Smartphones, tablets, and other mobile devices are becoming an integral part of our daily lives. We entrust these devices with sensitive information about ourselves and we take them everywhere we go. Thus, it is very important to protect this information and keep the sensitive data secure. The Android platform, which is currently one of the most popular operating systems for mobile devices, already provides several security measures to protect this data and to prevent unauthorized access. However, it is still possible for applications to spy on the user, execute harmful code, or leak sensitive information. Besides detecting such malicious behavior, it is also important to assess the security of benign applications, especially for security-critical scenarios, such as password safes, or for Bring-Your-Own-Device (BYOD) scenarios in corporate environments.
Hence, powerful analysis tools are needed that can assess the functionality of applications and detect suspicious behavior, in order to mitigate the risks for users and to improve both application quality and security.
In this thesis, we present a new static Android application analysis framework, called Semdroid, which employs several different analysis plugins that are capable of assessing an application's functionality. The framework performs application preprocessing, manages all analysis plugins, and collects the analysis results. Moreover, we introduce a new static analysis approach, the Semantic Pattern Analysis, which is able to accurately determine and pinpoint application functionality. Feature vectors containing analysis-relevant information are extracted from the Android application packages, converted to so-called Semantic Patterns, and then classified using machine learning algorithms. Since the application's components are analyzed separately, the targeted functionality can be accurately pinpointed.
The implemented analysis plugins are able to detect custom cryptography, distinguishing between asymmetric- and symmetric-key cryptosystems, and to detect SMS functionality included in Android applications. Identifying cryptographic code can help to assess an application's security and can be used as a starting point for subsequent analysis processes. Detecting SMS capabilities helps to identify possible security threats, such as SMS spyware or remote-control functionality via SMS messages. All plugins have been thoroughly evaluated using both an automated and a manual, empirical evaluation process.
Semdroid can be used on a personal computer, or can be directly deployed onto an Android device for on-device analysis of installed applications.