multi-layer profiling of android applicationsjxie1/mobicom12/slides/gomez.pdf · multi-layer...
TRANSCRIPT
XUETAO WEI LORENZO GOMEZ PROFESSOR IULIAN NEAMTIU PROFESSOR MICHALIS FALOUTSOS
UNIVERSITY OF CALIFORNIA, RIVERSIDE
PROFILEDROID: MULTI-LAYER PROFILING
OF ANDROID APPLICATIONS
WE DEPEND ON SMARTPHONES MORE AND MORE
US Army CSDA initiative (Connecting Soldiers to Digital Applications) to replace handheld radio + BLUE FORCE tracker + portable GPS + video feed ROVER
source:defenseindustrydaily.com
“FDA approves Mobisante’s smartphone ultrasound app” [Feb 2011] source:mobilehealthnews.com
ANDROID IS A POPULAR SMARTPHONE PLATFORM
Operating system share of smartphone sales (US)
850,000 Android phones activated every day [Google letter to investors, April 2012]
BUT WE DON’T UNDERSTAND APP BEHAVIOR
source:washingtonpost.com
Will this app leak my photos?
Will this app drain my battery?
Will this app tell my friends that I’m a
moron?
THE ANDROID APP MARKET IS A JUNGLE
Which radio is best for me?
FIRST STEP TO MAINTAINING THE JUNGLE
Provide a low-cost method to profile the behavior of an app Given a few short executions:
• What did the app do? • How does the app use resources? • What entities does it communicate with?
• What was the app supposed to do? • Where there conflicts? Why?
BENEFICIAL TO Application developers
• Assess performance and security implications • Make better use of resources
End users
• Enhance user control and improve experience • Push developers to make better use of resources
ANDROID APPS Written in Java, compiled into Dalvik VM bytecode Packaged as name.apk
• Signed with developer’s private key • Essentially a .zip file containing:
• .dex bytecode file (similar to .class) • “Manifest” file (XML): permissions
Permission model • Permissions last FOREVER! • Shown before install • All or nothing
Permissions alone aren’t enough to describe app behavior
DYNAMIC ANALYSIS WITH PROFILEDROID
Android Device
Mon
itorin
g
Android Debugging Bridge
Prof
iling
Desktop/laptop
• Goal Multi-level profiling based on static and
dynamic application analysis
MONITORING AND ANALYSIS WITH PROFILEDROID
PROFILING FRAMEWORK: MONITORING
Capture 3 user traces, 5 minutes per app
Trace File
Trace File
Trace File
Playback original trace and collect logs
Logs
Trace File Playback
PROFILING FRAMEWORK: MONITORING
A QUICK REPLAY DEMO
PROFILING FRAMEWORK: MONITORING
Repeat playback 10 times per user
Logs Trace File
Logs
Total of 30 runs of each app to build profile (5 in morning and 5 at night, per app)
PROFILING FRAMEWORK: MULTI-LAYER ANALYSIS
Android software stack
Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
Logs
What metrics can be used to capture app behavior?
SELECTED APPS Category App Social Facebook Games Angry Birds, Angry Birds$$ Music & Audio Pandora, Shazam, Shazam$$ Media & Video Youtube Shopping Amazon Travel Gasbuddy Health & Fitness Instant Heart Rate, Instant Heart
Rate$$ Communication Dolphin browser Sports ESPN Reference Dictionary.com, Dictionary.com$$
total 27 apps: 19 free , 8 paid
Wide range of apps, spanning many categories Popular apps with >1,000,000 installs
STATIC LAYER Source: manifest & bytecode decompilation
• Permissions (shown at install) • Internet • Location (GPS or network) • Phone • …
• Intents (not shown at install) • Resource use
without permission via deputy apps Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
STATIC LAYER ANALYSIS RESULTS
App Internet GPS Camera Mic Bluetooth Telephony Facebook p p i* p Dictionary.com p i i Instant Heart Rate p p i i Shazam p p p Total (out of 27) 27 9 6 4 3 5
p = use via permissions i = use via intents (deputy apps)
*for version originally tested March 2012
USER LAYER Source: logcat, /dev/input/event
• Input devices and events • Touchscreen • Physical Buttons • Accelerometer • Compass • Light proximity sensor
… Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
USER LAYER ANALYSIS RESULTS
OPERATING SYSTEM LAYER Source: strace
• System call categories • Network sockets • File system • VM & IPC
• Enforces isolation • Overhead: scheduling,
idling, IPC
Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
OPERATING SYSTEM LAYER RESULTS
App Intensity (syscalls/sec)
Filesystem (%)
Network (%)
VM & IPC (%)
Misc (%)
Tiny Flashlight 436 1 1 77 21 Facebook 1,031 4 3 72 21 Amazon 693 1 6 77 16 InstHeartRate 944 8 2 75 15
NETWORK LAYER Source: tcpdump (packets and content) App traffic
• Origin (app's website) • CDN and Cloud • Google • 3rd party: ads & tracking
Linux Kernel
Libraries, Android Runtime
Application Framework
Application Static
User
OS
Network
NETWORK LAYER RESULTS
App Intensity
(bytes/ sec)
In/out ratio
Origin
(%)
CDN+ Cloud
(%)
(%)
3rd party (%)
HTTP/ HTTPS
split (%)
Tiny Flashlight 134 2.49 - - 99 - 100/- AdvTaskKiller 26 0.94 - - 100 - 92/8 AdvTaskKiller$$ - - - - - - - Facebook 4,606 1.45 68 32 - - 23/77 Amazon 7,758 8.17 95 5 - - 99/1 InstHeartRate 575 2.39 - 4 86 10 86/14 InstHeartRate$$ 6 0.31 - 9 90 1 20/80
APPLICATION THUMBNAILS
High usage Medium usage Low usage
READING BETWEEN THE LINES Free apps are not as free as we might think
• 50—100% higher system call intensity • Dramatically higher network traffic (usually ads&tracking)
Bad for your dataplan, your battery life, and your privacy
VM-based isolation comes at a cost • 64—87% of system calls are due to VM and IPC
READING BETWEEN THE LINES Apps talk to many servers spread across many top-level domains
• AngryBirds$$: 4 domains, AngryBirds free: 8 domains • Weatherbug: 13 domains, Shazam: 13 domains
Most network traffic is not encrypted Google traffic is predominant
• Except for Amazon and Facebook which have 0 (zero) Google traffic
FUTURE WORK • Expand study to include more apps • User profiles
• Study the variance across users • Fully automate process • Profiler as an app to run on the device
• Provide summary of usage on close
QUESTIONS?