its behavior. The recovered characterization is expressed in terms of a set of declarative constraints between system calls and represents a sort of run-time fingerprint of the application. The comparison between the so defined fingerprint of a given application with those of known malware is used to verify: (1) if the application is malware or trusted, (2) in case of malware, which family it belongs to, and (3) how it differs from other known variants of the same malware family. An empirical study conducted on a dataset of 1200 trusted and malicious applications across ten malware families has shown that the approach exhibits a very good discrimination ability that can be exploited for malware detection and malware evolution studying. 
Moreover, the study has also shown that the approach is robust to code obfuscation techniques increasingly being used by nowadays malware.}, language = {en}, number = {3}, urldate = {2025-07-28}, journal = {International Journal of Information Security}, author = {Bernardi, Mario Luca and Cimitile, Marta and Distante, Damiano and Martinelli, Fabio and Mercaldo, Francesco}, month = jun, year = {2019}, keywords = {Biometrics, Computational Anthropology, Data Mining, Declare, Lineage tracking, Linear temporal logic, Malware detection, Malware evolution, Malware phylogeny, Paleogenetics, Process mining, Security, Sequence Annotation}, pages = {257--284}, } @inproceedings{Andriatsimandefitra2012, address = {Ottawa, Canada}, title = {Designing information flow policies for {Android}'s operating system}, isbn = {978-1-4577-2053-6}, url = {http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6364161}, doi = {10.1109/ICC.2012.6364161}, booktitle = {{IEEE} {International} {Conference} on {Communications}}, publisher = {IEEE Computer Society}, author = {Andriatsimandefitra, Radoniaina and Geller, Stéphane and Viet Triem Tong, Valérie}, month = jun, year = {2012}, keywords = {★}, pages = {976--981}, file = {PDF:/home/histausse/Zotero/storage/5AD2IJP6/Andriatsimandefitra, Geller, Viet Triem Tong - 2012 - Designing information flow policies for Android's operating system.pdf:application/pdf}, } @inproceedings{andriatsimandefitra_detection_2015, title = {Detection and {Identification} of {Android} {Malware} {Based} on {Information} {Flow} {Monitoring}}, url = {https://ieeexplore.ieee.org/abstract/document/7371481}, doi = {10.1109/CSCloud.2015.27}, abstract = {Information flow monitoring has been mostly used to detect privacy leaks. In a previous work, we showed that they can also be used to characterize Android malware behaviours and in the current one we show that these flows can also be used to detect and identify Android malware. 
The characterization consists in computing automatically System Flow Graphs that describe how a malware disseminates its data in the system. In the current work, we propose a method that uses these SFG-based malware profile to detect the execution of Android malware by monitoring the information flows they cause in the system. We evaluated our method by monitoring the execution of 39 malware samples and 70 non malicious applications. Our results show that our approach detected the execution of all the malware samples and did not raise any false alerts for the 70 non malicious applications.}, urldate = {2025-07-28}, booktitle = {2015 {IEEE} 2nd {International} {Conference} on {Cyber} {Security} and {Cloud} {Computing}}, author = {Andriatsimandefitra, Radoniaina and Tong, Valérie Viet Triem}, month = nov, year = {2015}, keywords = {android security, Androids, Containers, Humanoid robots, information flow, Java, Kernel, Malware, malware classification, malware detection, Monitoring}, pages = {200--203}, file = {Snapshot:/home/histausse/Zotero/storage/7FLAJ437/7371481.html:text/html;Submitted Version:/home/histausse/Zotero/storage/JR2N8XXZ/Andriatsimandefitra and Tong - 2015 - Detection and Identification of Android Malware Based on Information Flow Monitoring.pdf:application/pdf}, } @inproceedings{yang_appspear_2015, address = {Cham}, series = {Lecture {Notes} in {Computer} {Science}}, title = {{AppSpear}: {Bytecode} {Decrypting} and {DEX} {Reassembling} for {Packed} {Android} {Malware}}, isbn = {978-3-319-26362-5}, shorttitle = {{AppSpear}}, doi = {10.1007/978-3-319-26362-5_17}, abstract = {As the techniques for Android malware detection are progressing, malware also fights back through deploying advanced code encryption with the help of Android packers. An effective Android malware detection therefore must take the unpacking issue into consideration to prove the accuracy. Unfortunately, this issue is not easily addressed. 
Android packers often adopt multiple complex anti-analysis defenses and are evolving frequently. Current unpacking approaches are either based on manual efforts, which are slow and tedious, or based on coarse-grained memory dumping, which are susceptible to a variety of anti-monitoring defenses.}, language = {en}, booktitle = {Research in {Attacks}, {Intrusions}, and {Defenses}}, publisher = {Springer International Publishing}, author = {Yang, Wenbo and Zhang, Yuanyuan and Li, Juanru and Shu, Junliang and Li, Bodong and Hu, Wenjun and Gu, Dawu}, editor = {Bos, Herbert and Monrose, Fabian and Blanc, Gregory}, year = {2015}, keywords = {Android malware, Code protection, DEX reassembling}, pages = {359--381}, file = {Yang et al. - 2015 - AppSpear Bytecode Decrypting and DEX Reassembling.pdf:/home/histausse/Zotero/storage/HR2UALQW/Yang et al. - 2015 - AppSpear Bytecode Decrypting and DEX Reassembling.pdf:application/pdf}, } @article{cui_droidhook_2023, title = {{DroidHook}: a novel {API}-hook based {Android} malware dynamic analysis sandbox}, volume = {30}, issn = {1573-7535}, shorttitle = {{DroidHook}}, url = {https://doi.org/10.1007/s10515-023-00378-w}, doi = {10.1007/s10515-023-00378-w}, abstract = {With the popularity of Android devices, mobile apps are prevalent in our daily life, making them a target for attackers to steal private data and push advertisements. Dynamic analysis is an effective approach to detect runtime behavior of Android malware and can reduce the impact of code obfuscation. However, some dynamic sandboxes commonly used by researchers are usually based on emulators with older versions of Android, for example, the state-of-the-art sandbox, DroidBox. These sandboxes are vulnerable to evasion attacks and may not work with the latest apps. In this paper, we propose a prototype framework, DroidHook, as a novel automated sandbox for Android malware dynamic analysis. Unlike most existing tools, DroidHook has two obvious advantages. 
Firstly, the set of APIs to be monitored by DroidHook can be easily modified, so that DroidHook is ideally suitable for diverse situations, including the detection of a specific family of malware and unknown malware. Secondly, DroidHook does not depend on a specific Android OS but only on Xposed, so it can work with multiple Android versions and can perform normally on both emulators and real devices. Experiments show that DroidHook can provide more fine-grained and precise results than DroidBox. Moreover, with the support for real devices and new versions of Android, DroidHook can run most samples properly and acquire stronger detection results, compared to emulator-based tools.}, language = {en}, number = {1}, urldate = {2023-03-17}, journal = {Automated Software Engineering}, author = {Cui, Yuning and Sun, Yi and Lin, Zhaowen}, month = feb, year = {2023}, keywords = {Android, Dynamic analysis, Mobile malware, Sandbox}, pages = {10}, file = {Cui et al. - 2023 - DroidHook a novel API-hook based Android malware .pdf:/home/histausse/Zotero/storage/I3BLZDLC/Cui et al. - 2023 - DroidHook a novel API-hook based Android malware .pdf:application/pdf}, } @article{faghihi_camodroid_2022, title = {{CamoDroid}: {An} {Android} application analysis environment resilient against sandbox evasion}, volume = {125}, issn = {1383-7621}, shorttitle = {{CamoDroid}}, url = {https://www.sciencedirect.com/science/article/pii/S1383762122000467}, doi = {10.1016/j.sysarc.2022.102452}, abstract = {In the past few years, numerous attempts have been made to mitigate evasive Android malware. However, it remains one of the challenges in smartphone security. Evasive malware can dodge dynamic analysis by detecting execution in sandboxes and hiding its malicious behaviors during the investigation. In this work, we present CamoDroid, an open-source and extendable dynamic analysis environment resilient against detection by state-of-the-art evasive Android malware. 
Our technique mimics data, sensors, user input, static and network features of actual devices and cloaks the existence of the analysis environment. It further improves dynamic analysis and provides a broad view of an application’s behavior by monitoring and logging the dangerous Application Programming Interface (API) calls executed by applications. We implement CamoDroid and assess its resiliency to sandbox detection. We first demonstrate that our sandbox cannot be detected using modern existing academic and commercial applications that can distinguish analysis environments from real devices. We also assess the dependability of CamoDroid against real-world evasive malware and show that it can successfully cloak the existence of the analysis environment to more than 96 percent of evasive Android malware. Moreover, we investigate other popular Android sandboxes and show that they are vulnerable to at least one type of sandbox detection heuristic.}, urldate = {2025-07-28}, journal = {Journal of Systems Architecture}, author = {Faghihi, Farnood and Zulkernine, Mohammad and Ding, Steven}, month = apr, year = {2022}, keywords = {Android, Dynamic analysis, Malware detection}, pages = {102452}, file = {ScienceDirect Snapshot:/home/histausse/Zotero/storage/36WARYCE/S1383762122000467.html:text/html}, } @article{sutter_dynamic_2024, title = {Dynamic {Security} {Analysis} on {Android}: {A} {Systematic} {Literature} {Review}}, volume = {12}, issn = {2169-3536}, shorttitle = {Dynamic {Security} {Analysis} on {Android}}, url = {https://ieeexplore.ieee.org/abstract/document/10504267}, doi = {10.1109/ACCESS.2024.3390612}, abstract = {Dynamic analysis is a technique that is used to fully understand the internals of a system at runtime. On Android, dynamic security analysis involves real-time assessment and active adaptation of an app’s behaviour, and is used for various tasks, including network monitoring, system-call tracing, and taint analysis. 
The research on dynamic analysis has made significant progress in the past years. However, to the best of our knowledge, there is a lack in secondary studies that analyse the novel ideas and common limitations of current security research. The main aim of this work is to understand dynamic security analysis research on Android to present the current state of knowledge, highlight research gaps, and provide insights into the existing body of work in a structured and systematic manner. We conduct a systematic literature review (SLR) on dynamic security analysis for Android. The systematic review establishes a taxonomy, defines a classification scheme, and explores the impact of advanced Android app testing tools on security solutions in software engineering and security research. The study’s key findings centre on tool usage, research objectives, constraints, and trends. Instrumentation and network monitoring tools play a crucial role, with research goals focused on app security, privacy, malware detection, and software testing automation. Identified limitations include code coverage constraints, security-related analysis obstacles, app selection adequacy, and non-deterministic behaviour. Our study results deepen the understanding of dynamic analysis in Android security research by an in-depth review of 43 publications. 
The study highlights recurring limitations with automated testing tools and concerns about detecting or obstructing dynamic analysis.}, urldate = {2025-07-28}, journal = {IEEE Access}, author = {Sutter, Thomas and Kehrer, Timo and Rennhard, Marc and Tellenbach, Bernhard and Klein, Jacques}, year = {2024}, keywords = {Android, Androids, Codes, dynamic analysis, fuzzing, Fuzzing, instrumentation, Instrumentation and measurement, machine learning, Machine learning, monitoring, Monitoring, Operating systems, security, Security, software testing, Software testing, Systematics, Taxonomy, tracing, vulnerabilities}, pages = {57261--57287}, file = {Full Text PDF:/home/histausse/Zotero/storage/RGVZFQY8/Sutter et al. - 2024 - Dynamic Security Analysis on Android A Systematic Literature Review.pdf:application/pdf}, } @inproceedings{mao_sapienz_2016, address = {New York, NY, USA}, series = {{ISSTA} 2016}, title = {Sapienz: multi-objective automated testing for {Android} applications}, isbn = {978-1-4503-4390-9}, shorttitle = {Sapienz}, url = {https://doi.org/10.1145/2931037.2931054}, doi = {10.1145/2931037.2931054}, abstract = {We introduce Sapienz, an approach to Android testing that uses multi-objective search-based testing to automatically explore and optimise test sequences, minimising length, while simultaneously maximising coverage and fault revelation. Sapienz combines random fuzzing, systematic and search-based exploration, exploiting seeding and multi-level instrumentation. Sapienz significantly outperforms (with large effect size) both the state-of-the-art technique Dynodroid and the widely-used tool, Android Monkey, in 7/10 experiments for coverage, 7/10 for fault detection and 10/10 for fault-revealing sequence length. When applied to the top 1,000 Google Play apps, Sapienz found 558 unique, previously unknown crashes. So far we have managed to make contact with the developers of 27 crashing apps. 
Of these, 14 have confirmed that the crashes are caused by real faults. Of those 14, six already have developer-confirmed fixes.}, urldate = {2025-07-29}, booktitle = {Proceedings of the 25th {International} {Symposium} on {Software} {Testing} and {Analysis}}, publisher = {Association for Computing Machinery}, author = {Mao, Ke and Harman, Mark and Jia, Yue}, month = jul, year = {2016}, pages = {94--105}, file = {Submitted Version:/home/histausse/Zotero/storage/BXPWWPAU/Mao et al. - 2016 - Sapienz multi-objective automated testing for Android applications.pdf:application/pdf}, } @inproceedings{su_guided_2017, address = {New York, NY, USA}, series = {{ESEC}/{FSE} 2017}, title = {Guided, stochastic model-based {GUI} testing of {Android} apps}, isbn = {978-1-4503-5105-8}, url = {https://doi.org/10.1145/3106237.3106298}, doi = {10.1145/3106237.3106298}, abstract = {Mobile apps are ubiquitous, operate in complex environments and are developed under the time-to-market pressure. Ensuring their correctness and reliability thus becomes an important challenge. This paper introduces Stoat, a novel guided approach to perform stochastic model-based testing on Android apps. Stoat operates in two phases: (1) Given an app as input, it uses dynamic analysis enhanced by a weighted UI exploration strategy and static analysis to reverse engineer a stochastic model of the app's GUI interactions; and (2) it adapts Gibbs sampling to iteratively mutate/refine the stochastic model and guides test generation from the mutated models toward achieving high code and model coverage and exhibiting diverse sequences. During testing, system-level events are randomly injected to further enhance the testing effectiveness. Stoat was evaluated on 93 open-source apps. The results show (1) the models produced by Stoat cover 17{\textasciitilde}31\% more code than those by existing modeling tools; (2) Stoat detects 3X more unique crashes than two state-of-the-art testing tools, Monkey and Sapienz. 
Furthermore, Stoat tested 1661 most popular Google Play apps, and detected 2110 previously unknown and unique crashes. So far, 43 developers have responded that they are investigating our reports. 20 of reported crashes have been confirmed, and 8 already fixed.}, urldate = {2025-07-29}, booktitle = {Proceedings of the 2017 11th {Joint} {Meeting} on {Foundations} of {Software} {Engineering}}, publisher = {Association for Computing Machinery}, author = {Su, Ting and Meng, Guozhu and Chen, Yuting and Wu, Ke and Yang, Weiming and Yao, Yao and Pu, Geguang and Liu, Yang and Su, Zhendong}, month = aug, year = {2017}, pages = {245--256}, } @inproceedings{abraham_grodddroid_2015, title = {{GroddDroid}: a gorilla for triggering malicious behaviors}, shorttitle = {{GroddDroid}}, url = {https://ieeexplore.ieee.org/abstract/document/7413692}, doi = {10.1109/MALWARE.2015.7413692}, abstract = {Android malware authors use sophisticated techniques to hide the malicious intent of their applications. They use cryptography or obfuscation techniques to avoid detection during static analysis. They can also avoid detection during a dynamic analysis. Frequently, the malicious execution is postponed as long as the malware is not convinced that it is running in a real smartphone of a real user. However, we believe that dynamic analysis methods give good results when they really monitor the malware execution. In this article, we propose a method to enhance the execution of the malicious code of unknown malware. We especially target malware that have triggering protections, for example branching conditions that wait for an event or expect a specific value for a variable before triggering malicious execution. In these cases, solely executing the malware is far from being sufficient. We propose to force the triggering of the malicious code by combining two contributions. First, we define an algorithm that automatically identifies potentially malicious code. 
Second, we propose an enhanced monkey called GroddDroid, that stimulates the GUI of an application and forces the execution of some branching conditions if needed. The forcing is used by GroddDroid to push the execution flow towards the previously identified malicious parts of the malware and execute it. The source code for our experiments with GroddDroid is released as free software. We have verified on a malware dataset that we investigated manually that the malicious code is accurately executed by GroddDroid. Additionally, on a large dataset of 100 malware we precisely identify the nature of the suspicious code and we succeed to execute it at 28\%.}, urldate = {2025-07-29}, booktitle = {2015 10th {International} {Conference} on {Malicious} and {Unwanted} {Software} ({MALWARE})}, author = {Abraham, A. and Andriatsimandefitra, R. and Brunelat, A. and Lalande, J.-F. and Viet Triem Tong, V.}, month = oct, year = {2015}, keywords = {Androids, Force, Graphical user interfaces, Humanoid robots, Java, Malware, Monitoring}, pages = {119--127}, file = {Snapshot:/home/histausse/Zotero/storage/E4949JUV/7413692.html:text/html;Submitted Version:/home/histausse/Zotero/storage/CPJLKBNJ/Abraham et al. - 2015 - GroddDroid a gorilla for triggering malicious behaviors.pdf:application/pdf}, } @inproceedings{adjibi_devil_2022, title = {The {Devil} is in the {Details}: {Unwrapping} the {Cryptojacking} {Malware} {Ecosystem} on {Android}}, shorttitle = {The {Devil} is in the {Details}}, url = {https://ieeexplore.ieee.org/abstract/document/10006806}, doi = {10.1109/SCAM55253.2022.00023}, abstract = {This paper investigates the various technical and non-technical tools and techniques that software developers use to build and disseminate crypto mining apps on Android devices. 
Our study of 346 potential Android mining apps, collected between April 2019 and May 2022, has revealed the presence of more than ten mining apps on the Google Play Store, with at least half of those still available at the time of writing this (June 2022). We observed that many of those mining apps do not conceal their usage of the device's resource for mining which is considered a violation of the store's policies for developers. We estimate that more than ten thousand users have run mining apps downloaded directly from the Google Play Store, which puts the supposedly “stringent” vetting process into question. Furthermore, we prove that covert mining apps tend to be embedded into supposedly free versions of premium apps or pose as utility apps that provide valuable features to users. Finally, we empirically demonstrate that cryptojacking apps' resource consumption and malicious behavior could be insignificant. We presume that typical users, even though they might be running a mobile antivirus solution, could execute a mining app for an extended period without being alerted. We expect our results to inform the various actors involved in the security of Android devices against the lingering threat of cryptojacking and help them better assess the problem.}, urldate = {2025-07-29}, booktitle = {2022 {IEEE} 22nd {International} {Working} {Conference} on {Source} {Code} {Analysis} and {Manipulation} ({SCAM})}, author = {Adjibi, Boladji Vinny and Mbodji, Fatou Ndiaye and Bissyandé, Tegawendé F. and Allix, Kevin and Klein, Jacques}, month = oct, year = {2022}, note = {ISSN: 2470-6892}, keywords = {android, cryptojacking, Ecosystems, google play store, Internet, malware, Malware, manual analysis, Operating systems, Safety, Source coding, Writing}, pages = {153--163}, file = {Snapshot:/home/histausse/Zotero/storage/BAIMVA8E/10006806.html:text/html;Submitted Version:/home/histausse/Zotero/storage/QZ4CZAJL/Adjibi et al. 
- 2022 - The Devil is in the Details Unwrapping the Cryptojacking Malware Ecosystem on Android.pdf:application/pdf}, } @article{mayrhofer_android_2021, title = {The {Android} {Platform} {Security} {Model}}, volume = {24}, issn = {2471-2566}, url = {https://dl.acm.org/doi/10.1145/3448609}, doi = {10.1145/3448609}, abstract = {Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This article aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.}, number = {3}, urldate = {2025-07-29}, journal = {ACM Trans. Priv. Secur.}, author = {Mayrhofer, René and Stoep, Jeffrey Vander and Brubaker, Chad and Kralevich, Nick}, month = apr, year = {2021}, pages = {19:1--19:35}, file = {Full Text PDF:/home/histausse/Zotero/storage/I6H4B9IU/Mayrhofer et al. - 2021 - The Android Platform Security Model.pdf:application/pdf}, }