CISPA

Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps

conference contribution
posted on 2023-11-29, 18:12 authored by Qingchuan Zhao, Chaoshun Zuo, Dolan-Gavitt Brendan, Giancarlo Pellegrino, Zhiqiang Lin
Mobile applications (apps) have exploded in popularity, with billions of smartphone users using millions of apps available through markets such as the Google Play Store or the Apple App Store. While these apps have rich and useful functionality that is publicly exposed to end users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists designed to block unwanted content. In this paper, we show that the input validation behavior—the way the mobile apps process and respond to data entered by users—can serve as a powerful tool for uncovering such hidden functionality. We therefore have developed a tool, InputScope, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest. We have tested InputScope with over 150,000 mobile apps, including popular apps from major app stores and pre-installed apps shipped with the phone, and found 12,706 mobile apps with backdoor secrets and 4,028 mobile apps containing blacklist secrets.

History

Preferred Citation

Qingchuan Zhao, Chaoshun Zuo, Dolan-Gavitt Brendan, Giancarlo Pellegrino and Zhiqiang Lin. Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps. In: IEEE Symposium on Security and Privacy (S&P). 2020.

Primary Research Area

  • Threat Detection and Defenses

Secondary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date

2020-02-21

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3032,
  title = "Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps",
  author = "Zhao, Qingchuan and Zuo, Chaoshun and Brendan, Dolan-Gavitt and Pellegrino, Giancarlo and Lin, Zhiqiang",
  booktitle = "{IEEE Symposium on Security and Privacy (S&P)}",
  year = "2020",
}
