CRII: SaTC: Enhancing Mobile App Security by Detecting Icon-Behavior Contradiction

CRII：SaTC：通过检测图标行为矛盾来增强移动应用程序安全性

• 批准号: 1755772
• 负责人: Xusheng Xiao
• 金额: $ 17.49万
• 依托单位: Case Western Reserve University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-08-01 至 2022-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1755772&HistoricalAwards=false
• 关键词: CRII; SaTC; Enhancing; Mobile; App

Mobile applications (i.e., apps) are becoming critical parts in our daily life. While these apps provide better customized services using users' personal data, certain behavior of the apps is less than desirable or harmful. For example, if an app's user interface (UI) has no texts or images to indicate that it will access users' personal data (e.g., GPS data), but the app discloses users' personal data when an action is performed (e.g., pressing a button), then red flags should be raised. Thus, it is crucial to understand the intents of the app to determine whether the app will perform within the user's expectation. Various research efforts have been dedicated to understand apps' intents via analyzing the semantics of texts in UI. However, images, especially icons, remain unexplored. In apps' UIs, icons are often used in interactive widgets (e.g., buttons) to express the intents to use sensitive data. It is often difficult to analyze the semantics of icons due to the varieties in image styles and the lack of descriptive texts.The proposed research will build a knowledge base of icons' semantics via collecting icons from apps in major smartphone markets, and develop a framework to infer the semantics of icons based on the collected icons. More specifically, the PI proposes to adapt computer vision techniques to develop icon recognition techniques that identify similar icons based on the collected icons, and leverage program analysis techniques to check the compatibility between the icons and the program behaviors. Furthermore, this research will combine the semantics of both texts and icons to better detect undesired behavior in apps. The proposed research in understanding apps' intents improves mobile app security, which will have tremendous economical impact on society due to our increasing reliance on mobile apps. The proposed techniques will also benefit the security analysis of other event-driven GUI software applications, such as desktop applications, wearable apps, and web apps.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

移动应用程序(即应用程序)正在成为我们日常生活中的重要组成部分。虽然这些应用程序使用用户的个人数据提供了更好的定制服务，但这些应用程序的某些行为并不令人满意或有害。例如，如果应用程序的用户界面(UI)没有文本或图像表明它将访问用户的个人数据(例如，GPS数据)，但当执行某个操作(例如，按下按钮)时，该应用程序会泄露用户的个人数据，则应该发出危险信号。因此，了解应用程序的意图以确定应用程序是否会在用户预期的范围内运行是至关重要的。各种研究都致力于通过分析用户界面中文本的语义来理解应用程序的意图。然而，图像，特别是图标，仍然没有被探索过。在应用程序的用户界面中，图标通常用于交互小工具(例如按钮)，以表达使用敏感数据的意图。由于图像风格多种多样，缺乏描述性文字，分析图标的语义往往比较困难，本研究将通过从主要智能手机市场的应用程序中收集图标来建立图标语义知识库，并开发一个基于收集的图标来推断图标语义的框架。更具体地说，PI建议采用计算机视觉技术来开发基于收集的图标来识别相似图标的图标识别技术，并利用程序分析技术来检查图标和程序行为之间的兼容性。此外，这项研究将结合文本和图标的语义，以更好地检测应用程序中的不良行为。拟议中的了解应用意图的研究提高了移动应用的安全性，由于我们越来越依赖移动应用，这将对社会产生巨大的经济影响。建议的技术还将有利于其他事件驱动的图形用户界面软件应用程序的安全分析，如桌面应用程序、可穿戴应用程序和Web应用程序。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

WebEvo: taming web application evolution via detecting semantic structure changes

• DOI: 10.1145/3460319.3464800
• 发表时间: 2021-07
• 期刊: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Fei Shao;Ruiwen Xu;W. Haque;Jingwei Xu;Ying Zhang;Wei Yang;Yanfang Ye;Xusheng Xiao

DroidMutator: An Effective Mutation Analysis Tool for Android Applications

DroidMutator：一款有效的 Android 应用变异分析工具

• 发表时间: 2020
• 期刊: Demo Track
• 作者: Liu, Jian;Xiao, Xusheng;Xu, Lihua;Dou, Liang;Podgurski, Andy
• 通讯作者: Podgurski, Andy

Characterizing Android App Signing Issues

• DOI: 10.1109/ase.2019.00035
• 发表时间: 2019-11
• 期刊: 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)
• 作者: Haoyu Wang;Hongxuan Liu;Xusheng Xiao;Guozhu Meng;Yao Guo

DescribeCtx: Context-Aware Description Synthesis for Sensitive Behaviors in Mobile Apps

• DOI: 10.1145/3510003.3510058
• 发表时间: 2022-05
• 期刊: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE)
• 作者: Shao Yang;Yuehan Wang;Y. Yao;Haoyu Wang;Yanfang Ye;Xusheng Xiao

IconIntent: Automatic Identification of Sensitive UI Widgets Based on Icon Classification for Android Apps

• DOI: 10.1109/icse.2019.00041
• 发表时间: 2019-05
• 期刊: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)
• 作者: Xusheng Xiao;Xiaoyin Wang;Zhihao Cao;Hanlin Wang;Peng Gao