SOAP Deadline extended

We have extended the submission deadline for SOAP. You still have until March 31st to submit your paper! We are looking forward to your submission!

Combating Dormant Malware Apps with Harvester

Over the past few days, the news has been full of a report of “dormant” malware that infected millions of Android devices. (German article here on Heise.de.) The malware previously went unnoticed by lying dormant for several hours, sometimes multiple days, after installation, in some cases even requiring a reboot of the device to become active. Dynamic-analysis procedures usually only run for minutes and, for efficiency reasons, do not simulate situations like a reboot. Contrary to the current perception, though, this problem had long been identified, and in fact today with this article we are revealing Harvester, a new tool to address exactly this problem.

Harvester* uses a novel combination of static and dynamic analysis and code transformation to (1) identify and eliminate emulator and timeout checks from apps, and (2) thereby allow the extraction of interesting runtime values such as reflective method calls, target numbers of calls to the SMS APIs, account data hard-wired in the malware, etc. In addition, Harvester is resilient against virtually all current cases of code obfuscation.

German media reports about our app analysis

Read on here for an extensive interview with Steven Arzt in the Süddeutsche Zeitung about the recent malware threat we discovered and about Android malware in general. Spiegel Online also has an article that draws information from the interview.

SOAP 2015

It’s time to get clean again… This year, Anders Møller and Mayur Naik have taken on the heroic task of organizing the 4th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP 2015). Thanks to both! We are looking for papers related to program analysis, especially interesting challenges with respect to their design and implementation. We encourage you all to submit!

Yes, banking apps are as secure as other apps, but is it really the banks who are to blame?

At 31C3 this year, Eric Filiol and Paul Irolla from Laboratoire de Cryptologie et Virologie Opérationnelles presented on the (in)security of mobile banking apps. While I appreciate the effort to draw more attention to the insecurity of mobile applications in general, I am afraid that the talk itself was based on quite a few misconceptions, and thus gave a very wrong impression of how app development actually works and of why the code we see is as insecure as it is. Unfortunately, these misconceptions were readily amplified through the mass media (the Zeit, for instance), which is why I think someone with more experience in the field should probably clarify a few things in this respect.

SSE scoring twice at ICSE’15

What a nice early Christmas gift! Today we were notified that both our submissions to ICSE’15 got accepted. Both papers are based on our Android infrastructure. In the paper IccTA: Detecting Inter-Component Privacy Leaks in Android Apps, which came out of our long-standing collaboration with the University of Luxembourg and Penn State, we present a precise approach for Android inter-component analysis. In the paper Mining Apps for Abnormal Usage of Sensitive Data, joint work with the group of Andreas Zeller (Saarbrücken), we present the first large-scale study of using information-flow analysis to identify Android malware. Thanks a lot to all our collaborators for their hard work! It’s been a pleasure working with all of you!

BTW, I will also be speaking at the New Faculty Symposium at ICSE.

A new home for Soot

We have finally completed the move of Soot’s homepage to Github. Soot’s new home makes it easier than ever for everyone to contribute changes not just to the code base but also the website and documentation. Enjoy!

Interested in TrueCrypt security? Talk to us

We have just kicked off a new project financed by the BSI whose goal is to perform a security evaluation of the current TrueCrypt code base. Do you have any particular insights about TrueCrypt security? Do you want to discuss with us what the advisory on the TrueCrypt homepage really means? Then meet with me at 31C3 or drop me a line. You can find my contact data and PGP key here.

2015 and 2016 Program committees

For 2015 and 2016, Eric Bodden has been invited to, and has accepted, membership in the program committees of the following top conferences:

  • ICSE 2016
  • OOPSLA 2016
  • ECOOP 2015
  • ISSTA 2015
  • MODULARITY/AOSD 2015
  • ONWARD 2015
  • PLDI 2015
  • RV 2015

SPLlift awarded the IT-Sicherheitspreis (2nd place)

On Thursday, SPLlift, our approach for Analyzing Software Product Lines in Minutes instead of Years, was awarded the second prize at the German IT-Sicherheitspreis. This was joint work with Mira Mezini, Claus Brabrand, Marcio Ribeiro, Paulo Borba and Tarsis Toledo. Many thanks for the fruitful collaboration! And many thanks to Horst Görtz and his Foundation for donating this award!

1st place went to Kastel’s project on Blurry-Box Cryptography, the first provably secure software-protection dongle. Congrats!