Pre-Conference Talk by TANG Xiaoxiao | Towards Dynamically Monitoring Android Applications on Non-rooted Devices in the Wild

We propose to dynamically analyze app behavior on non-rooted devices used by the public so that it is possible to analyze dynamically in scale without input generators. By doing so, we also maximize the code coverage since the app behavior is invoked by real users of the apps. To achieve such a goal, we build UpDroid, a system for detecting sensitive behavior without modifying Android OS, rooting the device, or leveraging emulators. UpDroid detects sensitive events by monitoring the changing of public resources on the device, instead of accessing low-level events that require rooting or system modification. To identify the apps that trigger the detected events, UpDroid formulates the identification as a ranking problem and adopts learning to rank technique to solve it. Our experimental results demonstrate that UpDroid can successfully detect the use of 15 out of 26 permissions that are labeled dangerous in the official Android documentation. We also compare UpDroid with API hooking which can theoretically capture all sensitive behavior but requires root permission and system modifications. Results show that UpDroid can still achieve 70% coverage of API hooking even without root permission or any system modifications.

This a pre-conference talk for 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec 2018).