PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS


  1. PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS • XUETAO WEI, LORENZO GOMEZ, PROFESSOR IULIAN NEAMTIU, PROFESSOR MICHALIS FALOUTSOS • UNIVERSITY OF CALIFORNIA, RIVERSIDE

  2. WE DEPEND ON SMARTPHONES MORE AND MORE • “FDA approves Mobisante’s smartphone ultrasound app” [Feb 2011] • US Army CSDA initiative (Connecting Soldiers to Digital Applications) to replace handheld radio + BLUE FORCE tracker + portable GPS + video feed ROVER • Sources: defenseindustrydaily.com, mobilehealthnews.com

  3. ANDROID IS A POPULAR SMARTPHONE PLATFORM Operating system share of smartphone sales (US) 850,000 Android phones activated every day [Google letter to investors, April 2012]

  4. BUT WE DON’T UNDERSTAND APP BEHAVIOR source:washingtonpost.com

  5. THE ANDROID APP MARKET IS A JUNGLE Will this app drain my battery? Will this app leak my photos? Which radio is best for me? Will this app tell my friends that I’m a moron?

  6. FIRST STEP TO MAINTAINING THE JUNGLE Provide a low-cost method to profile the behavior of an app. Given a few short executions: • What did the app do? • How does the app use resources? • What entities does it communicate with? • What was the app supposed to do? • Were there conflicts? Why?

  7. BENEFICIAL TO Application developers • Assess performance and security implications • Make better use of resources End users • Enhance user control and improve experience • Push developers to make better use of resources

  8. ANDROID APPS Written in Java, compiled into Dalvik VM bytecode Packaged as name.apk • Signed with developer’s private key • Essentially a .zip file containing: • .dex bytecode file (similar to .class) • “Manifest” file (XML): permissions Permission model • Permissions last FOREVER! • Shown before install • All or nothing Permissions alone aren’t enough to describe app behavior

  9. DYNAMIC ANALYSIS WITH PROFILEDROID [Diagram labels: Desktop/laptop, Android Device, Profiling, Monitoring, Android Debugging Bridge] • Goal: Multi-level profiling based on static and dynamic application analysis

  10. MONITORING AND ANALYSIS WITH PROFILEDROID

  11. PROFILING FRAMEWORK: MONITORING [Diagram: three trace files] Capture 3 user traces, 5 minutes per app

  12. PROFILING FRAMEWORK: MONITORING [Diagram labels: Trace File, Playback, Logs] Playback original trace and collect logs

  13. A QUICK REPLAY DEMO

  14. PROFILING FRAMEWORK: MONITORING [Diagram labels: Trace File, Logs] Repeat playback 10 times per user (5 in morning and 5 at night, per app). Total of 30 runs of each app to build profile

  15. PROFILING FRAMEWORK: MULTI-LAYER ANALYSIS [Diagram: Logs; analysis layers: Static, User, OS, Network; Android software stack: Application, Application Framework, Libraries, Android Runtime, Linux Kernel] What metrics can be used to capture app behavior?

  16. SELECTED APPS

      | Category | App |
      |---|---|
      | Social | Facebook |
      | Games | Angry Birds, Angry Birds$$ |
      | Music & Audio | Pandora, Shazam, Shazam$$ |
      | Media & Video | Youtube |
      | Shopping | Amazon |
      | Travel | Gasbuddy |
      | Health & Fitness | Instant Heart Rate, Instant Heart Rate$$ |
      | Communication | Dolphin browser |
      | Sports | ESPN |
      | Reference | Dictionary.com, Dictionary.com$$ |

      Total 27 apps: 19 free, 8 paid • Wide range of apps, spanning many categories • Popular apps with >1,000,000 installs

  17. STATIC LAYER Source: manifest & bytecode decompilation • Permissions (shown at install) • Internet • Location (GPS or network) • Phone • … • Intents (not shown at install) • Resource use without permission via deputy apps

  18. STATIC LAYER ANALYSIS RESULTS App Internet GPS Camera Mic Bluetooth Telephony Facebook p p i* p Dictionary.com p i i Instant Heart Rate p p i i Shazam p p p Total (out of 27) 27 9 6 4 3 5 p = use via permissions i = use via intents (deputy apps) *for version originally tested March 2012

  19. USER LAYER Source: logcat, /dev/input/event • Input devices and events • Touchscreen • Physical Buttons • Accelerometer • Compass • Light proximity sensor • …

  20. USER LAYER ANALYSIS RESULTS

  21. OPERATING SYSTEM LAYER Source: strace • System call categories • Network sockets • File system • VM & IPC • Enforces isolation • Overhead: scheduling, idling, IPC

  22. OPERATING SYSTEM LAYER RESULTS

      | App | Intensity (syscalls/sec) | Filesystem (%) | Network (%) | VM & IPC (%) | Misc (%) |
      |---|---|---|---|---|---|
      | Tiny Flashlight | 436 | 1 | 1 | 77 | 21 |
      | Facebook | 1,031 | 4 | 3 | 72 | 21 |
      | Amazon | 693 | 1 | 6 | 77 | 16 |
      | InstHeartRate | 944 | 8 | 2 | 75 | 15 |

  23. NETWORK LAYER Source: tcpdump (packets and content) App traffic • Origin (app's website) • CDN and Cloud • Google • 3rd party: ads & tracking

  24. NETWORK LAYER RESULTS

      | App | Intensity (bytes/sec) | In/out ratio | Origin (%) | CDN+Cloud (%) | Google (%) | 3rd party (%) | HTTP/HTTPS split (%) |
      |---|---|---|---|---|---|---|---|
      | Tiny Flashlight | 134 | 2.49 | - | - | 99 | - | 100/- |
      | AdvTaskKiller | 26 | 0.94 | - | - | 100 | - | 92/8 |
      | AdvTaskKiller$$ | - | - | - | - | - | - | - |
      | Facebook | 4,606 | 1.45 | 68 | 32 | - | - | 23/77 |
      | Amazon | 7,758 | 8.17 | 95 | 5 | - | - | 99/1 |
      | InstHeartRate | 575 | 2.39 | - | 4 | 86 | 10 | 86/14 |
      | InstHeartRate$$ | 6 | 0.31 | - | 9 | 90 | 1 | 20/80 |

  25. APPLICATION THUMBNAILS High usage Medium usage Low usage

  26. READING BETWEEN THE LINES Free apps are not as free as we might think • 50–100% higher system call intensity • Dramatically higher network traffic (usually ads & tracking) • Bad for your data plan, your battery life, and your privacy. VM-based isolation comes at a cost • 64–87% of system calls are due to VM and IPC

  27. READING BETWEEN THE LINES Apps talk to many servers spread across many top-level domains • AngryBirds$$: 4 domains, AngryBirds free: 8 domains • Weatherbug: 13 domains, Shazam: 13 domains Most network traffic is not encrypted Google traffic is predominant • Except for Amazon and Facebook which have 0 (zero) Google traffic

  28. FUTURE WORK • Expand study to include more apps • User profiles • Study the variance across users • Fully automate process • Profiler as an app to run on the device • Provide summary of usage on close

  29. QUESTIONS?
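
The static layer on slides 17 and 18 marks each resource as used via a declared permission (`p`) or via an intent handed to a deputy app (`i`). The sketch below is an added example, not ProfileDroid's code: the permission and intent mappings, the `static_profile` name and the sample inputs are assumptions, and the manifest is assumed to be already decoded to text XML (inside an .apk it is stored as binary XML).

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from declared permissions to the slide's resource columns.
PERMISSION_RESOURCE = {
    "android.permission.INTERNET": "Internet",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Mic",
    "android.permission.BLUETOOTH": "Bluetooth",
    "android.permission.READ_PHONE_STATE": "Telephony",
}
# Assumed intent actions that delegate the work to a deputy app, so the
# calling app declares no permission for the resource.
INTENT_RESOURCE = {
    "android.media.action.IMAGE_CAPTURE": "Camera",
    "android.media.action.VIDEO_CAPTURE": "Camera",
    "android.provider.MediaStore.RECORD_SOUND": "Mic",
    "android.intent.action.DIAL": "Telephony",
}

def static_profile(manifest_xml, decompiled_code):
    """Return {resource: 'p' or 'i'}; a declared permission overrides 'i'."""
    profile = {}
    # Exact match on quoted string constants avoids prefix false positives.
    for literal in set(re.findall(r'"([^"]+)"', decompiled_code)):
        if literal in INTENT_RESOURCE:
            profile[INTENT_RESOURCE[literal]] = "i"
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        resource = PERMISSION_RESOURCE.get(node.get(ANDROID_NS + "name"))
        if resource:
            profile[resource] = "p"
    return profile

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_CODE = '''
const-string v0, "android.media.action.IMAGE_CAPTURE"
const-string v1, "android.intent.action.DIALOG_CONSTRUCTED"
const-string v2, "android.provider.MediaStore.RECORD_SOUND"
'''

if __name__ == "__main__":
    for resource, how in sorted(static_profile(SAMPLE_MANIFEST, SAMPLE_CODE).items()):
        print(f"{resource:10s} {how}")
```

On the constructed sample, Camera and Mic are reported as `i` although the manifest declares neither permission, which is the gap the slides point to when they say permissions alone do not describe app behavior.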
