Abstract
The use of native code (ARM binary code) libraries in Android apps greatly promotes the execution performance of frequently used algorithms. Nonetheless, it increases the complexity of app assessment since the binary code analysis is often sophisticated and time-consuming. As a result, many defects still exist in native code libraries and potentially threat the security of users. To assess the native code libraries, current researches mainly focus on the API invoking correctness and less dive into the details of code. Hence, flaws may hide in internal implementation when the analysis of API does not discover them effectively.
The assessment of native code requires a more detailed code comprehension process to pinpoint flaws. In response, we design and implement NativeSpeaker, an Android native code analysis system to assess native code libraries. NativeSpeaker provides not only the capability of recognizing certain pattern related to security flaws, but also the functionality of discovering and comparing native code libraries among a large-scale collection of apps from non-official Android markets. With the help of NativeSpeaker, we analyzed 20,353 dynamic libraries (.so) collected from 20,000 apps in non-official Android markets. Particularly, our assessment focuses on searching crypto misuse related insecure code pattern in those libraries. The analyzing results show even for those most frequently used (top 1%) native code libraries, one third of them contain at least one misuse. Furthermore, our observation indicates the misuse of crypto is often related to insecure data communication: about 25% most frequently used native code libraries suffer from this flaw. Our conducted analysis revealed the necessity of in-depth security assessment against popular native code libraries, and proved the effectiveness of the designed NativeSpeaker system.
This work was partially supported by the Key Program of National Natural Science Foundation of China (Grants No. U1636217), the Major Project of the National Key Research Project (Grants No. 2016YFB0801200), and the Technology Project of Shanghai Science and Technology Commission under Grants No. 15511103002.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bouncy castle. https://www.bouncycastle.org/
Ida-python. https://github.com/idapython/src/
N-gram wiki. https://en.wikipedia.org/wiki/N-gram
openssl project. https://www.openssl.org/
Spongy castle. https://rtyley.github.io/spongycastle/
Acar, Y., Backes, M., Bugiel, S., Fahl, S., McDaniel, P., Smith, M.: SoK: lessons learned from android security research for appified software platforms. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 433–451. IEEE (2016)
Afonso, V.M., de Geus, P.L., Bianchi, A., Fratantonio, Y., Kruegel, C., Vigna, G., Doupé, A., Polino, M.: Going native: using a large-scale analysis of android apps to create a practical native-code sandboxing policy. In: NDSS (2016)
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Not. 49(6), 259–269 (2014)
Backes, M., Bugiel, S., Derr, E.: Reliable third-party library detection in android and its security applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 356–367. ACM (2016)
Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 621–634. ACM (2009)
Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 73–84. ACM (2013)
Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)
Enck, W., Octeau, D., McDaniel, P.D., Chaudhuri, S.: A study of android application security. In: USENIX Security Symposium, vol. 2, p. 2 (2011)
Henderson, A., Prakash, A., Yan, L.K., Hu, X., Wang, X., Zhou, R., Yin, H.: Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. In: Proceedings of the 2014 International Symposium on Software Testing and Analysis, pp. 248–258. ACM (2014)
Li, L., Bissyandé, T.F., Klein, J., Le Traon, Y.: An investigation into the use of common libraries in android apps. In: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 1, pp. 403–414. IEEE (2016)
Li, M., Wang, W., Wang, P., Wang, S., Wu, D., Liu, J., Xue, R., Huo, W.: LibD: scalable and precise third-party library detection in android markets. In: Proceedings of the 39th International Conference on Software Engineering, pp. 335–346. IEEE Press (2017)
Meng, X., Miller, B.P.: Binary code is not easy. In: Proceedings of the 25th International Symposium on Software Testing and Analysis, pp. 24–35. ACM (2016)
Mochihashi, D., Yamada, T., Ueda, N.: Bayesian unsupervised word segmentation with nested Pitman-Yor language modeling. In: Proceedings of the Joint Conference of the 47th Annual Meeting of the ACL and the 4th International Joint Conference on Natural Language Processing of the AFNLP: vol. 1, pp. 100–108. Association for Computational Linguistics (2009)
Qian, C., Luo, X., Shao, Y., Chan, A.T.: On tracking information flows through JNI in android applications. In: 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 180–191. IEEE (2014)
Shuai, S., Guowei, D., Tao, G., Tianchang, Y., Chenjie, S.: Modelling analysis and auto-detection of cryptographic misuse in android applications. In: 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), pp. 75–80. IEEE (2014)
Sun, M., Tan, G.: NativeGuard: protecting android applications from third-party native libraries. In: Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks, pp. 165–176. ACM (2014)
Yan, L.-K., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: USENIX Security Symposium, pp. 569–584 (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
AÂ Appendix
Monitored JNI Functions
AllocObject | CallStaticBooleanMethod | GetDoubleArrayRegion | NewObjectA |
CallBooleanMethod | CallStaticBooleanMethodA | GetDoubleField | NewObjectArray |
CallBooleanMethodA | CallStaticBooleanMethodV | GetFieldID | NewObjectV |
AllocObject | CallStaticBooleanMethod | GetDoubleArrayRegion | NewObjectA |
CallBooleanMethod | CallStaticBooleanMethodA | GetDoubleField | NewObjectArray |
CallBooleanMethodA | CallStaticBooleanMethodV | GetFieldID | NewObjectV |
CallBooleanMethodV | CallStaticByteMethod | GetFloatArrayElements | NewShortArray |
CallByteMethod | CallStaticByteMethodA | GetFloatArrayRegion | NewString |
CallByteMethodA | CallStaticByteMethodV | GetFloatField | NewStringUTF |
CallByteMethodV | CallStaticCharMethod | GetIntArrayElements | NewWeakGlobalRef |
CallCharMethod | CallStaticCharMethodA | GetIntArrayRegion | PopLocalFrame |
CallCharMethodA | CallStaticCharMethodV | GetIntField | PushLocalFrame |
CallCharMethodV | CallStaticDoubleMethod | GetJavaVM | RegisterNatives |
CallDoubleMethod | CallStaticDoubleMethodA | GetLongArrayElements | ReleaseBooleanArrayElements |
CallDoubleMethodA | CallStaticDoubleMethodV | GetLongArrayRegion | ReleaseByteArrayElements |
CallDoubleMethodV | CallStaticFloatMethod | GetLongField | ReleaseCharArrayElements |
CallFloatMethod | CallStaticFloatMethodA | GetMethodArgs | ReleaseDoubleArrayElements |
CallFloatMethodA | CallStaticFloatMethodV | GetMethodID | ReleaseFloatArrayElements |
CallFloatMethodV | CallStaticIntMethod | GetObjectArrayElement | ReleaseIntArrayElements |
CallIntMethod | CallStaticIntMethodA | GetObjectClass | ReleaseLongArrayElements |
CallIntMethodA | CallStaticIntMethodV | GetObjectField | ReleasePrimitiveArrayCritical |
CallIntMethodV | CallStaticLongMethod | GetPrimitiveArrayCritical | ReleaseShortArrayElements |
CallLongMethod | CallStaticLongMethodA | GetShortArrayElements | ReleaseStringChars |
CallLongMethodA | CallStaticLongMethodV | GetShortArrayRegion | ReleaseStringCritical |
CallLongMethodV | CallStaticObjectMethod | GetShortField | ReleaseStringUTFChars |
CallNonvirtualBooleanMethod | CallStaticObjectMethodA | GetStaticBooleanField | reserved1 |
CallNonvirtualBooleanMethodA | CallStaticObjectMethodV | GetStaticByteField | reserved2 |
CallNonvirtualBooleanMethodV | CallStaticShortMethod | GetStaticCharField | reserved3 |
CallNonvirtualByteMethod | CallStaticShortMethodA | GetStaticDoubleField | SetBooleanArrayRegion |
CallNonvirtualByteMethodA | CallStaticShortMethodV | GetStaticFieldID | SetBooleanField |
CallNonvirtualByteMethodV | CallStaticVoidMethod | GetStaticFloatField | SetByteArrayRegion |
CallNonvirtualCharMethod | CallStaticVoidMethodA | GetStaticIntField | SetByteField |
CallNonvirtualCharMethodA | CallStaticVoidMethodV | GetStaticLongField | SetCharArrayRegion |
CallNonvirtualCharMethodV | CallVoidMethod | GetStaticMethodID | SetCharField |
CallNonvirtualDoubleMethod | CallVoidMethodA | GetStaticObjectField | SetDoubleArrayRegion |
CallNonvirtualDoubleMethodA | CallVoidMethodV | GetStaticShortField | SetDoubleField |
CallNonvirtualDoubleMethodV | DefineClass | GetStringChars | SetFloatArrayRegion |
CallNonvirtualFloatMethod | DeleteGlobalRef | GetStringCritical | SetFloatField |
CallNonvirtualFloatMethodA | DeleteLocalRef | GetStringLength | SetIntArrayRegion |
CallNonvirtualFloatMethodV | DeleteWeakGlobalRef | GetStringRegion | SetIntField |
CallNonvirtualIntMethod | EnsureLocalCapacity | GetStringUTFChars | SetLongArrayRegion |
CallNonvirtualIntMethodA | ExceptionCheck | GetStringUTFLength | SetLongField |
CallNonvirtualIntMethodV | ExceptionClear | GetStringUTFRegion | SetObjectArrayElement |
CallNonvirtualLongMethod | ExceptionDescribe | GetSuperclass | SetObjectField |
CallNonvirtualLongMethodA | ExceptionOccurred | GetVersion | SetShortArrayRegion |
CallNonvirtualLongMethodV | FatalError | IsAssignableFrom | SetShortField |
CallNonvirtualObjectMethod | FindClass | IsInstanceOf | SetStaticBooleanField |
CallNonvirtualObjectMethodA | FromReflectedField | IsSameObject | SetStaticByteField |
CallNonvirtualObjectMethodV | FromReflectedMethod | MonitorEnter | SetStaticCharField |
CallNonvirtualShortMethod | GetArrayLength | MonitorExit | SetStaticDoubleField |
CallNonvirtualShortMethodA | GetBooleanArrayElements | NewBooleanArray | SetStaticFloatField |
CallNonvirtualShortMethodV | GetBooleanArrayRegion | NewByteArray | SetStaticIntField |
CallNonvirtualVoidMethod | GetBooleanField | NewCharArray | SetStaticLongField |
CallNonvirtualVoidMethodA | GetByteArrayElements | NewDirectByteBuffer | SetStaticObjectField |
CallNonvirtualVoidMethodV | GetByteArrayRegion | NewDoubleArray | SetStaticShortField |
CallObjectMethod | GetByteField | NewFloatArray | Throw |
CallObjectMethodA | GetCharArrayElements | NewGlobalRef | ThrowNew |
CallObjectMethodV | GetCharArrayRegion | NewIntArray | ToReflectedField |
CallShortMethod | GetCharField | NewLocalRef | UnregisterNatives |
CallShortMethodA | GetDirectBufferAddress | NewLongArray | Â |
CallShortMethodV | GetDoubleArrayElements | NewObject | Â |
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Wang, Q. et al. (2018). NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries. In: Chen, X., Lin, D., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2017. Lecture Notes in Computer Science(), vol 10726. Springer, Cham. https://doi.org/10.1007/978-3-319-75160-3_19
Download citation
DOI: https://doi.org/10.1007/978-3-319-75160-3_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75159-7
Online ISBN: 978-3-319-75160-3
eBook Packages: Computer ScienceComputer Science (R0)