TY - GEN
T1 - Automatic uncovering of hidden behaviors from input validation in mobile apps
AU - Zhao, Qingchuan
AU - Zuo, Chaoshun
AU - Dolan-Gavitt, Brendan
AU - Pellegrino, Giancarlo
AU - Lin, Zhiqiang
N1 - Funding Information:
This research was supported in part by National Science Foundation (NSF) Awards 1657199, 1834215, and by the German Federal Ministry of Education and Research (BMBF) through funding for the CISPA-Stanford Center for Cybersecurity (FKZ: 13N1S0762). Any opinions, findings, conclusions, or recommendations expressed are those of the authors and not necessarily of the BMBF and NSF.
Publisher Copyright:
© 2020 IEEE.
PY - 2020/5
Y1 - 2020/5
N2 - Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior - the way the mobile apps process and respond to data entered by users - can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, InputScope, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested InputScope with over 150,000 mobile apps, including popular apps from major app stores and preinstalled apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets.
AB - Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior - the way the mobile apps process and respond to data entered by users - can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, InputScope, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested InputScope with over 150,000 mobile apps, including popular apps from major app stores and preinstalled apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets.
UR - http://www.scopus.com/inward/record.url?scp=85091586913&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091586913&partnerID=8YFLogxK
U2 - 10.1109/SP40000.2020.00072
DO - 10.1109/SP40000.2020.00072
M3 - Conference contribution
AN - SCOPUS:85091586913
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1106
EP - 1120
BT - Proceedings - 2020 IEEE Symposium on Security and Privacy, SP 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 41st IEEE Symposium on Security and Privacy, SP 2020
Y2 - 18 May 2020 through 21 May 2020
ER -
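The abstract's central observation is that code which compares user-controlled input against hardcoded constants is a strong signal for undisclosed behaviour: an equality check against a single secret looks like a backdoor (master password, activation code), while substring or membership checks against a set of literals look like a blacklist. The script below is an added illustration of that idea, written for this record; it is not the InputScope tool and does not reproduce the paper's analysis. It runs a deliberately simple textual taint pass over constructed, decompiled-Java-style lines: variables assigned from assumed input sources (`getText().toString()`, `getStringExtra(`, `getQueryParameter(`) are treated as user input, taint follows plain assignments, and any comparison of a tainted variable with a string literal, or a membership test in a list built from literals, is reported with the constant involved and the input source it came from. All source patterns, variable names and sample lines are assumptions made for the example.

```python
"""Added example: flag comparisons of user-controlled input against hardcoded
constants in decompiled-Java-like text. Not the InputScope tool; the input
source patterns and sample code below are constructed for illustration."""
import re
from dataclasses import dataclass

# Assumed Android input sources (where user-controlled strings enter the code).
INPUT_SOURCES = (".getText().toString()", "getStringExtra(", "getQueryParameter(")

ASSIGN_RE = re.compile(r'^\s*(?:\w[\w<>\[\]]*\s+)*(\w+)\s*=\s*(.+?);\s*$')
LIST_RE = re.compile(r'Arrays\.asList\(([^)]*)\)')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# var.equals("lit"), var.contains("lit"), ... with a single string-literal argument
CMP_RE = re.compile(r'(\w+)\.(equalsIgnoreCase|equals|contains|matches|startsWith)'
                    r'\(("(?:[^"\\]|\\.)*")\)')
# literalList.contains(var)
COLL_RE = re.compile(r'(\w+)\.contains\((\w+)\)')


@dataclass
class Finding:
    line_no: int
    kind: str          # "backdoor" (exact match on one secret) or "blacklist"
    variable: str
    constants: tuple   # hardcoded values the input is compared against
    source: str        # which input source the variable was derived from


def _string_consts(expr):
    return tuple(m.group(1) for m in STR_RE.finditer(expr))


def scan(lines):
    """Return Findings for every comparison of tainted input with literals."""
    tainted = {}        # variable name -> input source it was derived from
    literal_lists = {}  # variable name -> tuple of literals in Arrays.asList(...)
    findings = []
    for n, line in enumerate(lines, 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            src = next((s for s in INPUT_SOURCES if s in rhs), None)
            if src:
                tainted[var] = src
            else:
                # propagate taint through e.g. q = raw.trim().toLowerCase()
                for tv, tsrc in tainted.items():
                    if re.search(r'\b%s\b' % re.escape(tv), rhs):
                        tainted[var] = tsrc
                        break
                lm = LIST_RE.search(rhs)
                if lm:
                    literal_lists[var] = _string_consts(lm.group(1))
        for cm in CMP_RE.finditer(line):
            var, method, arg = cm.groups()
            if var in tainted:
                kind = "backdoor" if method.startswith("equals") else "blacklist"
                findings.append(Finding(n, kind, var, _string_consts(arg), tainted[var]))
        for cm in COLL_RE.finditer(line):
            coll, var = cm.groups()
            if coll in literal_lists and var in tainted:
                findings.append(Finding(n, "blacklist", var, literal_lists[coll], tainted[var]))
    return findings


# Constructed sample resembling decompiled app code (not from any real app).
SAMPLE_DECOMPILED = [
    'String pw = passwordField.getText().toString();',
    'if (pw.equals("z3r0d4y")) { grantAdmin(); }',
    'String q = searchBox.getText().toString().trim().toLowerCase();',
    'List<String> BLOCKED = Arrays.asList("protest", "uncensored");',
    'if (BLOCKED.contains(q)) { return; }',
    'String code = intent.getStringExtra("promo");',
    'if (code.equalsIgnoreCase("VIP2020")) { unlockAll(); }',
    'String msg = composer.getText().toString();',
    'if (msg.contains("leaked")) { drop(); }',
    'String name = prefs.getString("name", "");',   # not user input: no report
    'if (name.equals("admin")) { audit(); }',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_DECOMPILED):
        print(f"line {f.line_no}: {f.kind:9} {f.variable} <- {f.source} "
              f"compared with {f.constants}")
```

The last two sample lines show the point of tracking the execution context: the same `equals("admin")` check is not reported when the compared value comes from preferences rather than from the user, which is what separates an interesting secret from ordinary configuration handling. A real analysis works on bytecode with proper data-flow tracking; this textual version exists only to make the classification concrete.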