DCS Accademic Paper by Poste Italiane, University of Genova, Bruno Kessler Foundation from DIBRIS, University of Genova (Alessandro Armando, Gabriele Costa, Alessio Merlo), Security & Trust Unity, Fondazione Bruno Kessler (Alessandro Armando), Poste Italiane (Gianluca Bocci, Giantonio Chiarelli, Rocco Mammoliti).
The success of the mobile application model is mostly due to the ease with which new applications are uploaded by developers, distributed through the application markets (e.g. Google Play), and installed by users. Yet, the very same model is cause of serious security concerns, since users have no or little means to ascertain the trustworthiness of the applications they install on their devices. Such concerns grow up when dealing with professional scenarios like the use of mobile devices within organisations.
To protect their customers, Poste Italiane has defined the Mobile Application Verification Cluster (MAVeriC), a process for the systematic security analysis of third-party mobile apps leveraging their online services (e.g. home banking, parcel tracking). MAVeriC is an ongoing project that will be completed in the next few years. At the core of the MAVeriC project lies the Static Analysis Module (SAM), a toolkit that supports automatic static analysis of mobile applications by automating a number of operations including reverse engineering, privilege analysis and automatic verification of security properties.
In this paper we present the SAM that has been fully developed and tested. We introduce the functionalities of SAM through a demonstration of the platform applied to real Android applications.