Links for fulltext
(May Require Subscription)
- Publisher Website: 10.1109/UIC-ATC.2017.8397610
- Scopus: eid_2-s2.0-85050204835
Conference Paper: SurgeScan: Enforcing security policies on untrusted third-party Android libraries
Title | SurgeScan: Enforcing security policies on untrusted third-party Android libraries |
---|---|
Authors | Vronsky, Jonathan; Stevens, Ryan; Chen, Hao |
Issue Date | 2018 |
Citation | 2017 IEEE SmartWorld Ubiquitous Intelligence and Computing, Advanced and Trusted Computed, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People and Smart City Innovation, SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI 2017 - Conference Proceedings, 2018, p. 1-8 |
Abstract | Many Android apps include third-party libraries for advertising, payment, social media, etc. However, since the library code runs with the same privilege as the app code, the app developer has to either trust the library, a potential security risk, or refrain from using untrusted libraries. We designed and implemented SurgeScan, a framework for specifying and enforcing security policies on untrusted third-party code. We call this third-party code plugins, as SurgeScan supports both statically and dynamically loaded code. SurgeScan consists of a static analysis component and a code rewriting component. To use SurgeScan, the app developer selects a security policy that declares security-sensitive methods in the Android API. Then, using static analysis, SurgeScan finds all the Android API calls in the plugin binary that may reach those security-sensitive methods, and generates AspectJ code for enforcing the security policy on those API calls. Next, SurgeScan runs AspectJ to weave the policy into the plugin. After that, the app can safely load the plugin. SurgeScan requires no modification to the OS and incurs negligible runtime overhead. We describe our algorithms for achieving high accuracy in our static analysis. To evaluate SurgeScan, we designed policies on network and sensor access and applied them to open source apps. We demonstrated various use scenarios for SurgeScan, including securing distributed network measurement, securing ad libraries, controlling UI and screen real estate, and patching applications. |
Persistent Identifier | http://hdl.handle.net/10722/346680 |
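The abstract describes a two-stage pipeline: a static reachability analysis that selects the plugin's Android API call sites which may transitively reach a policy's security-sensitive methods, followed by generation of AspectJ advice that is woven into the plugin binary. The block below is an added illustration of that pipeline and is not SurgeScan's code. The framework call graph, the plugin call sites (package `com.example.adlib`), the policy sink sets and the `PolicyRuntime.allow` hook referenced from the generated aspect are all constructed for this example; a real implementation would derive the call graph from the framework jar and the call sites from the plugin's bytecode.

```python
"""Reachability-based selection of plugin API calls to instrument, plus
AspectJ source generation, following the pipeline the SurgeScan abstract
describes. Added example: graph, call sites and runtime hook are constructed."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# (plugin method containing the call, fully qualified Android/Java API method called)
CallSite = Tuple[str, str]

# Constructed fragment of a framework call graph: caller -> set of callees.
FRAMEWORK_CALL_GRAPH: Dict[str, Set[str]] = {
    "java.net.URL.openConnection": {"java.net.URLStreamHandler.openConnection"},
    "java.net.URLStreamHandler.openConnection": {"java.net.HttpURLConnection.<init>"},
    "java.net.HttpURLConnection.connect": {"java.net.Socket.connect"},
    "android.webkit.WebView.loadUrl": {"java.net.Socket.connect"},
    "android.hardware.SensorManager.registerListener": {"android.hardware.SensorManager.registerListenerImpl"},
    "android.hardware.SensorManager.registerListenerImpl": {"android.hardware.SystemSensorManager.enableSensor"},
    "android.widget.TextView.setText": {"android.view.View.invalidate"},
    "android.util.Log.d": {"android.util.Log.println_native"},
}

# Policies declare the security-sensitive framework methods (the sinks).
NETWORK_POLICY: Set[str] = {"java.net.Socket.connect"}
SENSOR_POLICY: Set[str] = {"android.hardware.SystemSensorManager.enableSensor"}

# Constructed call sites as a bytecode scan of a hypothetical ad library would list them.
PLUGIN_CALL_SITES: List[CallSite] = [
    ("com.example.adlib.AdLoader.fetch", "java.net.URL.openConnection"),
    ("com.example.adlib.AdLoader.fetch", "java.net.HttpURLConnection.connect"),
    ("com.example.adlib.AdView.show", "android.webkit.WebView.loadUrl"),
    ("com.example.adlib.AdView.show", "android.widget.TextView.setText"),
    ("com.example.adlib.Tracker.start", "android.hardware.SensorManager.registerListener"),
    ("com.example.adlib.Tracker.start", "android.util.Log.d"),
]


def methods_reaching(graph: Dict[str, Set[str]], sinks: Set[str]) -> Set[str]:
    """Every method from which some sink is transitively reachable (sinks included).
    Backward BFS over the reversed graph: one pass, independent of how many call sites exist."""
    callers: Dict[str, Set[str]] = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            callers[callee].add(caller)
    seen: Set[str] = set(sinks)
    work = deque(sinks)
    while work:
        method = work.popleft()
        for caller in callers[method]:
            if caller not in seen:
                seen.add(caller)
                work.append(caller)
    return seen


def find_sensitive_call_sites(call_sites: List[CallSite], graph: Dict[str, Set[str]],
                              sinks: Set[str]) -> List[CallSite]:
    """Plugin call sites whose target API method may reach a policy sink; order preserved."""
    reaching = methods_reaching(graph, sinks)
    return [site for site in call_sites if site[1] in reaching]


def pointcut_for(api_method: str) -> str:
    """AspectJ call() pointcut for one API method; constructors use the `new` form."""
    cls, name = api_method.rsplit(".", 1)
    if name == "<init>":
        return f"call({cls}.new(..))"
    return f"call(* {cls}.{name}(..))"


def generate_aspect(aspect_name: str, call_sites: List[CallSite],
                    graph: Dict[str, Set[str]], sinks: Set[str]) -> str:
    """AspectJ source that guards only the flagged API calls, and only inside plugin packages.
    Returns "" when the policy touches nothing, so the caller can skip weaving."""
    flagged = find_sensitive_call_sites(call_sites, graph, sinks)
    if not flagged:
        return ""
    packages = sorted({method.rsplit(".", 2)[0] for method, _ in flagged})
    within = " || ".join(f"within({pkg}..)" for pkg in packages)
    calls = " ||\n        ".join(pointcut_for(c) for c in sorted({c for _, c in flagged}))
    # PolicyRuntime.allow is a hypothetical hook the host app supplies at run time.
    return (
        f"public aspect {aspect_name} {{\n"
        f"    pointcut sensitive(): ({within}) && (\n"
        f"        {calls});\n"
        f"    Object around(): sensitive() {{\n"
        f"        String sig = thisJoinPoint.getSignature().toString();\n"
        f"        if (!PolicyRuntime.allow(\"{aspect_name}\", sig)) {{\n"
        f"            throw new SecurityException(\"{aspect_name} denied \" + sig);\n"
        f"        }}\n"
        f"        return proceed();\n"
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    print(generate_aspect("NetworkPolicy", PLUGIN_CALL_SITES, FRAMEWORK_CALL_GRAPH, NETWORK_POLICY))
    print(generate_aspect("SensorPolicy", PLUGIN_CALL_SITES, FRAMEWORK_CALL_GRAPH, SENSOR_POLICY))
```

Two points a practitioner should check before trusting such a weave. First, the `within(...)` restriction is what keeps the overhead negligible and the app's own code unaffected, but it also means any call the plugin makes through reflection, JNI or a class it loads later is not matched by the static call graph; treat `java.lang.reflect.Method.invoke`, `System.load`/`loadLibrary` and `DexClassLoader` as sinks in their own right, or apply the same analysis to the dynamically loaded code as the abstract says SurgeScan does. Second, precision of the selection depends entirely on the call graph: the constructed graph above lets `URL.openConnection` pass because its `HttpURLConnection.<init>` edge never reaches `Socket.connect`, which is correct here but shows how a missing edge silently becomes a missing check.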
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Vronsky, Jonathan | - |
dc.contributor.author | Stevens, Ryan | - |
dc.contributor.author | Chen, Hao | - |
dc.date.accessioned | 2024-09-17T04:12:33Z | - |
dc.date.available | 2024-09-17T04:12:33Z | - |
dc.date.issued | 2018 | - |
dc.identifier.citation | 2017 IEEE SmartWorld Ubiquitous Intelligence and Computing, Advanced and Trusted Computed, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People and Smart City Innovation, SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI 2017 - Conference Proceedings, 2018, p. 1-8 | - |
dc.identifier.uri | http://hdl.handle.net/10722/346680 | - |
dc.description.abstract | Many Android apps include third-party libraries for advertising, payment, social media, etc. However, since the library code runs with the same privilege as the app code, the app developer has to either trust the library, a potential security risk, or refrain from using untrusted libraries. We designed and implemented SurgeScan, a framework for specifying and enforcing security policies on untrusted third-party code. We call this third-party code plugins, as SurgeScan supports both statically and dynamically loaded code. SurgeScan consists of a static analysis component and a code rewriting component. To use SurgeScan, the app developer selects a security policy that declares security-sensitive methods in the Android API. Then, using static analysis, SurgeScan finds all the Android API calls in the plugin binary that may reach those security-sensitive methods, and generates AspectJ code for enforcing the security policy on those API calls. Next, SurgeScan runs AspectJ to weave the policy into the plugin. After that, the app can safely load the plugin. SurgeScan requires no modification to the OS and incurs negligible runtime overhead. We describe our algorithms for achieving high accuracy in our static analysis. To evaluate SurgeScan, we designed policies on network and sensor access and applied them to open source apps. We demonstrated various use scenarios for SurgeScan, including securing distributed network measurement, securing ad libraries, controlling UI and screen real estate, and patching applications. | - |
dc.language | eng | - |
dc.relation.ispartof | 2017 IEEE SmartWorld Ubiquitous Intelligence and Computing, Advanced and Trusted Computed, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People and Smart City Innovation, SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI 2017 - Conference Proceedings | - |
dc.title | SurgeScan: Enforcing security policies on untrusted third-party Android libraries | - |
dc.type | Conference_Paper | - |
dc.description.nature | link_to_subscribed_fulltext | - |
dc.identifier.doi | 10.1109/UIC-ATC.2017.8397610 | - |
dc.identifier.scopus | eid_2-s2.0-85050204835 | - |
dc.identifier.spage | 1 | - |
dc.identifier.epage | 8 | - |