
Security Analysis For Android Applications By Identifying Sensitive Routes

Posted on: 2017-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: X C Miao
Full Text: PDF
GTID: 2308330485461833
Subject: Computer technology
Abstract/Summary:
With improvements in mobile phone hardware and in the quality of mobile networks, cell phones have become widely used in daily life. The high penetration rate of mobile phones has made the mobile application market prosperous, which has also brought a large number of malicious applications. Android is the dominant mobile operating system. Compared with iOS, Android is more open and has many third-party markets whose audit mechanisms are not rigorous. Therefore, there is more malware on the Android platform, and malware detection on Android has become a hot topic of current research.

There are four malware detection methods for Android applications: signature-based methods, static analysis, dynamic analysis and machine learning methods. The signature-based approach is the traditional method and requires a library of recorded malware signatures. Static analysis has high coverage, but it cannot handle dynamic loading techniques. Dynamic analysis costs too much time and has a lower coverage rate of execution paths. The results of machine learning methods depend on the applications selected for the data set. Because of these shortcomings, combining these basic methods to detect malware is the current research trend. In this paper, we propose Android security analysis by identifying sensitive routes, which combines static analysis and machine learning methods, with sensitive routes selected as features. The main contributions of this paper are as follows:

Firstly, since malicious behavior in malware has trigger conditions, we propose the concept of the sensitive route. A sensitive route consists of a sensitive activation and a sensitive behavior. In this paper, sensitive behavior refers to API functions that require a permission check and to dynamic loading functions. Sensitive activation is the action that triggers the sensitive behavior. If there are UI-related functions in the execution path that contains the sensitive behavior, the UI function triggering the sensitive behavior is considered the sensitive activation; if not, the entry point of the execution path is considered the sensitive activation. A sensitive route thus shows which sensitive activation triggers the sensitive behavior.

Secondly, since there are many inter-component call relations in Android applications, we propose a method to generate an inter-component call graph from APK files. We use the tool FlowDroid to generate the call graph of the app. Using the Intent Filters in the manifest file, we analyze the Intents in the program to obtain the inter-component communications, which helps us construct the inter-component call graph.

Thirdly, since sensitive routes cannot be applied directly as features, we propose a method to abstract the sensitive route. We divide sensitive activation into three types: hardware activation, user activation, and system activation. At the same time, we divide sensitive behavior according to the permission that needs to be checked when the API function is executed. After pre-processing the sensitive route information, we build the app feature matrix according to whether the app contains each sensitive route.

Finally, we collected 493 application APK files from markets and data sets such as Google Play, Wandoujia and Drebin to construct the data set. We experimented on the data set and posed three research questions. The experimental results show that: the accuracy of the method is higher when compared with the traditional method; describing sensitive routes at a higher sensitivity level increases the efficiency of the method while decreasing its accuracy; and APK file size has some effect on the experimental results.
Keywords/Search Tags: Android malware, sensitive route, inter-component communication, feature abstract
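
The sensitive-route rule and the feature abstraction described in the abstract, as an added Python example that is not code from the thesis. The call graph, the UI-function set, the activation-type mapping and the DYNAMIC_LOAD label are constructed for illustration, and choosing the UI function nearest the sensitive call is an assumption.

```python
from itertools import product

# Constructed toy call graph (caller -> callees); all names are illustrative.
CALL_GRAPH = {
    "MainActivity.onCreate": ["ConsentDialog.onClick"],
    "ConsentDialog.onClick": ["LocationManager.getLastKnownLocation"],
    "BootReceiver.onReceive": ["Updater.fetch"],
    "Updater.fetch": ["DexClassLoader.loadClass"],
    "ShakeListener.onSensorChanged": ["SmsManager.sendTextMessage"],
}
ENTRY_POINTS = ["MainActivity.onCreate", "BootReceiver.onReceive",
                "ShakeListener.onSensorChanged"]
UI_FUNCTIONS = {"ConsentDialog.onClick"}
# Sensitive behaviour -> abstract label (checked permission, or dynamic loading).
SENSITIVE = {
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "SmsManager.sendTextMessage": "SEND_SMS",
    "DexClassLoader.loadClass": "DYNAMIC_LOAD",
}
# Assumed mapping of concrete activations onto the three abstract types.
ACTIVATION_TYPE = {"ConsentDialog.onClick": "user",
                   "BootReceiver.onReceive": "system",
                   "ShakeListener.onSensorChanged": "hardware"}
COLUMNS = list(product(["hardware", "system", "user"], sorted(set(SENSITIVE.values()))))

def paths_to_sensitive(graph, entry):
    """Yield each acyclic call path from entry that ends at a sensitive behaviour."""
    stack = [[entry]]
    while stack:
        path = stack.pop()
        if path[-1] in SENSITIVE:
            yield path
            continue
        stack.extend(path + [c] for c in graph.get(path[-1], []) if c not in path)

def sensitive_routes(graph, entries):
    """Return {(sensitive activation, sensitive behaviour)} for one app."""
    routes = set()
    for entry in entries:
        for path in paths_to_sensitive(graph, entry):
            ui = [n for n in path if n in UI_FUNCTIONS]
            # A UI function on the path is the activation; else the entry point.
            routes.add((ui[-1] if ui else path[0], path[-1]))
    return routes

def feature_row(routes):
    """One 0/1 row of the app feature matrix over abstracted routes."""
    present = {(ACTIVATION_TYPE[a], SENSITIVE[b]) for a, b in routes}
    return [int(col in present) for col in COLUMNS]
```

Stacking one such row per APK gives the app feature matrix that the machine learning step consumes.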