On the effectiveness of API-level access control using bytecode rewriting in Android

Hao Hao; Vicky Singh; Wenliang Du

doi:10.1145/2484313.2484317

On the effectiveness of API-level access control using bytecode rewriting in Android

Hao Hao, Vicky Singh, Wenliang Du

Department of Electrical Engineering & Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

41 Scopus citations

Abstract

Bytecode rewriting on Android applications has been widely adopted to implement fine-grained access control. It endows more flexibility and convenience without modifying the Android platform. Bytecode rewriting uses static analysis to identify the usage of security-sensitive API methods, before it instruments the bytecode to control the access to these API calls. Due to the significance of this technique, the effectiveness of its performance in providing fine-grained access control is crucial. We have provided a systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on Android Operating System. In our evaluation, we have identified a number of potential attacks targeted at incomplete implementations of bytecode rewriting on Android OS, which can be applied to bypass access control imposed by bytecode rewriter. These attacks can either bypass the API-level access control or make such access control difficult to implement, exposing weak links in the bytecode rewriting process. Recommendations on engineering secure bytecode rewriting tools are presented based on the identified attacks. This work is the first systematic study on the effectiveness of using bytecode rewriting for API-level access control.

Original language	English (US)
Title of host publication	ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security
Pages	25-36
Number of pages	12
DOIs	https://doi.org/10.1145/2484313.2484317
State	Published - May 27 2013
Event	8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013 - Hangzhou, China Duration: May 8 2013 → May 10 2013

Publication series

Name	ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

Other

Other	8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013
Country	China
City	Hangzhou
Period	5/8/13 → 5/10/13

Keywords

Android
access control
bytecode rewriting

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems

Access to Document

10.1145/2484313.2484317

Fingerprint Dive into the research topics of 'On the effectiveness of API-level access control using bytecode rewriting in Android'. Together they form a unique fingerprint.

Cite this

Hao, H., Singh, V., & Du, W. (2013). On the effectiveness of API-level access control using bytecode rewriting in Android. In ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (pp. 25-36). (ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security). https://doi.org/10.1145/2484313.2484317

On the effectiveness of API-level access control using bytecode rewriting in Android. / Hao, Hao; Singh, Vicky; Du, Wenliang.

ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 2013. p. 25-36 (ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Hao, H, Singh, V & Du, W 2013, On the effectiveness of API-level access control using bytecode rewriting in Android. in ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 25-36, 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013, Hangzhou, China, 5/8/13. https://doi.org/10.1145/2484313.2484317

Hao H, Singh V, Du W. On the effectiveness of API-level access control using bytecode rewriting in Android. In ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 2013. p. 25-36. (ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security). https://doi.org/10.1145/2484313.2484317

Hao, Hao ; Singh, Vicky ; Du, Wenliang. / On the effectiveness of API-level access control using bytecode rewriting in Android. ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 2013. pp. 25-36 (ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security).

@inproceedings{f95a1dce0c4b43f0b0097cd6c3dd2880,

title = "On the effectiveness of API-level access control using bytecode rewriting in Android",

abstract = "Bytecode rewriting on Android applications has been widely adopted to implement fine-grained access control. It endows more flexibility and convenience without modifying the Android platform. Bytecode rewriting uses static analysis to identify the usage of security-sensitive API methods, before it instruments the bytecode to control the access to these API calls. Due to the significance of this technique, the effectiveness of its performance in providing fine-grained access control is crucial. We have provided a systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on Android Operating System. In our evaluation, we have identified a number of potential attacks targeted at incomplete implementations of bytecode rewriting on Android OS, which can be applied to bypass access control imposed by bytecode rewriter. These attacks can either bypass the API-level access control or make such access control difficult to implement, exposing weak links in the bytecode rewriting process. Recommendations on engineering secure bytecode rewriting tools are presented based on the identified attacks. This work is the first systematic study on the effectiveness of using bytecode rewriting for API-level access control.",

keywords = "Android, access control, bytecode rewriting",

author = "Hao Hao and Vicky Singh and Wenliang Du",

year = "2013",

month = may,

day = "27",

doi = "10.1145/2484313.2484317",

language = "English (US)",

isbn = "9781450317672",

series = "ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security",

pages = "25--36",

booktitle = "ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security",

note = "8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013 ; Conference date: 08-05-2013 Through 10-05-2013",

}

TY - GEN

T1 - On the effectiveness of API-level access control using bytecode rewriting in Android

AU - Hao, Hao

AU - Singh, Vicky

AU - Du, Wenliang

PY - 2013/5/27

Y1 - 2013/5/27

N2 - Bytecode rewriting on Android applications has been widely adopted to implement fine-grained access control. It endows more flexibility and convenience without modifying the Android platform. Bytecode rewriting uses static analysis to identify the usage of security-sensitive API methods, before it instruments the bytecode to control the access to these API calls. Due to the significance of this technique, the effectiveness of its performance in providing fine-grained access control is crucial. We have provided a systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on Android Operating System. In our evaluation, we have identified a number of potential attacks targeted at incomplete implementations of bytecode rewriting on Android OS, which can be applied to bypass access control imposed by bytecode rewriter. These attacks can either bypass the API-level access control or make such access control difficult to implement, exposing weak links in the bytecode rewriting process. Recommendations on engineering secure bytecode rewriting tools are presented based on the identified attacks. This work is the first systematic study on the effectiveness of using bytecode rewriting for API-level access control.

AB - Bytecode rewriting on Android applications has been widely adopted to implement fine-grained access control. It endows more flexibility and convenience without modifying the Android platform. Bytecode rewriting uses static analysis to identify the usage of security-sensitive API methods, before it instruments the bytecode to control the access to these API calls. Due to the significance of this technique, the effectiveness of its performance in providing fine-grained access control is crucial. We have provided a systematic evaluation to assess the effectiveness of API-level access control using bytecode rewriting on Android Operating System. In our evaluation, we have identified a number of potential attacks targeted at incomplete implementations of bytecode rewriting on Android OS, which can be applied to bypass access control imposed by bytecode rewriter. These attacks can either bypass the API-level access control or make such access control difficult to implement, exposing weak links in the bytecode rewriting process. Recommendations on engineering secure bytecode rewriting tools are presented based on the identified attacks. This work is the first systematic study on the effectiveness of using bytecode rewriting for API-level access control.

KW - Android

KW - access control

KW - bytecode rewriting

UR - http://www.scopus.com/inward/record.url?scp=84877944138&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84877944138&partnerID=8YFLogxK

U2 - 10.1145/2484313.2484317

DO - 10.1145/2484313.2484317

M3 - Conference contribution

AN - SCOPUS:84877944138

SN - 9781450317672

T3 - ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

SP - 25

EP - 36

BT - ASIA CCS 2013 - Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

T2 - 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013

Y2 - 8 May 2013 through 10 May 2013

ER -