Automatic uncovering of hidden behaviors from input validation in mobile apps

Qingchuan Zhao, Chaoshun Zuo, Brendan Dolan-Gavitt, Giancarlo Pellegrino, Zhiqiang Lin

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior - the way the mobile apps process and respond to data entered by users - can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, InputScope, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested InputScope with over 150,000 mobile apps, including popular apps from major app stores and preinstalled apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets.

    Original languageEnglish (US)
    Title of host publicationProceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages1106-1120
    Number of pages15
    ISBN (Electronic)9781728134970
    DOIs
    StatePublished - May 2020
    Event41st IEEE Symposium on Security and Privacy, SP 2020 - San Francisco, United States
    Duration: May 18 2020May 21 2020

    Publication series

    NameProceedings - IEEE Symposium on Security and Privacy
    Volume2020-May
    ISSN (Print)1081-6011

    Conference

    Conference41st IEEE Symposium on Security and Privacy, SP 2020
    Country/TerritoryUnited States
    CitySan Francisco
    Period5/18/205/21/20

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications

    Fingerprint

    Dive into the research topics of 'Automatic uncovering of hidden behaviors from input validation in mobile apps'. Together they form a unique fingerprint.

    Cite this