Driving Apps to Test Third-Party Component Security · 2019-12-18 · Brahmastra vs. Monkeys

Posted on 02-Aug-2020

TRANSCRIPT

Driving Apps to Test Third-Party Component Security

Jaeyeon Jung, Microsoft Research, jjung@microsoft.com

Collaborators

3rd-party components used commonly

http://www.appbrain.com/stats/libraries/social

3rd-party components commonly used

http://www.prlog.org/10983527-hipaa-security-risk-analysis.jpg

Goal

app store operators, security researchers

at runtime

Key findings

2.7x

ad component

Facebook Connect

Example

Why not use Monkeys?

[Figure: monkey-testing illustration, the same frame repeated six times as slide animation; labels A1, A2, A3, A4, P12, P34, E1, E2, E3, E4, E5]

Our approach

Brahmastra vs. Monkeys

[Figure: Brahmastra-versus-monkey comparison, six animation frames; first frames show labels A1, E1 E2 E3 E4 E5, A2 A3 A4, P12 P34; later frames show A3 alone, then only E4 E5, A3 A4, P34 and A3]

Execution Planner

Execution Planner: call graph (the same graph is shown across several animation frames)

[Figure: call graph; nodes listed by class]
Facebook: authorize
ShareActivity: onCreate, onShareClick, onFacebookShare, share
Home: onCreate, onOptionsItemSelected, showFeedBack, showMoreApps, showAbout (leads to AboutBox)
AboutBox: onCreate, onLikeClicked
HomeFree: onCreate
...

Edge types annotated on the graph:
(2) Activity transitions
(3) Implicit calls due to user interactions

Execution Planner: resulting execution path
-> Home.onCreate
-> Home.onOptionsItemSelected
-> AboutBox.onCreate
-> AboutBox.onLikeClicked
-> ShareActivity.onCreate
-> ShareActivity.onShareClick
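The planner's job, as the slides sketch it, is to find a path through the app's call graph from an entry activity to a method inside the third-party component, so the execution engine can drive the app along that path instead of waiting for a random monkey to stumble onto it. The following is an added example, not code from the slides or from the Brahmastra project: a small breadth-first planner over a constructed graph. The node names are the ones on the slide; the edges and their kinds (direct call, activity transition, implicit call due to user interaction) are assumptions reconstructed from the listed execution path, not the real app's code.

```python
"""
Constructed example of an execution planner: search an Android app's call
graph for a path from an entry activity to a third-party component method
(here Facebook.authorize) and report which steps a test driver must perform.

The graph below is an assumption built from the node names and the execution
path shown on the slide, not the app's actual call graph.
"""
from collections import deque

DIRECT = "direct call"
TRANSITION = "activity transition"          # slide's edge type (2)
IMPLICIT = "implicit call (user interaction)"  # slide's edge type (3)

# (caller, callee, kind) -- constructed edges
EDGES = [
    ("Home.onCreate", "Home.onOptionsItemSelected", IMPLICIT),
    ("Home.onOptionsItemSelected", "Home.showFeedBack", DIRECT),
    ("Home.onOptionsItemSelected", "Home.showMoreApps", DIRECT),
    ("Home.onOptionsItemSelected", "Home.showAbout", DIRECT),
    ("Home.showAbout", "AboutBox.onCreate", TRANSITION),
    ("AboutBox.onCreate", "AboutBox.onLikeClicked", IMPLICIT),
    ("AboutBox.onLikeClicked", "ShareActivity.onCreate", TRANSITION),
    ("ShareActivity.onCreate", "ShareActivity.onShareClick", IMPLICIT),
    ("ShareActivity.onShareClick", "ShareActivity.onFacebookShare", DIRECT),
    ("ShareActivity.onFacebookShare", "ShareActivity.share", DIRECT),
    ("ShareActivity.share", "Facebook.authorize", DIRECT),
]


def build_graph(edges):
    """Adjacency list: node -> list of (callee, edge kind)."""
    graph = {}
    for caller, callee, kind in edges:
        graph.setdefault(caller, []).append((callee, kind))
        graph.setdefault(callee, [])
    return graph


def plan_path(edges, entry, target):
    """Shortest path (BFS) from entry to target, or None if unreachable.

    An unreachable target means the planner cannot steer the app to the
    component from this entry point, which is exactly the case random
    monkey input also tends to miss.
    """
    graph = build_graph(edges)
    if entry not in graph:
        return None
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee, _kind in graph[node]:
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def driver_steps(edges, path):
    """Edges on the path that the execution engine must trigger itself.

    Direct calls happen on their own once the caller runs; activity
    transitions and implicit user-interaction calls need a driver action
    (navigate to the activity, tap the control), so only those are returned.
    """
    kinds = {(a, b): k for a, b, k in edges}
    return [(src, dst, kinds[(src, dst)])
            for src, dst in zip(path, path[1:])
            if kinds[(src, dst)] != DIRECT]


if __name__ == "__main__":
    route = plan_path(EDGES, "Home.onCreate", "Facebook.authorize")
    print("path:", " -> ".join(route))
    for src, dst, kind in driver_steps(EDGES, route):
        print(f"drive {kind}: {src} => {dst}")
    print("from HomeFree.onCreate:", plan_path(EDGES, "HomeFree.onCreate",
                                               "Facebook.authorize"))
```

Run as-is it prints the ten-node path to Facebook.authorize and the five driver actions along it; the second query shows the unreachable case, since HomeFree.onCreate has no constructed edges in this graph.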

Execution Engine

Methodology

Hit rate

Test speed

COPPA

Test goal

Test procedure

Results: types of personal info. collected by landing pages

Information Type        % apps
Home Address            26%
First and last name     79%
Online contact          42%
Phone number             7%
TOTAL                   80%

Results: child-inappropriate content in ads

Content Type                  % apps
Child Exploitation             3%
Gambling                       1%
Misrepresentation              7%
Violence, weapons or gore      2%
Alcohol, tobacco, drugs        2%
Profanity and vulgarity        0%
Free Prize                    26%
Sexual Content                13%
TOTAL                         36%

Summary

ad component

Facebook Connect

Questions?
