Abstract #99

Multilevel Android Exploit Protection

Smartphones have become an emerging platform for both personal and business applications. As the most popular mobile operating system for smartphones, Android offers great flexibility not only for users but also for application developers. However, this flexibility exposes users to additional security threats. This poster describes our ongoing research effort on Android security issues. We first instantiate two types of possible attacks that can be launched on current Android applications available on the market. To further explore the vulnerabilities, particularly in the finance and health sector, we are developing a tool that leverages data mining techniques to automatically extract and analyze the security information of these applications, in order to detect and report the potential security threats. Moreover, we have analyzed and categorized more than a dozen security solutions proposed by different research groups. This poster provides a concise overview of this survey result. Most tools prevent potentially malicious communication within the Android operating system by repeatedly checking all communication channels and making security decisions based on a predefined security policy. Addressing the limitations of the current approaches, we propose two directions for further research. The first is to implement a probabilistic protection mechanism as part of the Android framework that leverages historical data to make better security decisions while reducing the energy overhead. The second is to develop an Eclipse plug-in that prevents attacks by educating developers to write more secure Android applications.

Boston University – Metropolitan College (MET)
Felix Rohrer, Nebiyu Feleke, Kenneth Nimley
Supervised by: Yuting Zhang, Lou Chitkushev, Tanya Zlateva

Android Overview
Operating System for Mobile Devices
Based on Linux
Android Market reached 10 Billion App downloads by December 2011
Growth rate of 1 Billion App downloads per month
450'000 Apps
[Figure: Market Share of Smartphones by Platform. Platforms: Google, Apple, Symbian, Microsoft, RIM]
Juniper Networks – 2011 Mobile Threat Report

Android Security
Each App runs in its own Virtual Machine (Dalvik), therefore isolated from other Apps. ...
Resources are labelled with permissions (i.e. INTERNET, RECEIVE_SMS)
Inter-application communication provided by Android Framework (very flexible but introduces vulnerabilities)

Malware analysis
[Figure: Cumulative Android Malware Increase, June - December 2011. x-axis: Jun, Jul, Aug, Sep, Oct, Nov, Dec; y-axis: 0% to 4,000%]
[Figure: Types of Malware (2011). Categories: SMS Trojan, SMS Flooder, Worm, Spyware]
SMS Trojans and how they operate
- Send to premium number
- Send to third-party
Source: Juniper Networks – 2011 Mobile Threat Report

Two Proof of Concept Attacks
PoC App: Funny Game
PoC App: Mail Bomber
Application Phishing
Permission Re-delegation
[Figure: attack diagrams. Labels: Resource request, Request accepted, Request denied, Resource, Privileged App, Unprivileged App, Real, Fake]

Current solutions
Analyzed 13 security solutions from different research groups
8 solutions introduce substantial overhead (delays or energy consumption)
11 solutions require modification of framework code and therefore difficult to distribute
[Figure: comparison of the surveyed solutions. Solutions shown: IPC Inspection, Quire, Saint, Apex, ComDroid, XManDroid, CRePE, SELinux, TrustDroid. Categories shown: Rely on user/developer; Subject to false-positive/false-negative; Matches user expectation; Reduce device functionality; Deal with Privilege Escalation attacks]

Our current research (focus: Finance and Medical sector)
[Figure: Commonly requested permissions, Finance vs. Medicine. x-axis: # Apps, 0 to 100. Permissions: USE_CREDENTIALS, RECORD_AUDIO, ACCESS_FINE_LOCATION, READ_CONTACTS, WAKE_LOCK, VIBRATE, GET_ACCOUNTS, READ_PHONE_STATE, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, INTERNET. (Data: 50 medical Apps, 50 financial Apps)]
Permission usage: 31% Not used, 69% Used (Data: 100 Apps, 165 Permissions)
Application Analysis through Data mining
[Figure: Application Analysis through Data mining. Labels: App Security information, External DBs, Static Code Analysis, Web interface]

Proposed work
Educate developers to write secure Code
[Add a mock-up screen here from the Eclipse Plugin]
Provide Security on several levels
● Create an access control based on roles in order to simplify dealing with permissions
● Minimize energy consumption of solution by introducing probabilistic security checks
●
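
The "Permission usage" split above (used vs. not used) can be computed by comparing the permissions an app declares with those its code actually exercises. The sketch below is an added example, not the poster authors' tool; the API-to-permission map, the sample manifest and the sample source are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed, hand-picked subset of an API-to-permission map (illustration only).
API_PERMISSIONS = {
    "getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "requestLocationUpdates": "android.permission.ACCESS_FINE_LOCATION",
    "setAudioSource": "android.permission.RECORD_AUDIO",
    "getDeviceId": "android.permission.READ_PHONE_STATE",
    "getAccounts": "android.permission.GET_ACCOUNTS",
    "newWakeLock": "android.permission.WAKE_LOCK",
    "openConnection": "android.permission.INTERNET",
}

# Constructed sample input: a decoded manifest and a decompiled source snippet.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankdemo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

SAMPLE_SOURCE = """
HttpURLConnection c = (HttpURLConnection) url.openConnection();
String imei = telephonyManager.getDeviceId();
// recorder.setAudioSource(MediaRecorder.AudioSource.MIC);
"""

def declared_permissions(manifest_xml):
    """Permissions requested via <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def used_permissions(source):
    """Permissions implied by method calls found in the source text."""
    # Naive: drop // line comments so commented-out calls are not counted.
    code = re.sub(r"//.*", "", source)
    calls = set(re.findall(r"\.(\w+)\s*\(", code))
    return {API_PERMISSIONS[c] for c in calls if c in API_PERMISSIONS}

def permission_report(manifest_xml, source):
    declared = declared_permissions(manifest_xml)
    used = used_permissions(source)
    return {
        "unused": sorted(declared - used),      # declared but never exercised
        "undeclared": sorted(used - declared),  # exercised but not declared
        "used_ratio": len(declared & used) / len(declared) if declared else 1.0,
    }

if __name__ == "__main__":
    print(permission_report(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

A production analysis would work on bytecode with a complete API-to-permission map; the regex matching here is only enough to show the declared-versus-used comparison.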