TY - JOUR
T1 - SoProtector
T2 - safeguard privacy for native SO files in evolving mobile IoT applications
AU - Xu, Guangquan
AU - Wang, Weizhe
AU - Jiao, Litao
AU - Li, Xiaotong
AU - Liang, Kaitai
AU - Zheng, Xi
AU - Lian, Wenjuan
AU - Xian, Hequn
AU - Gao, Honghao
PY - 2020/4
Y1 - 2020/4
N2 - Android Apps have become the most important mobile applications in the evolving mobile IoT systems, whose security and privacy are confronted with ever more challenges, since such mobile devices as smartphones involve too much personal privacy information. Meanwhile, the developers prefer to put core functions (e.g., encryption function and T9 search function) of Android applications in the native layer for execution efficiency. However, there are no automated security analysis tools to protect the security and privacy of the Android native layer, especially for those dynamically loaded third-party SO libraries. In order to solve the previous problem, which is confusing, we propose a novel and scalable system, called SoProtector, to prevent privacy from leaking via the analysis of data flow between the Java and native layers. For detection of the malicious function implanted in the SO libraries, SoProtector realizes a real-time engine. We derive the malware features via three steps: 1) present binary files in native family as a grayscale image; 2) with use of the ARM instructions set reversely obtain the code of the SO file and using Python to obtain the opcode sequence; and 3) each file is transformed as the form of assembly language by IDA Pro, which includes a gdl file as an accompaniment. Our experiment, which involved 3400 applications, demonstrates that SoProtector is able to detect more sinks, sources, and smudges. It effectively inspects and blocks at least 82% of the applications that are loading malicious third-party SO dynamically, and it has relatively low overhead in the meantime, compared to most of the existing static analysis tools (e.g., FlowDroid and AndroidLeaks).
KW - Mobile privacy
KW - SO files
KW - mobile security
KW - native C/C++ libraries
UR - http://www.scopus.com/inward/record.url?scp=85077969949&partnerID=8YFLogxK
U2 - 10.1109/JIOT.2019.2944006
DO - 10.1109/JIOT.2019.2944006
M3 - Article
SN - 2327-4662
VL - 7
SP - 2539
EP - 2552
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
IS - 4
ER -