Predicting the Security Behaviour of Mobile Apps

A cyber security research project at University of Edinburgh’s School of Informatics jointly funded by the US Office of Naval Research (ONR) and the Air Force Office of Scientific Research (AFOSR), 2017-2020.

Goals

In this project we undertook fundamental research on behavioural security policies for mobile applications at scale. Behavioural security policies move beyond access control policies which are all-or-nothing controls. With a behavioural policy, access depends in a context-sensitive way on behaviour and intent, and can vary over time. We worked on:

1. a formal, language-based abstraction that can capture behaviour of mobile apps precisely, going beyond resources, permissions and information flows;
2. new type-and-effect systems for policy-specific swift verification;
3. the infrastructure for a semi-supervised learning framework to support automatic construction and refinement of behavioural security policies.

This project built on some advances made in the UK EPSRC-funded project App Guarden, but taking a more foundational starting point.

Publications and software

• Checking Contact Tracing App Implementations. Robert Flood, Sheung Shi Chan, Wei Chen and David Aspinall, Proc. International Conf. on Informationc Systems Security and Privacy, ICISSP 2021. Investigates Android contact tracing apps using the Google-Apple Exposure Notifications API. Combines manual and generic static analysis alongside bespoke analysis to for behavioural policy enforcement using Presbema’s type-and-effect analysis. Flaws in API usage were identified in several apps which could compromise contact tracing effectiveness.
  • Authors’ PDF
• Traffic Generation using Containerization for Machine Learning. Henry Clausen, Robert Flood and David Aspinall. ACSAC DYNAMICS workshop, 2019. Introduces a data collection method designed to solve the ground truth problem with cyber security datasets. It can be applied to gather outputs for mobile applications.
  • Authors’ PDF
• Towards Intelligible Robust Anomaly Detection by Learning Interpretable Behavioural Models. Gudmund Grov, Marc Sabate, Wei Chen, and David Aspinall, Norwegian National Cyber Security Conf (NIKT), NISK 2019.
  • Authors’ PDF
• Extracting Functions from Mobile Apps, Harmony Singh, MSc thesis 2018. This MSc studies a functional form for Dalvik code, Light FuncDroid, used in the typing analysis for behavioural security policies.
  • MSc thesis
• A Data-driven Toolset Using Containers to Generate Datasets for Network Intrusion Detection, Robert Flood, MSc thesis 2019. This MSc introduces some of the methods and examples described in the above paper.
  • MSc thesis
• Flow and Effect Types via Büchi Automata, Wei Chen, Martin Hofmann, David Aspinall.
  • In submission

People

• David Aspinall, PI, Informatics, University of Edinburgh
• Wei Chen, Senior Researcher, University of Edinburgh (until 2019)
• [Rob Flood][rob], PhD Student, University of Edinburgh
• Arthur Chan, Researcher, University of Edinburgh
• Harmony Singh, MSc student, University of Edinburgh

Other collaborators include Henry Clausen and Martin Hofmann ()who sadly passed away in 2018).

Pointers

• More about the Informatics Security & Privacy Group.