Finish: Jan. 2018
Thesis Title: A Model Driven Reverse Engineering Approach for Evaluating the Implemented Access Control Policies
Supervisor: Dr. Bahman Zamani
Advisor: Dr. Behrouz Tork Ladani
Current Position: Ph.D. Candidate at University of Isfahan
Atefeh Nirumand received her B.Sc. from University of Isfahan, Isfahan, Iran, in 2015, and her M.Sc. from University of Isfahan, Isfahan, Iran, in 2017, both in Computer Engineering (Software). Her research interests include Model-Driven Software Engineering (MDSE), Model Driven Reverse Engineering (MDRE), and security analysis of Android applications. She is a member of the Model-Driven Software Engineering Research Group (MDSERG) at University of Isfahan.
Android, as a free and open-source platform, is used extensively worldwide by mobile application developers. Android applications can be easily downloaded or accessed via several Android marketplaces. Since mobile phones are used to store personal and sensitive information, a high level of privacy and security is needed. Android provides a message-passing system for communication within and between applications. To secure the device and prevent attacks, the Android message-passing system must be used appropriately and its possible weaknesses must be identified. One of the security vulnerabilities in the context of user privacy is unauthorized access to sensitive data. In this case, a malicious application may take advantage of security holes in an application, or may deceive the user into granting excessive access, which exposes information and sensitive resources. Therefore, the risks associated with the Android message-passing system should be evaluated to detect unsafe operations and potential vulnerabilities.
To achieve this goal, an approach based on Model Driven Reverse Engineering (MDRE) is presented that identifies security risks and vulnerabilities related to Android application communication. MDRE represents systems as models, which makes them easier to comprehend. By building directly on MDE technology, security information is discovered and displayed at a higher level of abstraction. The proposed approach identifies vulnerabilities in the context of Inter-Component Communication (ICC). In this approach, the security information included in an Android app is collected by extracting the app as several models. This information is then unified and integrated into a domain-specific model by means of model transformations. Based on this model, operations such as queries can later be applied to analyze and manage the security configurations and to identify vulnerabilities in the corresponding application. The proposed approach is implemented as an Eclipse-based tool called VAnDroid, which stands for “Vulnerability Analysis of Android Applications”. To evaluate the approach, the VAnDroid tool has been applied to several real-world Android applications. In this evaluation, 20 apps from Google Play and 110 apps from the F-Droid repository were selected, and three features (usability, scalability, and correctness) were evaluated. VAnDroid is also compared with several existing analysis tools. The results indicate that the proposed approach is superior to existing tools. Specifically, high scalability, usability, and accuracy in discovering vulnerabilities are the key advantages of this tool.
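The extract-then-query idea described above, as an added Python sketch that is not VAnDroid's code (the tool itself is Eclipse-based and uses ATL rules and OCL queries). The `Component` model, the function names, the sample manifest, and the specific check (exported components with no permission guard) are assumptions chosen for illustration, not the tool's actual rule set.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.demo.ADMIN"/>
    <provider android:name=".NotesProvider" android:exported="false"/>
  </application>
</manifest>"""

@dataclass
class Component:  # hypothetical minimal "domain model" element
    kind: str
    name: str
    exported: bool
    permission: Optional[str]
    actions: List[str]

def extract_model(manifest_xml: str) -> List[Component]:
    """Extraction step: manifest XML -> flat list of Component objects."""
    root = ET.fromstring(manifest_xml)
    model = []
    for tag in COMPONENT_TAGS:
        for el in root.iter(tag):
            actions = [a.get(ANDROID_NS + "name") for a in el.iter("action")]
            flag = el.get(ANDROID_NS + "exported")
            # Explicit attribute wins; otherwise apply the legacy default
            # (a component with an intent filter is exported).
            exported = flag == "true" if flag is not None else bool(actions)
            model.append(Component(tag, el.get(ANDROID_NS + "name"), exported,
                                   el.get(ANDROID_NS + "permission"), actions))
    return model

def unprotected_exported(model: List[Component]) -> List[Component]:
    """Query step: components other apps can reach with no permission guard.
    The launcher entry point (MAIN action) is skipped as expected exposure."""
    return [c for c in model if c.exported and c.permission is None
            and "android.intent.action.MAIN" not in c.actions]

if __name__ == "__main__":
    for c in unprotected_exported(extract_model(SAMPLE_MANIFEST)):
        print(f"{c.kind} {c.name}: exported without permission, actions={c.actions}")
```

On the constructed manifest the query reports only `.SyncService`, which is exported implicitly through its intent filter; that implicit case is easy to miss when reading a manifest by hand.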
Papers in English
- VAnDroid: A framework for vulnerability analysis of Android applications using a model‐driven reverse engineering technique
- ATL rules and OCL queries implemented in VAnDroid
- The evaluation results of VAnDroid for the selected apps from Google Play and F-Droid