AppJitsu: investigating the resiliency of Android applications

Files
appjitsu-eurosp2021.pdf (785.62 KB)
Accepted manuscript
Date
2021-09
Authors
Zungur, Onur
Bianchi, Antonio
Stringhini, Gianluca
Egele, Manuel
Version
Accepted manuscript
Citation
O. Zungur, A. Bianchi, G. Stringhini, M. Egele. 2021. "AppJitsu: Investigating the Resiliency of Android Applications." 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 2021-09-06 to 2021-09-10. https://doi.org/10.1109/eurosp51992.2021.00038
Abstract
The Android platform gives mobile device users the opportunity to extend the capabilities of their systems by installing developer-authored apps. Companies leverage this capability to reach their customers and conduct business operations such as financial transactions. End users can obtain custom Android applications (apps) from Google Play, some of which are security-sensitive due to the nature of the data they handle, such as apps in the FINANCE category. Although there are recommendations and standardized guidelines for secure app development using various self-defense techniques, adopting such methods is not mandatory and is left to the discretion of developers. Unfortunately, malicious actors can tamper with the app runtime environment and then exploit the attack vectors that arise from the tampering, such as executing foreign code with elevated privileges on the mobile platform. In this paper, we present AppJitsu, a dynamic app analysis framework that evaluates the resiliency of security-critical apps. We exercise the 455 most popular financial apps in attack-specific hostile environments to demonstrate the current state of resiliency against known tampering methods. Our results indicate that 25.05% of the tested apps have no resiliency against any of the common hostile methods or tools, whereas only 10.77% employ all of the defensive methods.