Yuta Ishii
Yuta Takata
Tatsuya Mori
ABSTRACT
As an open platform, Android enables the introduction of a variety of third-party marketplaces in which developers can provide mo- bile apps that are not provided in the official marketplace. Since the initial release of Android OS in 2008, many third-party app marketplaces have been launched all over the world. e diversity of which leads us to the following research question: are these third- party marketplaces securely managed? is work aims to answer this question through a large-scale empirical study. We collected more than 4.7 million Android apps from 27 third-party market- places, including ones that had not previously been studied in the research community, and analyzed them to study their security measures. Based on the results, we also a empt to quantify the security index of these marketplaces.
- Adding licensing to your app | android developers. https://developer.android. com/google/play/licensing/adding-licensing.html.Google Scholar
- Alexa - actionable analytics for the web. http://www.alexa.com/.Google Scholar
- Android operating system statistics - appbrain. http://www.appbrain.com/stats/.Google Scholar
- apktool. https://code.google.com/p/android-apktool/.Google Scholar
- F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play. http://thenextweb.com/google/2014/03/04/fsecure-android-accounted-97-mobile-malware-2013-0-1-google-play/.Google Scholar
- Fake apps: Feigning legitimacy. http://www.trendmicro.com/cloud-content/us/ pdfs/security-intelligence/white-papers/wp-fake-apps.pdf.Google Scholar
- jadx. https://github.com/skylot/jadx.Google Scholar
- smali. https://code.google.com/p/smali/.Google Scholar
- Supported locations for distribution to google play users. https://support.google. com/googleplay/android-developer/table/3541286.Google Scholar
- Virustotal. https://www.virustotal.com/.Google Scholar
- K. Allix, T. F. Bissyandé, J. Klein, and Y. Le Traon. Androzoo: collecting millions of android apps for the research community. In Proceedings of the 13th International Workshop on Mining Software Repositories, pages 468–471. ACM, 2016. Google ScholarDigital Library
- Y. Ishii, T. Watanabe, M. Akiyama, and T. Mori. Clone or relative?: Understanding the origins of similar android apps. In Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics, pages 25–32. ACM, 2016. Google ScholarDigital Library
- M. Lindorfer, S. Volanis, A. Sisto, M. Neugschwandtner, E. Athanasopoulos, F. Maggi, C. Platzer, S. Zanero, and S. Ioannidis. Andradar: fast discovery of android applications in alternative markets. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 51–71. Springer, 2014. Google ScholarCross Ref
- Y. Shao, X. Luo, C. Qian, P. Zhu, and L. Zhang. Towards a scalable resource-driven approach for detecting repackaged android applications. In Proceedings of the 30th Annual Computer Security Applications Conference, pages 56–65. ACM, 2014. Google ScholarDigital Library
- T. Vidas and N. Christin. Sweetening android lemon markets: measuring and combating malware in application marketplaces. In Proceedings of the third ACM conference on Data and application security and privacy, pages 197–208. ACM, 2013. Google ScholarDigital Library
- N. Viennot, E. Garcia, and J. Nieh. A measurement study of google play. Proc. of ACM SIGMETRICS 2014, June 2014. Google ScholarDigital Library
- T. Watanabe, M. Akiyama, F. Kanei, E. Shioji, Y. Takata, B. Sun, Y. Ishii, T. Shibahara, T. Yagi, and T. Mori. Understanding the Origins of Mobile App Vulnerabilities: A Large-scale Measurement Study of Free and Paid Apps. In Proceedings of IEEE/ACM 14th International Conference on Mining Software Repositories (MSR 2017), July 2017. Google ScholarDigital Library
- Zhauniarovich, Yury, Gadyatskaya, Olga, Crispo, Bruno, L. Spina, Francesco, Moser, and Ermanno. Fsquadra: Fast detection of repackaged applications. Proc. of IFIP DBSec ’14, pages 131–146, 2014.Google Scholar
- W. Zhou, Y. Zhou, M. Grace, X. Jiang, and S. Zou. Fast, scalable detection of "piggybacked" mobile applications. In Proc. of the third ACM CODASPY 2013, pages 185–196.Google Scholar
- W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting repackaged smartphone applications in third-party android marketplaces. In Proc. of the second ACM CODASPY 2012, pages 317–326. Google ScholarDigital Library
- Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In 2012 IEEE Symposium on Security and Privacy, pages 95–109. IEEE, 2012. Google ScholarDigital Library
Index Terms
- Understanding the security management of global third-party Android marketplaces
Recommendations
Reliable Third-Party Library Detection in Android and its Security Applications
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityThird-party libraries on Android have been shown to be security and privacy hazards by adding security vulnerabilities to their host apps or by misusing inherited access rights. Correctly attributing improper app behavior either to app or library ...
Detecting repackaged smartphone applications in third-party android marketplaces
CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and PrivacyRecent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized ...
Hybrid User-level Sandboxing of Third-party Android Apps
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications SecurityUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require ...
Comments