TY - GEN
T1 - Automatic uncovering of hidden behaviors from input validation in mobile apps
AU - Zhao, Qingchuan
AU - Zuo, Chaoshun
AU - Dolan-Gavitt, Brendan
AU - Pellegrino, Giancarlo
AU - Lin, Zhiqiang
PY - 2020
Y1 - 2020
N2 - Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior - the way the mobile apps process and respond to data entered by users - can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, INPUTSCOPE, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested INPUTSCOPE with over 150,000 mobile apps, including popular apps from major app stores and preinstalled apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets.
AB - Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior - the way the mobile apps process and respond to data entered by users - can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, INPUTSCOPE, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested INPUTSCOPE with over 150,000 mobile apps, including popular apps from major app stores and preinstalled apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets.
UR - https://www.scopus.com/pages/publications/85091586913
UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85091586913&origin=recordpage
U2 - 10.1109/SP40000.2020.00072
DO - 10.1109/SP40000.2020.00072
M3 - RGC 32 - Refereed conference paper (with host publication)
SN - 9781728134970
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1106
EP - 1120
BT - Proceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
PB - IEEE
T2 - 41st IEEE Symposium on Security and Privacy (SP 2020)
Y2 - 18 May 2020 through 21 May 2020
ER -