Opposites Attract -- Static analysis on mobile apps for security and privacy

Manuel Egele - systems scientist at Carnegie Mellon University, CyLab
Digital Security

Date: -
Location: Eurecom

Mobile devices are ubiquitous. Apple has sold more than 400 million iOS devices to date, and it has been reported that more than 500 million Android-based devices are in customers' hands. These devices open exciting new avenues of innovation, such as location-based services and mobile payment. Of course, the user has a legitimate desire to keep the privacy-sensitive data maintained and collected by these smart devices safe and secure. Unfortunately, mobile devices frequently expose such information to prying third-party applications (apps).

In this talk, I will demonstrate how novel static analysis techniques can be used to automatically assess whether apps adhere to the user's expectation of privacy. My binary static analysis platform (PiOS) can evaluate many different security properties of iOS applications. For example, PiOS automatically detected numerous popular applications that leak privacy-sensitive data, such as address book contents or location information, over the Internet. Furthermore, based on PiOS, we were also able to retrofit iOS applications with control-flow integrity protection.

Android recently surpassed Apple as the most popular smartphone operating system. In this talk, I will also cover my research on leveraging static analysis techniques to detect misuse of cryptographic primitives in Android apps.