1

Text Analytics for Mobile App Security and Beyond

Tao XieUniversity of Illinois at Urbana-Champaign

taoxie@illinois.edu

Mobile App Markets

Apple App Store Google Play Microsoft Windows Phone

App Store beyond Mobile Apps!

What If Formal Specs Are Written?!

4

APP DEVELOPERS

APP USERS

App Functional Requirements

App Security Requirements

User Functional Requirements

User Security Requirements

informal: app description, etc. permission list, etc.

Informal App Functional Requirements: App Description

5

App Code

App Permissions

App Security Requirements: Permission List

6

What If Formal Specs Are Written?!

7

APP DEVELOPERS

APP USERS

App Functional Requirements

App Security Requirements

User Functional Requirements

User Security Requirements

informal: app description, etc. permission list, etc.

Example Andriod App: Angry Birds

8

What If Formal Specs Are Written?!

9

APP DEVELOPERS

APP USERS

App Functional Requirements

App Security Requirements

User Functional Requirements

User Security Requirements

In reality, few of these requirements are (formally) specified!! Hope?!: Bring human into the loop: user perception + judgment

informal: app description, etc. permission list, etc.

Our Yin-Yang View on Mobile App Security

10

App Description

App Code

App Permissions

User-Perceived Information

App Security Behavior

o Reason about user-perceived info, e.g., WHYPER ( )

o Push app security behavior across the boundary ()

o Check consistency across the boundary ()

o Reduce user judgment effort ( )

App UIs, App categories, App metadata, User forums, …

[functional]

[security]

11

oApple (Market’s Responsibility)o Apple performs manual inspection

oGoogle (User’s Responsibility)o Users approve permissions for security/privacyo Bouncer (static/dynamic malware analysis)

oWindows Phone (Hybrid)o Permissions / manual inspection

Assuring Market Security/Privacy

12

o Previous approaches look at permissions code (runtime behaviors)

o What does the users expect?o GPS Tracker: record and send locationo Phone-Call Recorder: record audio during phone call

Need More Than Program Analysis

App Description

App Code

App Permissions

13

oUser expectationso user perception + user judgment

o Focus on permission app descriptionso permissions (protecting user understandable

resources) should be discussed

Vision“Bridging the gap between

user expectation app behaviors”

App Description Sentence Permission

Linkage

14

WHYPER Overview

Application Market

WHYPER

DEVELOPERS

USERSPandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013http://web.engr.illinois.edu/~taoxie/publications/usenixsec13-whyper.pdf

• Enhance user experience while installing apps• Enforce functionality disclosure on developers• Complement program analysis to ensure justifications

15

Example Sentence in App Desc.• E.g., “Also you can share the yoga

exercise to your friends via Email and SMS.” – Implication of using the contact

permission– Permission sentences

Keyword-based search on application descriptions

16

Problems with Ctrl + F

• Confounding effects:– Certain keywords such as “contact” have a

confounding meaning – E.g., “... displays user contacts, ...” vs “... contact

me at abc@xyz.com”.

• Semantic inference: – Sentences often describe a sensitive operation

without actually referring to keywords – E.g., “share yoga exercises with your friends via

Email and SMS”

Natural Language Processing

• Natural Language Processing (NLP) techniques help computers understand NL artifacts

• In general, NLP is still difficult

• NLP on domain specific sentences with specific styles is feasible– Text2Policy: extraction of security policies from use cases [FSE

12]– APIInfer: inferring contracts from API docs [ICSE 12]– WHYPER: domain knowledge from API docs [USENIX Security 13]

18

Overview of WHYPER

APP Description

APP Permission

SemanticGraphs

PreprocessorIntermediate

RepresentationGenerator

SemanticEngine

NLP Parser

Semantic GraphGeneratorAPI Docs

AnnotatedDescription

FOLRepresentation

WHYPER

Domain Knowledge

19

Preprocessor• Period Handling

– Decimals, ellipsis, shorthand notations (Mr., Dr.)

• Sentence Boundaries– Tabs, bullet points, delimiters (:)– Symbols (*,-) and enumeration sentence

• Named Entity Handling– E.g., “Pandora internet radio”

• Abbreviation Handling– E.g., “Instant Message (IM)”

20

Intermediate-Representation Generator

Alsoyoucanshare yogaexercisetoyourfriendsviaEmailandSMSVBRB PRP MD NNDT NN NNSPRP NNP NNP

the

Alsoyou

can

share

exercise

yourfriends

EmailSMS

yoga

advmodnsubjauxdobj

detnn

prep_topossprep_via

conj_and

the

shareto

youyoga exercise

ownedyouvia

friendsand

EmailSMS

Predicate

Governing

Entity

DependentEntit

y

Semantic Engine

shareto

youyoga exercise

ownedyouvia

friendsand

EmailSMSEmail

share

WordNet Similarity

21

Inferred from API

DocsGoverning

Entity

DependentEntit

y

22

Systematic approach to infer graphso Identify resource associated with the permissions

from the API class nameo ContactsContract.Contacts

o Inspect the member variables and member methods to identify actions and subordinate resourceso ContactsContract.CommonDataKinds.Email

Semantic-Graph Generator

23

Evaluation• Subjects

– Permissions: • READ_CONTACTS • READ_CALENDAR • RECORD_AUDIO

– 581 application descriptions – 9,953 sentences

• Evaluation setup– Manual annotation of the sentences– WHYPER for identifying permission sentences– Comparison to keyword-based searching

24

Evaluation Results

• Precision and recall of WHYPER – Average precision (82.8%) and recall (81.5%)

• Comparison to keyword-based searching – Improving precision (41.6%) and recall (-1.2%)– E.g., microphone-blow into and call-record

Permission KeywordsREAD_CONTACTS contact, data, number,

name, emailREAD_CALENDAR calendar, event, date,

month, day, yearRECORD_AUDIO record, audio, voice,

capture, microphone

Access Control Policies (ACP) in Requirements Document

• Access control is often governed by security policies called Access Control Policies (ACP)– Includes rules to control which principals have access to

which resources

• A policy rule includes four elements– Subject – HCP – Action – edit– Resource - patient's account– Effect - deny

“The Health Care Personnel (HCP) does not have the ability to edit the patient's account.”

ex.

Overview of Text2Policy

A HCP should not change patient’s account.

An [subject: HCP] should not [action: change] [resource: patient’s account].

ACP Rule

EffectSubject Action Resource

HCP UPDATE - change

patient’s account

deny

Linguistic Analysis

Model-Instance Construction

TransformationXiao et al. Automated Extraction of Security Policies from Natural-Language Software Documents. FSE 2012. http://web.engr.illinois.edu/~taoxie/publications/fse12-nlp.pdf

Example Technical Challenges in ACP Extraction

• Semantic Structure Variance– different ways to specify the same rule

• Negative Meaning Implicitness– verb could have negative meaning

ACP 1: An HCP cannot change patient’s account.ACP2: An HCP is disallowed to change patient’s account.

Road Ahead: Yin-Yang View

28

App Description

App Code

App Permissions

User-Perceived Information

App Security Behavior

o Reason about user-perceived info, e.g., WHYPER ( )

o Push app security behavior across the boundary ()

o Check consistency across the boundary ()

o Reduce user judgment effort ( )

App UIs, App categories, App metadata, User forums, …

[functional]

[security]

Text Analytics for Mobile App Security and Beyond

29

App Description

App Code

App Permissions

taoxie@illinois.edu

App UIs, App categories, App metadata, User forums, …

Acknowledgments: Supported in part by NSA Science of Security (SoS) Lablet, NSF SaTC, NSF SHF, NSF CAREER

30

31

Problems with Ctrl + F

o Confounding effects:

o Certain keywords such as “contact” have a confounding meaning. o For instance, “... displays user contacts, ...” vs “... contact me at abc@xyz.com”.

o Semantic Inference:

o Sentences often describe a sensitive operation such as reading contacts without actually referring to keyword “contact”.

o For instance, “share yoga exercises with your friends via email, sms”.

32

• NLP techniques help computers understand NL artifacts

• NLP is still difficult

• NLP on domain specific sentences with specific styles is feasible

Natural Language Processing (NLP)

33

RQ1 Results: Effectiveness of WHYPER

• Low FPs and FNs• out of 9,061 sentences, only 129 are flagged as FPs• among 581 applications, 109 applications (18.8%) contain at least one FP• among 581 applications, 86 applications (14.8%) contain at least one FN

Permission SI TP FP FN TN Prec. Recall F-Score Acc

READ_CONTACTS 204 186 18 49 2,930 91.2 79.2 84.8 97.9

READ_CALENDAR 288 241 47 42 2,422 83.7 85.2 84.5 96.8

RECORD_AUDIO 259 195 64 50 3,470 75.3 79.6 77.4 97.0

TOTAL 751 622 129 141 9,061 82.8 81.5 82.2 97.3

34

• Incorrect parsing• “MyLink Advanced provides full

synchronization of all Microsoft Outlook emails (inbox, sent, outbox and drafts), contacts, calendar, tasks and notes with all Android phones via USB”

• Synonym analysis• “You can now turn recordings into

ringtones.”

Result Analysis (False Positives)

35

• Incorrect parsing• Incorrect identification of sentence boundaries and limitations of

underlying NLP infrastructure

• Limitations of Semantic Graphs• Manual Augmentation

• microphone-blow into and call-record• significant improvement of Delta Recalls: -6.6% to 0.6%

• Automatic mining from user comments and forums

Result Analysis (False Negatives)

Overview of Text2Policy

A HCP should not change patient’s account.

An [subject: HCP] should not [action: change] [resource: patient’s account].

ACP Rule

EffectSubject Action Resource

HCP UPDATE - change

patient’s account

deny

Linguistic Analysis

Model-Instance Construction

Transformation

Linguistic Analysis

• Incorporate syntactic and semantic analysis– syntactic structure -> noun group, verb group, etc.– semantic meaning -> subject, action, resource, negative

meaning, etc.

• Provide New techniques for model extraction– Identify ACP and AS sentences– Infer semantic meaning

Common Techniques

• Shallow parsing• Domain dictionary• Anaphora resolution

An HCP can view patient’s account.He is disallowed to change the patient’s account.

Subject Main Verb Group

Object

NP PNP

UPDATEHCP

VG

Technical Challenges (TC) in ACP Extraction

• TC1: Semantic Structure Variance– different ways to specify the same rule

• TC2: Negative Meaning Implicitness– verb could have negative meaning

ACP 1: An HCP cannot change patient’s account.ACP2: An HCP is disallowed to change patient’s account.

Semantic-Pattern Matching

• Address TC1 Semantic Structure Variance

• Compose pattern based on grammatical function

An HCP is disallowed to change the patient’s account.ex.

passive voice to-infinitive phrasefollowed by

Negative-Expression Identification

• Address TC2 Negative Meaning Implicitness

• Negative expression– “not” in subject:

– “not” in verb group:

• Negative meaning words in main verb group

No HCP can edit patient’s account.ex.

HCP can not edit patient’s account.HCP can never edit patient’s account.

ex.

ex. An HCP is disallowed to change the patient’s account.

AS: Syntactic-Pattern Matching

• Syntactic elements– Subject , Main verb, Object

• Subject and Object Checking– subject is a not a user or object is not a resource

• Filtering negative-meaning sentences– Negative sentences tend not to describe ASs

The prescription list should include medication, the name of the doctor. . .

ex.

Overview of Text2Policy

A HCP should not change patient’s account.

An [subject: HCP] should not [action: change] [resource: patient’s account].

ACP Rule

EffectSubject Action Resource

HCP UPDATE - change

patient’s account

deny

Linguistic Analysis

Model-Instance Construction

Transformation

ACP Model-Instance Construction

• Identify subject, action, and resource:– Subject: HCP– Action: change– Resource: patient’s account

• Infer effect:– Negative Expression: none– Negative Verb: disallow– Inferred Effect: deny

An HCP is disallowed to change the patient’s account.

ex.

ACP Rule

EffectSubject Action Resource

HCP UPDATE - change

patient’s account

deny

AS Model-Instance Construction

• Use case patterns– industry use cases [DSN’09]– public use cases

• Model-Instance ConstructionThe patient views access log.ex.

Action Step

Actor Action Resource

patient OUTPUT – view

access log

Technical Challenges in Action-Step Extraction

• TC4: Transitive Subject

• TC5: Perspective Variance

AS 1:He edits the account.AS 2: The system updates the account.AS 3: The system displays the updated account.

HCPHCP views the updated account.

Subject Flow Tracking

• Address TC4 Transitive Subject• Apply data flow to track non-system subject:

AS 1: The HCP edits the account.AS 2: The system updates the account.

Tracking Only system as subject

replaced with HCP as subject

Perspective Conversion

• Address TC5 Perspective Variance• Apply data flow to track non-system subject:

AS 1: The HCP edits the account.AS 2: The system shows the updated account.

Tracking Only system as subject andaction is output

Converting to “HCP views the updated account”

Evaluation – RQs

• RQ1: How effectively does Text2Policy identify ACP sentences in NL documents?

• RQ2: How effectively does Text2Policy extract ACP rules from ACP sentences?

• RQ3: How effectively does Text2Policy extract action steps from action-step sentences?

Evaluation – Subject

• iTrust open source project– http://agile.csc.ncsu.edu/iTrust/wiki/– 448 use-case sentences (37 use cases)– preprocessed use cases

• Collected ACP sentences– 100 ACP sentences – From 17 sources (published papers and websites)

• A module of an IBMApp (financial domain)– 25 use cases

RQ1 ACP Sentence Identification

• Apply Text2Policy to identify ACP sentences in iTrust use cases and IBMApp use cases

• Text2Policy effectively identifies ACP sentences with precision and recall more than 88%

• Precision on IBMApp use cases is better– proprietary use cases are often of higher quality compared to open-source

use cases

Evaluation –RQ2 Accuracy of Policy Extraction

• Apply Text2Policy to extract ACP rules from ACP sentences

• Text2Policy effectively extracts ACP model instances with accuracy above 86%

Evaluation –RQ3 Accuracy of Action-Step Extraction

• Apply Text2Policy to extract action steps from iTrust and IBMApp use cases

• Text2Policy effectively extracts AS model instances with accuracy above 81%

• Limitations: – Subordinate conjunction or else and long phrases

Detected Inconsistencies

• No violation between ASs against the extracted ACPs

• Inconsistent names used for referring to the same entity (e.g., user) across different use cases

editor used in UC 4 of iTrust use cases actually refers to HCP, admin, and all usersin UCs 1, 2, and 4

ex.

Summary

• Natural Language Processing (NLP) for domain-specific purposes is feasible– Challenging for general documents– Feasible for domain-specific sentences with specific

styles

• New techniques are required – Addressing unique challenges in software engineering

http://research.csc.ncsu.edu/ase/projects/text2policy/