Our usability and compatibility experiments with 32 popular
Android apps show that app developers can easily adopt
FLEXDROID’s policy to third-party libraries without any code
modification except the manifest. Also, our evaluation shows
that FLEXDROID successfully regulates resource access of
third-party libraries with imperceptible performance overheads.
ACKNOWLEDGMENT
We thank the anonymous reviewers and our shepherd,
David Lie, for their helpful feedback. This work was supported
in part by an Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea
government (MSIP) (No.10041313, UX-oriented Mobile SW
Platform). Taesoo Kim was supported in part by the NSF award
(DGE-1500084), by the ONR grant (N00014-15-1-2162), and
by the DARPA Transparent Computing program under contract
No. DARPA-15-15-TC-FP-006.