Implementation of a web-based service for mobile application risk assessment

The Android operating system has grown in popularity and continues to increase its share of the smartphone market. Users carry out daily tasks such as paying bills, socializing, and sharing photos through mobile applications. These applications have access to sensitive information about the user, such as location, contacts, call logs, and SMS messages. However, users have no knowledge of the applications or of the personal information these applications have access to. Even if an application is not malware and does not behave maliciously, it can compromise the security and privacy of the user by exercising its permissions and gathering sensitive personal information. In this study, we have designed and implemented a prototype of a novel fuzzy risk inference system that serves as a web-based service. The system analyzes the risks related to Android-based mobile applications and performs risk scoring by taking several features into account. It presents the user with the risks of exposure before an application is installed on the user's device and serves as an intelligent decision support system.
