[PAST EVENT] Automatic Security Analysis of Smartphone Applications: Challenges and Opportunities

February 5, 2016
8am - 9am
McGlothlin-Street Hall, Room 020
251 Jamestown Rd
Williamsburg, VA 23185Map this location
8:00 AM, McGlothlin-Street Hall 020

Xusheng Xiao, NEC Laboratories America

Title: Automatic Security Analysis of Smartphone Applications: Challenges and Opportunities


The increasing popularity of smartphones has made them a target for malware. Smartphone application markets like Google Play and App Store employ protection mechanisms based on permissions, which have shown limited success due to three major challenges: (1) permissions show only what sensitive user information is used by the applications; (2) permissions used in benign and malicious behaviors are often the same; (3) permissions do not protect all types of sensitive user information, such as sensitive information entered through graphical user interfaces (GUI). In this talk, I will present my work on developing automated security analysis techniques to address these three major challenges. My techniques automatically analyze application behaviors from various types of artifacts, including app code, app descriptions, API documents, app meta-data, and graphical user interfaces (GUI). In particular, I will discuss information flow classification and WHYPER, two techniques that explain How and Why sensitive user information is used by the applications to help users make better decisions in permission granting. In addition, I will present AppContext, a program analysis technique that analyzes the context in which a security-sensitive behavior occurs to determine whether the behavior is malicious, and SUPOR, a static analysis technique that detects sensitive information entered by users through GUIs.


{{https://sites.google.com/site/xushengxiaoshome/, Xusheng Xiao}} is a researcher at NEC Laboratories America. He received his Ph.D. degree in Computer Science at North Carolina State University, working under the guidance of Prof. Tao Xie from University of Illinois at Urbana-Champaign and Prof. Laurie Williams from North Carolina State University. He was a visiting student in Computer Science department of the University of Illinois at Urbana-Champaign in 2013-2014. His research interests are in software engineering and computer security, with a focus on improving software quality via program analysis, software testing, and text analytics. His work in mobile security has been selected as one of the top ten finalists for CSAW Best Applied Security Paper Award 2015. He was awarded the ICSE SRC Best Project Representing an Innovative Use of Microsoft Technology at ACM SRC Grand Final 2012. His static analysis tool on mobile security is integrated into TouchDevelop developed by Microsoft Research and is granted a U.S. patent. His research has been presented at top-tier venues such as ICSE, FSE, ISSTA, ASE, USENIX Security, and VLDB. He did internships at Microsoft Research, IBM Research, and NEC Labs. His home page is at https://sites.google.com/site/xushengxiaoshome/