Volume 14, Issue 3 (12-2017)   JSDP 2017, 14(3): 23-36




Abstract:

Smartphones and tablets are now in widespread use because of the many capabilities they offer end users. On these devices, a wide range of services and sensitive information, including private personal data, the contact list, geolocation, sending and receiving messages, and access to social networks, is exposed through numerous application programs. This breadth of access makes privacy and security issues more critical, and traditional security mechanisms such as biometric authentication, data encryption, and access control are not adequate on their own: the danger of installing and using malware must also be taken into account if end users are to be protected in practice. Installing new and unknown applications on these devices may introduce security threats. Modern smartphones and tablets run powerful operating systems in which application security rests on application permissions; Android and BlackBerry are two examples of operating systems that reduce the attack surface in this way. In these systems, since other intrusion paths are largely closed, an attacker who wants to perform malicious activity must deceive the user into installing a malicious app. Recent statistics show that Android is the most popular of these operating systems. To install an app, Android requires the user to grant the privileges the app requests as permissions. A very large number of applications (apps) have been developed for this operating system, each requesting different permissions according to its functionality and the services it provides. Measuring the security risk of an application can therefore help users make better decisions about installing or removing apps. Some research already exists on enhancing the Android security model and its security-risk communication mechanism.
In this operating system, the security risk of an application can be computed from the permissions it requests. In this study a new software tool is designed and implemented to measure the security risk of mobile applications. The tool uses a new metric to compute risk values, which draws on statistics of permission usage in known malware and known goodware; the same approach can be extended to other static and dynamic features of Android apps. We also give a sharper definition of permission criticality, intended to help users decide whether to install a new app or remove an already installed one. Specifically, the formulation assigns higher risk values to permissions that are used heavily by malware and rarely by benign apps: the security risk of a permission is a direct function of the difference between its usage frequency in malicious and in non-malicious apps. The idea is simple but produces interesting results. Given risk values for individual permissions, the risk of an Android app is computed from its permission list. Because the risk values are derived from simple statistics over known malware and legitimate Android apps, they are easy to explain: users can be warned about the danger of approving a risky permission, and can make a reasonable decision based on an app's total risk score, which is computed directly from the risks of its requested permissions. To derive the metric we analyzed the requested permissions of a large number of malicious and ordinary applications, and for a realistic evaluation we constructed two new datasets: one of applications from an Iranian market and one of recent malware.
Experimental evaluation on real, known malware and benign apps shows that the proposed criterion outperforms the previously proposed method, assigning higher risk values to malware and lower risk values to benign applications.
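The following Python is an added example, not the tool or the formula from the paper. The abstract states only that a permission's risk rises with its usage in known malware and falls with its usage in benign apps, so the example assumes one concrete instance of that idea, risk(p) = max(0, f_mal(p) - f_ben(p)) where f_mal and f_ben are the fractions of malware and benign apps requesting p, and scores an app as the sum over its requested permissions. The two corpora, the sample manifest, and every function name are constructed here for illustration; the paper's own datasets and formulation are not reproduced.

```python
"""Permission-usage risk scoring: an illustrative instance of a
frequency-difference metric (added example; not the paper's tool).

Assumed formulation:
    risk(p)   = max(0, f_mal(p) - f_ben(p))
    risk(app) = sum(risk(p) for p in app.requested_permissions)
The clamp at zero is an assumption: permissions that are more common in
benign apps than in malware simply contribute nothing.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterable, List, Mapping, Sequence, Tuple

# Constructed toy corpora (not real datasets). Each entry is one app's
# requested-permission list, short names as in android.permission.<NAME>.
MALWARE: List[List[str]] = [
    ["INTERNET", "SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"],
    ["INTERNET", "SEND_SMS", "READ_PHONE_STATE", "READ_CONTACTS"],
    ["INTERNET", "SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE"],
    ["INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED", "ACCESS_FINE_LOCATION"],
]
BENIGN: List[List[str]] = [
    ["INTERNET", "ACCESS_NETWORK_STATE"],
    ["INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_FINE_LOCATION"],
    ["INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"],
    ["INTERNET", "ACCESS_NETWORK_STATE", "READ_CONTACTS"],
    ["VIBRATE", "WRITE_EXTERNAL_STORAGE"],
]

# Constructed AndroidManifest.xml fragment for an app to be scored.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def permissions_from_manifest(xml_text: str) -> List[str]:
    """Extract <uses-permission android:name=...> entries as short names."""
    root = ET.fromstring(xml_text)
    names = []
    for el in root.iter("uses-permission"):
        full = el.get("{%s}name" % ANDROID_NS)
        if full:
            names.append(full.rsplit(".", 1)[-1])  # android.permission.X -> X
    return names


def usage_frequency(apps: Sequence[Sequence[str]]) -> Dict[str, float]:
    """Fraction of apps in the corpus that request each permission (0..1)."""
    counts = Counter(p for app in apps for p in set(app))  # count once per app
    n = len(apps)
    return {p: c / n for p, c in counts.items()}


def permission_risks(malware: Sequence[Sequence[str]],
                     benign: Sequence[Sequence[str]]) -> Dict[str, float]:
    """risk(p) = max(0, f_mal(p) - f_ben(p)) over every permission seen."""
    f_mal = usage_frequency(malware)
    f_ben = usage_frequency(benign)
    return {p: max(0.0, f_mal.get(p, 0.0) - f_ben.get(p, 0.0))
            for p in set(f_mal) | set(f_ben)}


def app_risk(requested: Iterable[str], risks: Mapping[str, float]) -> float:
    """Total risk of an app: sum of its permissions' risk values.
    Permissions never seen in either corpus contribute 0 (assumption)."""
    return sum(risks.get(p, 0.0) for p in set(requested))


def explain(requested: Iterable[str], risks: Mapping[str, float],
            top: int = 3) -> List[Tuple[str, float]]:
    """Per-permission contributions, largest first, so a user can see which
    requested permission drives the score (the explainability argued for)."""
    contrib = {p: risks.get(p, 0.0) for p in set(requested)}
    return sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    risks = permission_risks(MALWARE, BENIGN)
    for p, r in sorted(risks.items(), key=lambda kv: kv[1], reverse=True):
        print("%-24s %.2f" % (p, r))
    perms = permissions_from_manifest(SAMPLE_MANIFEST)
    print("sample app requests:", perms)
    print("sample app risk: %.2f" % app_risk(perms, risks))
    print("top contributors:", explain(perms, risks, top=2))
```

A metric of this shape is only as good as the two corpora behind it: a permission that happens to be over-requested by the benign training set is scored down regardless of what it can actually do, and a malicious app that keeps its permission footprint small scores low, so in practice the score is a triage signal rather than a verdict.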

Type of Study: Research | Subject: Paper
Received: 2015/12/30 | Accepted: 2017/03/05 | Published: 2018/01/29 | ePublished: 2018/01/29


Rights and permissions
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.