WALA MobileWhy and How to run WALA on your phone

Julian Dolby Workshop on WALA

PLDI/FCRC - June 2015 - Portland

WALA Mobile• Why

• State on the phone

• Security issues

• How

• Powerful Android devices make it practical

• WALA Android projects

State on the Phone

• Phone has specific apps

• no single “app store”

• communication

• vulnerabilities

State on the Phone• Intents configure inter-app communication

• Control communication

• Register understanding

• Choice or default

• Set by user anytime

Security Issues• Static enforcement of policies

• Those requested by app

• No analysis of sufficiency

• No analysis of minimality

• No analysis of satisfiability

Security Issues• Security vulnerabilities within an app

• Security vulnerabilities across apps

WALA Mobile is practical• Android provides full Java support

• Eclipse, Maven support Android builds

WALA Mobile is practical• Analysis may drain battery

• installation already heavy weight on Android 5

• “limited-power mobile devices”

• wrong: 2.3 GHz, 4-core, 64 bit, 4GB is ample(Asus ZenFone 2)

WALA Mobile Status• WALA Mobile inherits all WALA code

• WALA Mobile on github

• parallel https://github.com/wala/WALA-Mobile

• Basic Android support

• a few simple JUnit tests

• a CallGraph builder service

WALA Mobile Future• Evaluate existing analyses

• basic analysis performance

• permissions analysis

• taint analysis

• Mobile extensions

• exploit phone state

Referenceshttps://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf

http://www.gilith.com/research/talks/hcss2012.pdf