Software Analysis for Android: Infrastructure for Security, Verification, and Reliability

Iulian Neamtiu
University of California


Abstract

Users are increasingly relying on smartphones, hence concerns such as mobile app security, privacy, and correctness have become increasingly pressing. Software analysis has been successful in tackling many such concerns, albeit on other platforms, such as desktop and server. To fill this gap, my group has been developing infrastructural tools that permit a wide range of software analyses for the Android smartphone platform. Developing these tools has required surmounting many challenges unique to the smartphone platform: dealing with input non-determinism in sensor-oriented apps, non-standard control flow, low-overhead yet high-fidelity record-and-replay. Our tools can analyze substantial, widely-popular apps running directly on smartphones, and do not require access to the app's source code. I will begin by presenting three such tools we have developed for dynamic analysis, automatic exploration, and custom static analysis. Next, I will present two main applications of our infrastructure. First, Android security: finding deceitful practices in free apps, and Moving Target Defense for thwarting attacks. Second, Android verification and reliability techniques (automated test case generation, finding data loss bugs, failure detection and recovery) that have helped us find, reproduce, and recover from bugs in popular apps.