Explore the hidden behaviors in mobile apps through an analysis of input validation techniques. Learn how to uncover undisclosed functionalities like backdoors and blacklists using INPUTSCOPE, an automated tool designed to detect execution contexts and content involved in user input validation. Discover the findings from a comprehensive study of over 150,000 mobile apps, including popular and pre-installed applications, revealing thousands of apps with hidden backdoor secrets and blacklist content. Gain insights into the detailed design of INPUTSCOPE, including input validation detection, content resolution, context recovery, and secret uncovering. Examine experiment results across various secret types such as access keys, master passwords, secret commands, and blacklists. Discuss the implications of these findings and related work in the field of mobile app security.
Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps
Overview
Syllabus
Introduction
Motivating Example (1): Blacklist
Motivating Example (): Master Password
Motivating Example (ill): Access Key
Introducing InputScope
Detailed Design: Input Validation Detection
Detailed Design: Compared Content Resolution
Detailed Design: Comparison Context Recovery
Detailed Design: Secret Uncovering
Experiment Results: Overall
Experiment Results: Access Key
Experiment Results: Master Password
Experiment Results: Secret Command
Experiment Results: Blacklist
Discussion
Related Work
Summary
Taught by
IEEE Symposium on Security and Privacy
