SurgeScan: Enforcing Security Policies on Untrusted Third-Party Android Libraries

Many Android apps include third-party libraries for advertising, payment, social media, etc. However, since the library code runs with the same privilege as the app code, the app developer has to either trust the library, a potential security risk, or refrain from using untrusted libraries. We designed and implemented SURGESCAN, a framework for specifying and enforcing security policies on untrusted third-party code. We call this third-party code plugins, as SURGESCAN supports both statically and dynamically loaded code. SURGESCAN consists of a static analysis component and code rewriting component. To use SURGESCAN, the app developer selects a security policy that declares security-sensitive methods in the Android API. Then, using static analysis, SURGESCAN finds all the Android API calls in the plugin binary that may reach those security-sensitive methods, and generates AspectJ code for enforcing the security policy on those API calls. Next, SURGESCAN runs AspectJ to weave the policy into the plugin. After that, the app can safely load the plugin. SURGESCAN requires no modification to the OS and incurs negligible runtime overhead. We describe our algorithms for achieving high accuracy in our static analysis. To evaluate SURGESCAN, we designed policies on network and sensor access and applied them to open source apps. We demonstrated various use scenarios for SURGESCAN, including securing distributed network measurement, securing ad libraries, controlling UI and screen estate, and patching applications.