Program analysis for mobile: How and why to run WALA on your phone

Abstract

As mobile devices become ubiquitous, security of such devices has become a serious concern. Attacks on the devices themselves are a danger, as is theft of data they contain. Static analysis of the devices' software is one approach to verifying the absence of security, and several tools have been created to analyze apps for potential attacks and vulnerabilities. Many tools focus on single apps, but there are starting to be tools that look for possible vulnerabilities or attacks due to multiple apps on a single device that can communicate. Such analysis depends on having access to the relevant apps, and hence has been proposed to be performed on app stores. One challenge in the Android environment is that apps are often installed from multiple sources, such as development builds of apps installed from developer sites, e.g. Mozilla Aurora pre-released of Firefox. Ultimately, sometimes the device itself is the only place with the full set of apps used on that device. This suggests that running analysis on the device itself is attractive, at least in terms of having all the relevant code. Furthermore, app communication can be configured on the device itself, raising the possibility of analyzing communication risk when it is configured. However, this approach has a variety of challenges: 1) analysis tools are not typically mobile apps themselves, yet they somehow need to be built for and deployed on mobile devices. 2) Analysis tools are often resources intensive, and mobile devices need the resources to perform analysis. 3) Analysis can also be a major drain on battery life, so care must be taken not to heedlessly drain power. We describe our preliminary work toward running program analysis on mobile devices, focusing on running the WALA framework on Android devices. We describe how WALA can be built and deployed for Android; since WALA is Java code, it is actually straightforward to do this, both using Eclipse and Maven-based command-line tools. We also provide some evidence that performance is reasonable.