Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment

Automated Assessment of Security Risks for Mobile Applications

Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie
Department of Computer Science, North Carolina State University




Page 3:

Source: https://blog.lookout.com/blog/2011/12/12/2012-mobile-threat-predictions

Lookout Mobile Security has reported that Android malware resulted in a loss of US $1 million in 2011.

Page 4:

Source: http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf

F-Secure Mobile Threat Report Q4 2012

Page 5: Approach to Mobile App Distribution

Open system: the developer releases the app on the Play Store, and users can directly install the app.

Security: the user has to explicitly grant the permissions requested by the app.

Page 6: Problem

Felt, Adrienne Porter, et al. "Android permissions: User attention, comprehension, and behavior." Proceedings of the Eighth Symposium on Usable Privacy and Security. ACM, 2012.

Only 17% of users (participating in the study) paid attention to permissions.

Page 7:

Source: http://security.networksasia.net/system/files/Security+Asia+-+Symantec+-+Motivations+of+recent+android+malware.PDF

Motivations of Recent Android Malware

"Yet another modification of the Google Android Snake game. This one listens to the taps for its turn directions."

Page 8: Solution

Page 9: Simple Solution: Keyword-based Search

Keyword-based search on application descriptions.

Page 10: Problems with Keyword-based Search

Confounding effects: certain keywords, such as "contact", have a confounding meaning, e.g. "... displays user contact ..." versus "... contact me at [email protected]".

Semantic inference: sentences often describe a sensitive operation, such as reading contacts, without actually using the keyword "contact", e.g. "share yoga exercises with your friends via email, sms."

Page 11: WHYPER Implementation

Figure: WHYPER architecture. Components shown: APP Description, NLP Parser, API Docs, APP Permission Semantic Engine, WHYPER, Annotated Description.

Page 12: Example

Page 13: Example

"For suggestion please contact me at [email protected]"

Page 14: Example

"Also you can share the yoga exercise to your friends via Email and SMS."

Email is a sub-resource of Contacts; "share" is semantically equivalent to "send".
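To make the contrast between the keyword baseline (Page 10) and the semantic matching illustrated on Pages 13 and 14 concrete, here is an added Python example that is not WHYPER's own code: a substring keyword search beside a much-simplified matcher that encodes the two annotations above (Email is a sub-resource of Contacts, share is equivalent to send) and scores both on constructed sentences. The permission graph, synonym table, keyword list and sample sentences are hand-written assumptions, not the model WHYPER derives from the API docs.

```python
import re
# Constructed, hand-written stand-in for WHYPER's permission semantic graph: each
# permission maps to a resource plus its sub-resources (Email is a sub-resource of
# Contacts) and to actions on them. The real engine derives this from the API docs.
PERMISSION_GRAPH = {
    "READ_CONTACTS": {"resources": {"contact", "contacts", "email", "sms"},
                      "actions": {"read", "send", "display", "access", "import"}},
    "RECORD_AUDIO": {"resources": {"microphone", "audio", "voice"},
                     "actions": {"record", "capture"}},
}
SYNONYMS = {"share": "send", "shares": "send", "sends": "send", "reads": "read",  # share == send
            "displays": "display", "records": "record", "emails": "email"}
KEYWORDS = {"READ_CONTACTS": ["contact"], "RECORD_AUDIO": ["record", "audio"]}  # keyword baseline

def tokens(sentence):
    # Keep an e-mail address as one token so the "email" inside it is not a resource mention.
    words = re.findall(r"\S+@\S+|[a-z]+", sentence.lower())
    return [SYNONYMS.get(w, w) for w in words]

def keyword_match(sentence, permission):
    """Baseline from the earlier slide: flag the sentence if a keyword occurs anywhere in it."""
    text = sentence.lower()
    return any(k in text for k in KEYWORDS[permission])

def semantic_match(sentence, permission):
    """Simplified WHYPER rule: an action from the permission's action set must co-occur
    with the resource or a sub-resource. "contact me at ..." has the resource word but
    no action; "share ... via Email" normalises to send + email and is flagged."""
    toks = tokens(sentence)
    graph = PERMISSION_GRAPH[permission]
    return (any(t in graph["actions"] for t in toks)
            and any(t in graph["resources"] for t in toks))

def evaluate(matcher, labelled, permission):
    """Precision and recall over (sentence, is_permission_sentence) pairs, as on the results slide."""
    tp = fp = fn = 0
    for sentence, truth in labelled:
        flagged = matcher(sentence, permission)
        tp += int(flagged and truth)
        fp += int(flagged and not truth)
        fn += int(truth and not flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

# Constructed description sentences, hand-labelled (True = READ_CONTACTS sentence).
SAMPLE_READ_CONTACTS = [
    ("For suggestions please contact me at dev@example.com", False),
    ("Also you can share the yoga exercise to your friends via Email and SMS.", True),
    ("Displays user contacts in a scrollable list.", True),
    ("Learn to build a fitness routine at home.", False),
]
```

On this sample the keyword baseline scores 50% precision and 50% recall (one confounding false positive, one missed "share ... via Email" sentence) while the semantic rule scores 100% on both; a sentence such as "Blow into the microphone to extinguish the candle" is still missed for RECORD_AUDIO because it names the resource without any recording action, which is the representation gap the deck raises under Improvement.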

Page 15: Evaluation Results

| Permission    | No. of Apps | Sentences | Permission Sentences (Annotated) | Permission Sentences (Identified by WHYPER) | Precision (%) | Recall (%) | F-Score (%) |
|---------------|-------------|-----------|----------------------------------|---------------------------------------------|---------------|------------|-------------|
| READ CONTACTS | 190         | 3379      | 235                              | 204                                         | 91.2          | 79.2       | 84.8        |
| READ CALENDAR | 191         | 2752      | 283                              | 288                                         | 83.7          | 85.2       | 84.5        |
| RECORD AUDIO  | 200         | 3822      | 245                              | 259                                         | 75.3          | 79.6       | 77.4        |
| TOTAL         | 581         | 9953      | 763                              | 751                                         | 82.9          | 81.6       | 82.3        |

Page 16: Evaluation Results Contd.

Delta = WHYPER minus keyword-based search, in percentage points.

| Permission    | Delta Precision | Delta Recall | Delta F-score | Delta Accuracy |
|---------------|-----------------|--------------|---------------|----------------|
| READ CONTACTS | 50.3            | 1.3          | 31.1          | 7.2            |
| READ CALENDAR | 39.2            | 1.5          | 26.3          | 9.2            |
| RECORD AUDIO  | 36.8            | -6.7         | 24.1          | 6.7            |
| TOTAL         | 41.6            | -1.2         | 27.2          | 7.6            |

Page 17: Improvement

Better NLP infrastructure.

Better semantic representation of permissions, e.g. "Blow into the microphone to extinguish candle" and "record calls".

Page 18: Future Work

Refine the NLP infrastructure.

Input from the third-party mobile developers.

Propose security metrics (Transparency Metrics): "quantifying the degree to which an application description describes the privacy and security sensitive operations".

Page 19: Industrial Collaboration

Text analytics for security

Text construction for security

Repository of textual artifacts for security

Page 20: Summary

Our evaluation results show that WHYPER achieves an average precision of 82.8% and an average recall of 81.5% for three permissions. In summary, our results demonstrate great promise in using NLP techniques to assess security risks in mobile applications.