Android mobile VoIP apps: a survey and examination of their security and privacy

Voice over Internet Protocol (VoIP) has become increasingly popular among individuals and business organisations, with millions of users communicating using VoIP applications (apps) on their smart mobile devices. Since Android is one of the most popular mobile platforms, this research focuses on Android devices. In this paper we survey the research that examines the security and privacy of mVoIP published in English from January 2009 to January 2014. We also examine the ten most popular free mVoIP apps for Android devices, and analyse the communications to determine whether the voice and text communications using these mVoIP apps are encrypted. The results indicate that most of the apps encrypt text communications, but voice communications may not have been encrypted in Fring, ICQ, Tango, Viber, Vonage, WeChat and Yahoo. The findings described in this paper contribute to an in-depth understanding of the potential privacy risks inherent in the communications using these apps, a previously understudied app category. Six potential research topics are also outlined.     

Network-based detection of Android malicious apps

Users leverage mobile devices for their daily Internet needs by running various mobile applications (apps) such as social networking, e-mailing, news-reading, and video/audio streaming. Mobile device have become major targets for malicious apps due to their heavy network activity and is a research challenge in the current era. The majority of the research reported in the literature is focused on host-based systems rather than the network-based; unable to detect malicious activities occurring on mobile device through the Internet. This paper presents a detection app model for classification of apps. We investigate the accuracy of various machine learning models, in the context of known and unknown apps, benign and normal apps, with or without encrypted message-based app, and operating system version independence of classification. The best resulted machine learning(ML)-based model is embedded into the detection app for efficient and effective detection. We collect a dataset of network activities of 18 different malware families-based apps and 14 genuine apps and use it to develop ML-based detectors. We show that, it is possible to detect malicious app using network traces with the traditional ML techniques, and results revealed the accuracy (95–99.9 %) in detection of apps in different scenarios. The model proposed is proved efficient and suitable for mobile devices. Due to the widespread penetration of Android OS into the market, it has become the main target for the attackers. Hence, the proposed system is deployed on Android environment.     

Fresh apps: an empirical study of frequently-updated mobile apps in the Google play store

Mobile app stores provide a unique platform for developers to rapidly deploy new updates of their apps. We studied the frequency of updates of 10,713 mobile apps (the top free 400 apps at the start of 2014 in each of the 30 categories in the Google Play store). We find that a small subset of these apps (98 apps representing ?1 % of the studied apps) are updated at a very frequent rate — more than one update per week and 14 % of the studied apps are updated on a bi-weekly basis (or more frequently). We observed that 45 % of the frequently-updated apps do not provide the users with any information about the rationale for the new updates and updates exhibit a median growth in size of 6 %. This paper provides information regarding the update strategies employed by the top mobile apps. The results of our study show that 1) developers should not shy away from updating their apps very frequently, however the frequency varies across store categories. 2) Developers do not need to be too concerned about detailing the content of new updates. It appears that users are not too concerned about such information. 3) Users highly rank frequently-updated apps instead of being annoyed about the high update frequency.     

基于Android移动设备的增强现实技术研究

针对移动设备弱处理能力和低内存等局限性,导致增强现实技术不能在移动设备上普及,提出一种新的增强现实技术方案。采用SURF算法提取视频帧图像的特征点,接着使用FREAK算法进行特征点描述;在汉明距离强制匹配之后,采用改进的RANSAC算法剔除了误匹配点,然后通过计算比较匹配特征点占样本图像特征点的比重,判断是否成功匹配目标物体;最后渲染对应的三维模型完成增强现实三维注册。通过在Android移动设备上的验证,结果表明该技术方案满足移动设备对实时性、准确性和鲁棒性的要求,为移动增强现实的推广奠定了良好的基础。     

A parallelizable chaos-based true random number generator based on mobile device cameras for the Android platform

Multimedia Tools and Applications - True random number generators are used in high security applications such as cryptography where non-determinism is required. However, they are slower than their...     

A static technique for detecting input validation vulnerabilities in Android apps

Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.     

An empirical study of emergency updates for top android mobile apps

The mobile app market continues to grow at a tremendous rate. The market provides a convenient and efficient distribution mechanism for updating apps. App developers continuously leverage such mechanism to update their apps at a rapid pace. The mechanism is ideal for publishing emergency updates (i.e., updates that are published soon after the previous update). In this paper, we study such emergency updates in the Google Play Store. Examining more than 44,000 updates of over 10,000 mobile apps in the Google Play Store, we identify 1,000 emergency updates. By studying the characteristics of such emergency updates, we find that the emergency updates often have a long lifetime (i.e., they are rarely followed by another emergency update). Updates preceding emergency updates often receive a higher ratio of negative reviews than the emergency updates. However, the release notes of emergency updates rarely indicate the rationale for such updates. Hence, we manually investigate the binary changes of several of these emergency updates. We find eight patterns of emergency updates. We categorize these eight patterns along two categories “Updates due to deployment issues” and “Updates due to source code changes”. We find that these identified patterns of emergency updates are often associated with simple mistakes, such as using a wrong resource folder (e.g., images or sounds) for an app. We manually examine each pattern and document its causes and impact on the user experience. App developers should carefully avoid these patterns in order to improve the user experience.     

A model-based framework for mobile apps customization through context-dependent rules

Universal Access in the Information Society - The advent of the Internet of Things and mobile applications has made the possible contexts of use more and more varied, and creates new challenges for...     

Media streaming via TFRC: An analytical study of the impact of TFRC on user-perceived media quality

TCP-Friendly Rate Control (TFRC) is being adopted in Internet standards for congestion control of streaming media applications. In this paper, we consider the transmission of prerecorded media from a server to a client by using TFRC, and analytically study the impact of TFRC on user-perceived media quality, which is roughly measured by calculating the rebuffering probability. A rebuffering probability is defined to be the probability that the total duration of all rebuffering events experienced by a user is longer than a certain threshold. Several approaches are presented to help an application determine an appropriate initial buffering delay and media playback rate in order to achieve a certain rebuffering probability under a given network condition. First, we derive a closed-form expression to approximate the average TFRC sending rate, which could be used as the maximum allowed playback rate of a media stream. Second, we develop a queueing model for a TFRC client buffer with the traffic described by a Markov-Renewal-Modulated Deterministic Process (MRMDP), which captures the fundamental behavior of TFRC that predicts the immediate future TCP sending rate based on the history of past loss intervals. We present a closed-form solution and a more accurate iterative method to solve the queueing model and calculate the rebuffering probability.     

Applications of mobile apps in the medical service system

Microsystem Technologies - With the prevalence of the Internet, the application of information technologies in everyday life is becoming increasingly common. Hospitals are no exception. In the...     

基于Android的移动化学计算平台研究

化学发现较多地依赖于研究者的经验与创意。随着信息技术的进步,计算化学作为化学的一个分支也在迅速地发展。移动互联网和云计算的出现使计算突破了时间和空间的制约,为计算化学提供了新的发展空间。本文研究并开发了一个基于Android的化学数据计算移动平台,实现了化学项目管理、数据分析以及数据查询等功能。项目管理包括项目创建、项目修改、项目删除和项目查询。在创建面向实验的项目时,本平台支持对化学方程式的编辑,在确定反应物和生成物的分子式后,系统将自动计算分子量并配平方程式。数据分析是对实验或计算结果进行处理和分析,包括计算化学反应的转化率、产率,对数据进行中心化、对数化等预处理,以及数据拟合与回归等,同时引入了图形化显示技术,可直观反映各种因素之间的关系。数据查询包括元素周期表查询、平台存储化合物查询和在线化合物数据库查询。在平台内部,构建了一张电子元素周期表,能够完成元素查询以及相关计算的自动检索:同时存储了与化学项目相关的化合物信息,并提供了一些常用在线化学数据库链接以扩展平台的功能。测试表明,所研发的移动化学计算平台实现了预期功能,性能稳定。     

Static analysis of Android Auto infotainment and on-board diagnostics II apps

Smartphone and automotive technologies are rapidly converging, letting drivers enjoy communication and infotainment facilities and monitor in-vehicle functionalities, via on-board diagnostics (OBD) technology. Among the various automotive apps available in playstores, Android Auto infotainment and OBD-II apps are widely used and are the most popular choice for smartphone to car interaction. Automotive apps have the potential of turning cars into smartphones on wheels but can be also the gateway of attacks. This paper defines a static analysis that identifies potential security risks in Android infotainment and OBD-II apps. It identifies a set of potential security threats and presents an actual static analyzer for such apps. It has been applied to most of the highly rated infotainment apps available in the Google Play store, as well as on the available open-source OBD-II apps, against a set of possible exposure scenarios. Results show that almost 60% of such apps are potentially vulnerable and that 25% pose security threats related to the execution of JavaScript. The analysis of the OBD-II apps shows possibilities of severe controller area network injections and privacy violations, because of leaks of sensitive information.     

Studying the effect of perceived hedonic mobile device quality on user experience evaluations of mobile applications

When people interact with digital artefacts they perceive their pragmatic and hedonic qualities. In the case of interacting with mobile devices and applications, users seek utility as they try to satisfy certain needs, but at the same time they have certain feelings and emotions when, for example, they feel attached to their personal phone and/or trust its brand. Due to this strong relation between users and mobile devices a significant problem occurs when researchers want to evaluate the user experience of a mobile application in laboratory settings: the selection of an appropriate mobile device. Towards this end, this paper aims to unveil the effect of perceived hedonic quality of a mobile device on the user experience evaluation results of an application. Our results show that the perceived hedonic quality of a mobile device significantly affected the perceived pragmatic quality of the application, but not the hedonic one.     

Modeling user experience: A case study on a mobile device

User experience (UX) consists of all aspects of interactions between a user and a product. Recently, many studies have been conducted to define the UX concept, but few studies have attempted to quantify UX. This paper proposed quantification models that integrate major elements of UX into a single index. A variety of models were proposed and evaluated including compensatory (i.e. simple linear, polynomial and S-shaped value) and non-compensatory (i.e. conjunctive and disjunctive) models. A case study with a commercial tablet PC was conducted in which a total of 26 subjects participated in a laboratory environment. Each participant performed a pretest ensuring the ability to make ratio judgments and then evaluated predefined dimensions with the modified magnitude estimation procedure. A total of 22 hierarchical dimensions were evaluated such as overall UX, its elements (i.e. usability, affect and user value) and sub-elements. Both compensatory and non-compensatory models had high performance in terms of goodness of fit. The results of this study are expected to help product or service designers develop indices representing an overall UX value.Relevance to industryThis study proposed quantification models that aggregate elements of UX. Although the UX index has been controversial, the single value developed by the models can be expected to help decision-makers understand about products or services intuitively.     

DelayDroid: an instrumented approach to reducing tail-time energy of Android apps

Mobile devices with 3G/4G networking often waste energy in the so-called “tail time” during which the radio is kept on even though no communication is occurring. Prior work has proposed policies to reduce this energy waste by batching network requests. However, this work is challenging to apply in practice due to a lack of mechanisms. In response, we have developed DelayDroid, a framework that allows a developer to add the needed policy to existing, unmodified Android applications (apps) with no human effort as well as no SDK/OS changes. This allows such prior work (as well as our own policies) to be readily deployed and evaluated. The DelayDroid compile-time uses static analysis and bytecode refactoring to identify method calls that send network requests and modify such calls to detour them to the DelayDroid run-time. The run-time then applies a policy to batch them, avoiding the tail time energy waste. DelayDroid also includes a cross-app communication mechanism that supports policies that optimize across multiple apps running together, and we propose a policy that does so. We evaluated the correctness and universality of the DelayDroid mechanisms on 14 popular Android apps chosen from the Google App Store. To evaluate our proposed policy, we studied three DelayDroid-enabled apps (weather forecasting, email client, and news client) running together, finding that the DelayDroid mechanisms combined with our policy can reduce 3G/4G tail time energy waste by 36%.     

Field experience with obfuscating million-user iOS apps in large enterprise mobile development

In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real-world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app-provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow-up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.     

Securing the mobile device

Much of the information available about wireless security revolves around securing the actual wireless communications; insuring the confidentiality, integrity, and availability of the data on a wireless network. However, what often goes overlooked is the wireless device itself. These devices are wireless for a reason; they are mobile and generally designed to be used in any location a user has access to a network. Phones, laptops, and PDA's are all purchased primarily for their mobility, not their stunning good looks.     

From source code to test cases: A comprehensive benchmark for resource leak detection in Android apps

Android apps share resources, such as sensors, cameras, and Global Positioning System, that are subject to specific usage policies whose correct implementation is left to programmers. Failing to satisfy these policies may cause resource leaks, that is, apps may acquire but never release resources. This might have different kinds of consequences, such as apps that are unable to use resources or resources that are unnecessarily active wasting battery. Researchers have proposed several techniques to detect and fix resource leaks. However, the unavailability of public benchmarks of faulty apps makes comparison between techniques difficult, if not impossible, and forces researchers to build their own data set to verify the effectiveness of their techniques (thus, making their work burdensome). The aim of our work is to define a public benchmark of Android apps affected by resource leaks. The resulting benchmark, called AppLeak, is publicly available on GitLab and includes faulty apps, versions with bug fixes (when available), test cases to automatically reproduce the leaks, and additional information that may help researchers in their tasks. Overall, the benchmark includes a body of 40 faults that can be exploited to evaluate and compare both static and dynamic analysis techniques for resource leak detection.