TUM Logo

Developer driven Injection of Security Functionality into Android Apps

For developers, security is often a minor matter due to the lack of time, money, and knowledge, but nevertheless it is very important to protect private data. Therefore we developed several concepts (Precaution, Data-flow Analysis, Control-flow Analysis, Data Encryption, Access Restriction) to support developers to create more secure applications. An important point of this work is the differentiation of Third Party Libraries, because they are often treated like the main application by the system (e.g. Android Permission System). Most of these concepts are based on known vulnerabilities of existing systems and are used to protect applications.We applied these concepts to the Android system and implemented a toolchain to modify Android applications based on the developer’s preferences. We enforce these additional security functionalities by modifying the Dalvik byte-code of the application and can therefore modify the behaviour of Third Party Libraries, too. A developer only has to include our toolchain to his application and mark statements in the source code, because the modification steps are fully automated.

Developer driven Injection of Security Functionality into Android Apps

Supervisor(s): Dennis Titze ,Julian Schütte
Status: finished
Topic: Android stuff
Author: Lukas Heinzmann
Submission: 2016-08-16
Type of Thesis: Bachelorthesis
Proof of Concept No
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Astract:

For developers, security is often a minor matter due to the lack of time, money, and knowledge, but nevertheless it is very important to protect private data. Therefore we developed several concepts (Precaution, Data-flow Analysis, Control-flow Analysis, Data Encryption, Access Restriction) to support developers to create more secure applications. An important point of this work is the differentiation of Third Party Libraries, because they are often treated like the main application by the system (e.g. Android Permission System). Most of these concepts are based on known vulnerabilities of existing systems and are used to protect applications.We applied these concepts to the Android system and implemented a toolchain to modify Android applications based on the developer’s preferences. We enforce these additional security functionalities by modifying the Dalvik byte-code of the application and can therefore modify the behaviour of Third Party Libraries, too. A developer only has to include our toolchain to his application and mark statements in the source code, because the modification steps are fully automated.