IEEE Access (Jan 2020)

Is Your Android App Insecure? Patching Security Functions With Dynamic Policy Based on a Java Reflection Technique

  • Sung-Hoon Lee,
  • Seung-Hyun Kim,
  • Jung Yeon Hwang,
  • Soohyung Kim,
  • Seung-Hun Jin

DOI
https://doi.org/10.1109/ACCESS.2020.2987059
Journal volume & issue
Vol. 8
pp. 83248 – 83264

Abstract

Read online

With the popularization of smart devices, companies are adopting bring-your-own-device or mobile office policies that utilize personal smart devices for work. However, as work data are stored on individual smart devices, critical security threats are emerging, such as the leakage of confidential documents. Enterprises want to address this issue by adapting enterprise mobility management (EMM) solutions. Appwrapping is among the core technologies in EMM solutions, enabling security function insertion or misused code patching without the original application (app) source code. Studies on permission control, misused code patching, security function insertion based on static policies, etc., have been conducted, but there are limitations such as poor user convenience and overhead. In this paper, we propose an AppWrapper toolkit to support dynamic polices. Basically it can insert security function execution code into apps by using appwrapping technology without the original source code. This code uses Java reflection to invoke security functions dynamically based on preset policies. Accordingly, after the initial appwrapping, the policy can be changed easily. In addition, even when multiple security functions are required, Java reflection can invoke multiple security functions dynamically and simultaneously without conflicting with the existing code. The AppWrapper toolkit also provides a log function to check in real time where the security function is needed. Hence, the policy-setting administrator can check the log in real time and implement the security function where needed. Our experimental results show that this technique improves significantly the efficiency, effectiveness, and convenience of adding security function execution code.

Keywords