Geochang JEON Jeong Hyun YI Haehyun CHO
Anonymous attackers have been targeting the Android ecosystem for performing severe malicious activities. Despite the complement of various vulnerabilities by security researchers, new vulnerabilities are continuously emerging. In this paper, we introduce a new type of vulnerability that can be exploited to hide data in an application file, bypassing the Android's signing policy. Specifically, we exploit padding areas that can be created by using the alignment option when applications are packaged. We present a proof-of-concept implementation for exploiting the vulnerability. Finally, we demonstrate the effectiveness of VeileDroid by using a synthetic application that hides data in the padding area and updates the data without re-signing and updating the application on an Android device.
Wenhao FAN Dong LIU Fan WU Bihua TANG Yuan'an LIU
Android operating system occupies a high share in the mobile terminal market. It promotes the rapid development of Android applications (apps). However, the emergence of Android malware greatly endangers the security of Android smartphone users. Existing research works have proposed a lot of methods for Android malware detection, but they did not make the utilization of apps' functional category information so that the strong similarity between benign apps in the same functional category is ignored. In this paper, we propose an Android malware detection scheme based on the functional classification. The benign apps in the same functional category are more similar to each other, so we can use less features to detect malware and improve the detection accuracy in the same functional category. The aim of our scheme is to provide an automatic application functional classification method with high accuracy. We design an Android application functional classification method inspired by the hyperlink induced topic search (HITS) algorithm. Using the results of automatic classification, we further design a malware detection method based on app similarity in the same functional category. We use benign apps from the Google Play Store and use malware apps from the Drebin malware set to evaluate our scheme. The experimental results show that our method can effectively improve the accuracy of malware detection.
In this paper, we consider the collaborative editing of two-dimensional (2D) data such as handwritten letters and illustrations. In contrast to the editing of 1D data, which is generally realized by the combination of insertion/deletion of characters, overriding of strokes can have a specific meaning in editing 2D data. In other words, the appearance of the resulting picture depends on the reflection order of strokes to the shared canvas in addition to the absolute coordinate of the strokes. We propose a Peer-to-Peer (P2P) collaborative drawing system consisting of several nodes with replica canvas, in which the consistency among replica canvases is maintained through data channel of WebRTC. The system supports three editing modes concerned with the reflection order of strokes generated by different users. The result of experiments indicates that the proposed system realizes a short latency of around 120 ms, which is a half of a cloud-based system implemented with Firebase Realtime Database. In addition, it realizes a smooth drawing of pictures on remote canvases with a refresh rate of 12 fps.
Hiroya KATO Shuichiro HARUTA Iwao SASASE
Detecting Android malwares is imperative. As a promising Android malware detection scheme, we focus on the scheme leveraging the differences of traffic patterns between benign apps and malwares. Those differences can be captured even if the packet is encrypted. However, since such features are just statistic based ones, they cannot identify whether each traffic is malicious. Thus, it is necessary to design the scheme which is applicable to encrypted traffic data and supports identification of malicious traffic. In this paper, we propose an Android malware detection scheme based on level of SSL server certificate. Attackers tend to use an untrusted certificate to encrypt malicious payloads in many cases because passing rigorous examination is required to get a trusted certificate. Thus, we utilize SSL server certificate based features for detection since their certificates tend to be untrusted. Furthermore, in order to obtain the more exact features, we introduce required permission based weight values because malwares inevitably require permissions regarding malicious actions. By computer simulation with real dataset, we show our scheme achieves an accuracy of 92.7%. True positive rate and false positive rate are 5.6% higher and 3.2% lower than the previous scheme, respectively. Our scheme can cope with encrypted malicious payloads and 89 malwares which are not detected by the previous scheme.
Kyohei OSUGE Hiroya KATO Shuichiro HARUTA Iwao SASASE
Android malwares are rapidly becoming a potential threat to users. Among several Android malware detection schemes, the scheme using Inter-Component Communication (ICC) is gathering attention. That scheme extracts numerous ICC-related features to detect malwares by machine learning. In order to mitigate the degradation of detection performance caused by redundant features, Correlation-based Feature Selection (CFS) is applied to feature before machine learning. CFS selects useful features for detection in accordance with the theory that a good feature subset has little correlation with mutual features. However, CFS may remove useful ICC-related features because of strong correlation between them. In this paper, we propose an effective feature selection scheme for Android ICC-based malware detection using the gap of the appearance ratio. We argue that the features frequently appearing in either benign apps or malwares are useful for malware detection, even if they are strongly correlated with each other. To select useful features based on our argument, we introduce the proportion of the appearance ratio of a feature between benign apps and malwares. Since the proportion can represent whether a feature frequently appears in either benign apps or malwares, this metric is useful for feature selection based on our argument. Unfortunately, the proportion is ineffective when a feature appears only once in all apps. Thus, we also introduce the difference of the appearance ratio of a feature between benign apps and malwares. Since the difference simply represents the gap of the appearance ratio, we can select useful features by using this metric when such a situation occurs. By computer simulation with real dataset, we demonstrate our scheme improves detection accuracy by selecting the useful features discarded in the previous scheme.
Takuya WATANABE Mitsuaki AKIYAMA Tetsuya SAKAI Hironori WASHIZAKI Tatsuya MORI
Permission warnings and privacy policy enforcement are widely used to inform mobile app users of privacy threats. These mechanisms disclose information about use of privacy-sensitive resources such as user location or contact list. However, it has been reported that very few users pay attention to these mechanisms during installation. Instead, a user may focus on a more user-friendly source of information: text description, which is written by a developer who has an incentive to attract user attention. When a user searches for an app in a marketplace, his/her query keywords are generally searched on text descriptions of mobile apps. Then, users review the search results, often by reading the text descriptions; i.e., text descriptions are associated with user expectation. Given these observations, this paper aims to address the following research question: What are the primary reasons that text descriptions of mobile apps fail to refer to the use of privacy-sensitive resources? To answer the research question, we performed an empirical large-scale study using a huge volume of apps with our ACODE (Analyzing COde and DEscription) framework, which combines static code analysis and text analysis. We developed light-weight techniques so that we can handle hundreds of thousands of distinct text descriptions. We note that our text analysis technique does not require manually labeled descriptions; hence, it enables us to conduct a large-scale measurement study without requiring expensive labeling tasks.
Our analysis of 210,000 apps, including free and paid, and multilingual text descriptions collected from official and third-party Android marketplaces revealed four primary factors that are associated with the inconsistencies between text descriptions and the use of privacy-sensitive resources: (1) existence of app building services/frameworks that tend to add API permissions/code unnecessarily, (2) existence of prolific developers who publish many applications that unnecessarily install permissions and code, (3) existence of secondary functions that tend to be unmentioned, and (4) existence of third-party libraries that access the privacy-sensitive resources. We believe that these findings will be useful for improving users' awareness of privacy on mobile software distribution platforms.
So HIGASHIKAWA Tomoaki KOSUGI Shogo KITAJIMA Masahiro MAMBO
We study an authentication method using secret figures of Pattern Lock, called pass patterns. In recent years, it is important to prevent the leakage of personal and company information on mobile devices. Android devices adopt a login authentication called Pattern Lock, which achieves both high resistance to Brute Force Attack and usability by virtue of pass pattern. However, Pattern Lock has a problem that pass patterns directly input to the terminal can be easily remembered by shoulder-surfing attack. In this paper, we propose a shoulder-surfing resistant authentication using pass pattern of Pattern Lock, which adopts a challenge & response authentication and also uses users' short-term memory. We implement the proposed method as an Android application and measure success rate, authentication time and the resistance against shoulder surfing. We also evaluate security and usability in comparison with related work.
Yuta ISHII Takuya WATANABE Mitsuaki AKIYAMA Tatsuya MORI
Android is one of the most popular mobile device platforms. However, since Android apps can be disassembled easily, attackers inject additional advertisements or malicious codes to the original apps and redistribute them. There are a non-negligible number of such repackaged apps. We generally call those malicious repackaged apps “clones.” However, there are apps that are not clones but are similar to each other. We call such apps “relatives.” In this work, we developed a framework called APPraiser that extracts similar apps and classifies them into clones and relatives from the large dataset. We used the APPraiser framework to study over 1.3 million apps collected from both official and third-party marketplaces. Our extensive analysis revealed the following findings: In the official marketplace, 79% of similar apps were attributed to relatives, while in the third-party marketplace, 50% of similar apps were attributed to clones. The majority of relatives are apps developed by prolific developers in both marketplaces. We also found that in the third-party market, of the clones that were originally published in the official market, 76% of them are malware.
Jinwoo LEE Jae Woo SEO Kookrae CHO Pil Joong LEE Dae Hyun YUM
The Android pattern unlock is a widely adopted graphical password system that requires a user to draw a secret pattern connecting points arranged in a grid. The theoretical security of pattern unlock can be defined by the number of possible patterns. However, only upper bounds of the number of patterns have been known except for 3×3 and 4×4 grids for which the exact number of patterns was found by brute-force enumeration. In this letter, we present the first lower bound by computing the minimum number of visible points from each point in various subgrids.
Jinwoo LEE Jae Woo SEO Kookrae CHO Pil Joong LEE Juneyeun KIM Seung Hoon CHOI Dae Hyun YUM
The Android pattern unlock is a popular graphical password scheme, where a user is presented a 3×3 grid and required to draw a pattern on the onscreen grid. Each pattern is a sequence of at least four contact points with some restrictions. Theoretically, the security level of unlock patterns is determined by the size of the pattern space. However, the number of possible patterns is only known for 3×3 and 4×4 grids, which was computed by brute-force enumeration. The only mathematical formula for the number of possible patterns is a permutation-based upper bound. In this article, we present an improved upper bound by counting the number of “visible” points that can be directly reached by a point.
Woo Hyun AHN Sanghyeon PARK Jaewon OH Seung-Ho LIM
In Android OS, we discover that a notification service called inotify is a new side-channel allowing malware to identify file accesses associated with the display of a security-relevant UI screen. This paper proposes a phishing attack that detects victim UI screens by their file accesses in applications and steals private information.
Hung-Cheng CHANG Kuei-Chung CHANG Ying-Dar LIN Yuan-Cheng LAI
Most Android applications are written in JAVA and run on a Dalvik virtual machine. For smartphone vendors and users who wish to know the performance of an application on a particular smartphone but cannot obtain the source code, we propose a new technique, Dalvik Profiler for Applications (DPA), to profile an Android application on a Dalvik virtual machine without the support of source code. Within a Dalvik virtual machine, we determine the entry and exit locations of a method, log its execution time, and analyze the log to determine the performance of the application. Our experimental results show an error ratio of less than 5% from the baseline tool Traceview which instruments source code. The results also show some interesting behaviors of applications and smartphones: the performance of some smartphones with higher hardware specifications is 1.5 times less than the phones with lower specifications. DPA is now publicly available as an open source tool.
Soo Hyeon KIM Daewan HAN Dong Hoon LEE
The built-in Pseudo Random Number Generator (PRNG) of OpenSSL on Android platform is important for producing the encryption keys and nonce needed for SSL/TLS communication. In addition, it is also widely used in generating random numbers for many applications irrelevant to SSL. We demonstrated that the initial OpenSSL PRNG state of Android apps can be restored practically, and claimed that a PreMasterSecret (PMS) can be recovered in certain apps using the RSA key agreement scheme at CCS2013. In this paper, we investigate more deeply the practical effect of the predictability of OpenSSL PRNG. First, we precisely analyze, and reduce the complexity of a PMS recovery attack on SSL with the RSA key exchange by analyzing the ASLR mechanism of Android. As a result, we show that the PMS can be recovered in O(2^46) computations with a probability of 25%. Next, we show that the attack is also applicable to the PMS of the ECDH key exchange by analyzing the heap memory pattern. We confirmed experimentally that the PMS can be recovered in real-time with a probability of 20%. Finally, we show the relation between the predictability of OpenSSL PRNG and the vulnerability of Android SecureRandom java class.
Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering with personal information in the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages.
Smartphones have become vital devices in the current on-the-go Thai culture. Typically, virtual keyboards serve as tools for text input on smartphones. Due to the limited screen area and the large number of Thai characters, the size of each button on the keyboard is quite small. This leads to character mistyping and low typing speed. In this paper, we present a typical framework of a Thai Input Method on smartphones which includes four processes; Character Candidate Generation, Word Candidate Generation, Word Candidate Display, and Model Update. This framework not only works with Thai, it works with other letter-based languages as well. We also review virtual keyboards and techniques currently used and available for Thai text input.
Tetsuya KANDA Yuki MANABE Takashi ISHIO Makoto MATSUSHITA Katsuro INOUE
It is not always easy for an Android user to choose the most suitable application for a particular task from the great number of applications available. In this paper, we propose a semi-automatic approach to extract feature names from Android applications. The case study verifies that we can associate common sequences of Android API calls with feature names.
Ying-Dar LIN Kuei-Chung CHANG Yuan-Cheng LAI Yu-Sheng LAI
The computing of applications in embedded devices suffers tight constraints on computation and energy resources. Thus, it is important that applications running on these resource-constrained devices are aware of the energy constraint and are able to execute efficiently. The existing execution time and energy profiling tools could help developers to identify the bottlenecks of applications. However, the profiling tools need large space to store detailed profiling data at runtime, which is a hard demand upon embedded devices. In this article, a reconfigurable multi-resolution profiling (RMP) approach is proposed to handle this issue on embedded devices. It first instruments all profiling points into source code of the target application and framework. Developers can narrow down the causes of bottleneck by adjusting the profiling scope using the configuration tool step by step without recompiling the profiled targets. RMP has been implemented as an open source tool on Android systems. Experiment results show that the required log space using RMP for a web browser application is 25 times smaller than that of Android debug class, and the profiling error rate of execution time is proven 24 times lower than that of debug class. Besides, the CPU and memory overheads of RMP are only 5% and 6.53% for the browsing scenario, respectively.
This paper presents an algorithmic approach to acquiring the influencing relationships among users by discovering implicit influencing group structure from smartphone usage. The method assumes that a time series of users' application downloads and activations can be represented by individual inter-personal influence factors. To achieve better predictive performance and also to avoid over-fitting, a latent feature model is employed. The method tries to extract the latent structures by monitoring cross validating predictive performances on approximated influence matrices with reduced ranks, which are generated based on an initial influence matrix obtained from a training set. The method adopts Nonnegative Matrix Factorization (NMF) to reduce the influence matrix dimension and thus to extract the latent features. To validate and demonstrate its ability, about 160 university students voluntarily participated in a mobile application usage monitoring experiment. An empirical study on real collected data reveals that the influencing structure consisted of six influencing groups with two types of mutual influence, i.e. intra-group influence and inter-group influence. The results also highlight the importance of sparseness control on NMF for discovering latent influencing groups. The obtained influencing structure provides better predictive performance than state-of-the-art collaborative filtering methods as well as conventional methods such as user-based collaborative filtering techniques and simple popularity.
Hikaru OOKURA Hiroshi YAMAMOTO Katsuyuki YAMAZAKI
In this paper, we have proposed a new method of observing walking traces, which can observe people's indoor movement for life-logging. Particularly emphasized new techniques in this paper are methods to detect locations, where walking directions are changed, by analyzing azimuth orientations measured by an orientation sensor of an Android mobile device, and to decide walking traces by a map matching with a vector map. The experimental evaluation has shown that the proposed method can determine the correct paths of walking traces.