Static analysis on mobile applications for security and privacy

Lecture / Panel
For NYU Community

Speaker: Manuel Egele, CMU


Mobile devices are ubiquitous. Apple has sold more than 400 million iOS devices to date, and it has been reported that more than 500 million Android-based devices are in customers' hands. These devices open exciting new avenues of innovation, such as location-based services and mobile payment. Of course, the user has a legitimate desire to keep the privacy-sensitive data that is managed by these smart devices safe and secure. Unfortunately, mobile devices frequently expose such information to prying third-party applications (apps). In this talk, I will demonstrate how novel static analysis techniques can be used to automatically assess whether apps adhere to the user's expectation of privacy. My binary static analysis platform (PiOS) evaluates different security properties on iOS applications. For example, PiOS automatically detected numerous popular applications that leak privacy-sensitive data, such as address book contents or location information, over the Internet.

Android has surpassed iOS as the most popular smartphone operating system. In this talk, I will also present CryptoLint -- a fully automated static analysis system that detects the misuse of cryptographic primitives in Android applications. An extensive evaluation of over 11,000 applications from Google's Play store indicates that 88% of these applications misuse cryptographic primitives.


Manuel Egele is a systems scientist at Carnegie Mellon University's CyLab. Before starting at CMU, he was a post-doctoral researcher at the Computer Security Group of the Department of Computer Science at the University of California, Santa Barbara. He received his M.Sc. (2006) and Ph.D. (2011) degrees in computer science from the University of Technology in Vienna. His research interests span numerous areas of systems security -- in particular, mobile security, privacy, and malicious code analysis. His PiOS work received a distinguished paper award at the Network and Distributed Systems Security Symposium 2011. Recently, he has started investigating techniques to detect semantically similar code in binary executables.