MINING APPS FOR ABNORMAL USAGE OF SENSITIVE DATA
By Anik Ralhan (Paper 8 – Security)
Course Name: SENG 607 L01 - Special Topics in Software Engineering
Supervisor: Prof. Hadi Hemmati
Plan
Authors
Task
Technique
Motivation – an example
Method
Data set
Related work
Critique
Extension
Authors
Vitalii Avdiienko: PhD student; since summer 2014 working as a research assistant at the Software Engineering chair, Saarland University.
Konstantin Kuznetsov: PhD student in the Software Engineering Chair at Saarland University.
Alessandra Gorla: Assistant research professor at the IMDEA Software Institute in Madrid, Spain.
Authors (contd.)
Andreas Zeller: Full professor for Software Engineering at Saarland University in Germany.
Authors (contd.)
Steven Arzt, Siegfried Rasthofer: Researchers, Fraunhofer Institute for Secure Information Technology (SIT).
Prof. Dr. Eric Bodden: Head of Department Secure Software Engineering at Fraunhofer SIT; head of the program committee of the ACM International Symposium on Engineering Secure Software and Systems (ESSoS).
Task
Detecting whether a mobile application behaves as expected is a prominent problem for users.
Technique
Triage: depending on the workload, decide what to analyze, how to analyze it, and what to fix.
Static: like reading a map for directions on where to go.
Dynamic: deeper analysis of the running program to understand hidden functionality.
Technique: MUDFLOW
Not just a pattern match.
Trained on the flows of sensitive data observed in benign apps.
Compares an app's data-flow behavior against that mined from a large set of benign apps.
If the behavior is abnormal, the app is declared malicious!
Motivation – an example (slides 10–12 carry only figures; their content was not extracted)
Method
Step 1: FlowDroid
FlowDroid: the static taint analysis tool, with 86% precision and 93% recall on DroidBench.
The analysis is based on Soot, Heros and SuSi.
The necessary meta-information is extracted from Android's manifest file, dex files and layout XML files.
Method (contd.): running FlowDroid from the command line
java -Xmx4g -cp soot-trunk.jar;soot-infoflow.jar;soot-infoflow-android.jar;slf4j-api-1.7.5.jar;slf4j-simple-1.7.5.jar;axml-2.0.jar soot.jimple.infoflow.android.TestApps.Test "InsecureBank.apk" C:\Users\anik\Downloads\sdk\platforms
-Xmx4g: heap size (the analysis is memory hungry).
-cp ...: the dependencies (Soot, the infoflow libraries, slf4j, axml).
"InsecureBank.apk": the input file, followed by the Android SDK platforms directory.
Method (contd.): FlowDroid output
Call graph.
Number of sources and sinks.
Source-to-sink connections (the detected flows).
Performance analysis.
Method (contd.)
Steps 2 & 3: automatic classification using the ORCA method. Bay & Schwabacher introduced this distance-based outlier detection technique in their 2003 research paper.
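An added illustration of steps 2 and 3 (example code, not from the paper or this presentation): each app's FlowDroid flows become one vector per sensitive source category, an ORCA-style distance-to-nearest-benign-neighbours score is computed per category, and the scores are aggregated. The source and sink names and the sample flows are constructed.

```python
"""ORCA-style outlier scoring of an app's sensitive data flows, modelled on
the MUDFLOW pipeline (FlowDroid flows -> per-category score -> aggregate).
Illustrative code; the category names and all flows below are constructed."""
from collections import Counter
from math import sqrt

SOURCES = ("LOCATION", "UNIQUE_ID", "CONTACTS")  # assumed source categories
SINKS = ("NETWORK", "SMS_MMS")                   # sinks the study kept
IGNORED_SINKS = {"LOG", "INTENT"}                # sinks the study ignored

def flow_vector(flows, source):
    """Count how often `source` reaches each considered sink in one app."""
    counts = Counter(sink for src, sink in flows
                     if src == source and sink not in IGNORED_SINKS)
    return [counts[s] for s in SINKS]

def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def orca_score(vec, benign_vecs, k=2):
    """Distance-based outlier score: mean distance to the k nearest benign apps.
    A benign-looking vector sits close to many neighbours and scores near 0."""
    dists = sorted(euclid(vec, b) for b in benign_vecs)
    return sum(dists[:k]) / k

def category_scores(app_flows, benign_flows, k=2):
    """Step 2: one outlier score per sensitive source category."""
    return {src: orca_score(flow_vector(app_flows, src),
                            [flow_vector(b, src) for b in benign_flows], k)
            for src in SOURCES}

def aggregate(scores):
    """Step 3: aggregate per-category scores; the maximum names the worst category."""
    return max(scores.values())

# Constructed benign corpus: location goes to the network, nothing goes to SMS.
BENIGN = [
    [("LOCATION", "NETWORK"), ("LOCATION", "LOG")],
    [("LOCATION", "NETWORK"), ("UNIQUE_ID", "LOG")],
    [("LOCATION", "NETWORK"), ("LOCATION", "NETWORK"), ("UNIQUE_ID", "INTENT")],
    [("UNIQUE_ID", "NETWORK")],
]
# Constructed suspect: contacts and the device id leave via SMS, unseen in benign apps.
SUSPECT = [("LOCATION", "NETWORK"), ("CONTACTS", "SMS_MMS"),
           ("CONTACTS", "SMS_MMS"), ("UNIQUE_ID", "SMS_MMS")]

if __name__ == "__main__":
    scores = category_scores(SUSPECT, BENIGN)
    print(scores, "aggregate:", aggregate(scores))
```

The LOCATION category scores 0 because the suspect's location flow matches benign apps, while CONTACTS to SMS_MMS is far from every benign vector and dominates the aggregate.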
Data
Benign: the initial test was conducted in March 2014 on 2,950 apps from 30 app categories; 2,866 of them could be tested.
Malicious: 25,577 apps selected from the VirusShare and Genome malware projects; 15,338 apps were actually tested.
Data (contd.)
Log and Intent sinks were ignored; Network and SMS_MMS sinks were kept.
False positives were almost 18.7%.
Outlier scores in individual categories are good indicators of malicious behavior.
Related Work
HP Fortify - different kinds of findings:
  data flows from sensitive sources to public sinks;
  requests for security-sensitive permissions;
  calls to security-sensitive methods.
LeakMiner – appears similar to MUDFLOW; an app can be analyzed in 2.5 minutes on average.
Critique
FlowDroid's performance tuning technique was not used to fix the RAM-size issue that prevented 16 apps from being analyzed.
Extension
1. Optimize the analysis so that apps of varied sizes can be analyzed.
2. Provide results in comparison with the commercial tools available on the market, as discussed, and conduct a survey with industry experts.
Summary
Researchers of the paper
Task – Android apk malware analysis
Technique – Reverse engineering of the .apk file: triage, static and dynamic analysis; MUDFLOW
Motivation – Local restaurant example
Method – Static analysis tools: Step 1 FlowDroid; Step 2 ORCA method; Step 3 aggregate the step 2 scores
Data set – Benign 2866, Malicious 15338
Related work – Commercial tools HP Fortify and IBM AppScan; LeakMiner
Critique – FlowDroid performance tuning
Extension – Optimization, survey with experts