We are happy to announce that our paper “DroidSearch: A Tool for Scaling Android App Triage to Real-World App Stores” has been accepted for publication at the IEEE Technically Co-Sponsored “Science and Information Conference 2015” (SAI) in London, UK.

While many precise analysis tools for detecting malware and finding vulnerabilities in Android applications exist, they usually do not scale to the large number of applications in today’s real-world markets such as Google Play. We therefore present DroidSearch, a search engine that aids a multi-staged analysis in which fast pre-filtering techniques allow security experts to quickly retrieve candidate applications that should be subjected to further automated and/or manual analysis. DROIDSEARCH is supported by DROIDBASE, a middleware and back-end database which associates apps with metadata and the results of lightweight analyses on bytecode and configuration files that DROIDBASE automatically manages and executes.

Continue reading →

It’s time to get clean again… This year, Anders Møller and Mayur Naik have taken on the heroic task of organizing the 4th ACM SIGPLAN International Workshop on the
State Of the Art in Program Analysis (SOAP 2015). Thanks to both! We are looking for papers related to program analysis, especially interesting challenges with respect to their design and implementation. We encourage you all to submit!

At 31C3 this year, Eric Filiol and Paul Irolla from Laboratoire de Cryptologie et Virologie Opérationnelles presented on (In)security of mobile banking app security. While I appreciate the effort to draw more attention to the insecurity of mobile applications in general, I am afraid that the talk itself was based on quite a few misconceptions, and thus gave a very wrong impression of how app development actually works and about why the code we see is as insecure as it is. Unfortunately, these misconceptions were readily amplified through the mass media (the Zeit, for instance), which is why I think someone with more experience in the field should probably clarify a few things in this respect. Continue reading →

What a nice early Christmas gift! Today we were notified that both our submissions to ICSE’15 got accepted. Both papers are based on our Android infrastructure. In the paper IccTA: Detecting Inter-Component Privacy Leaks in Android Apps, which came out of our long-standing collaboration with the University of Luxembourg and Penn State, we present a precise approach for Android inter-component analysis. In the paper Mining Apps for Abnormal Usage of Sensitive Data, in joint work with the group of Andreas Zeller (Saarbrücken), we present the first large scale study of using information-flow analysis to identify Android malware. Thanks a lot to all our collaborators for their hard work! It’s been a pleasure working with all of you!

BTW, in addition I will also be speaking at the New Faculty Symposium at ICSE.

We have finally completed the move of Soot’s homepage to Github. Soot’s new home makes it easier than ever for everyone to contribute changes not just to the code base but also the website and documentation. Enjoy!

We have just kicked off a new project financed by the BSI which has the goal to perform a security evaluation of the current TrueCrypt code base. Do you have any particular insights about TrueCrypt security? Do you want to discuss with us more about what the advisory on the TrueCrypt homepage really means? Then meet with me at 31C3 or drop me a line. You can find my contact data and PGP key here.

We are currently looking for a research assistant who supports us in modeling cryptographic API’s with the use of Clafer.

So if you are interested in cryptography and are currently looking for a theses topic or a paid HiWi project, have a look to the attached proposal and contact us!

Proposal

For 2015 and 2016, Eric Bodden has been invited to participate, and accepted membership in the Program Committees for the following top conferences:

• ICSE 2016
• OOPSLA 2016
• ECOOP 2015
• ISSTA 2015
• MODULARITY/AOSD 2015
• ONWARD 2015
• PLDI 2015
• RV 2015

On Thursday, SPLlift, our approach for Analyzing Software Product Lines in Minutes instead of Years, was awarded the second price at the German IT-Sicherheitspreis. This was joint work with Mira Mezini (to the right), Claus Brabrand, Marcio Ribeiro, Paulo Borba and Tarsis Toledo. Many thanks for the fruitful collaboration! And Many thanks to Horst Görtz and his Foundation for donating this award!

1st place went to Kastel’s project on Blurry-Box Cryptography, the first provably secure software-protection dongle. Congrats!