Securing Modern Appified Platform Through Systematic Program Analysis and Design

Appified platform where software application (app) development is open to third-party developers has drastically changed the way software is produced and consumed and how users interact with smart devices over the last decade. In an appified ecosystem, there is an app specialized for almost everything, and the market entrance is low, attracting many third-party developers to contribute. However, the open nature of the appified platform also raises security risks by allowing untrusted third-party code, which can potentially be vulnerable or malicious, to control user's device. Moreover, as the Internet-of-Things (IoT) technology is gaining vast adoptions by a wide range of industries, and is penetrating people's everyday life, safety risks brought by the appification of emerging IoT platform (e.g., smart home) could bring more severe threat to the well-being of customers than what security vulnerabilities in mobile apps have done to a cellphone user.

To address this challenge posed on the application security, my dissertation focuses on the flaws, vulnerabilities and malice in the apps on several modern appified platforms. Specifically, we demonstrate that systematic program analysis of apps lead to: (1) an understanding of design and implementation flaws across different platforms that can be leveraged in miscellaneous attacks; (2) the development of security mechanisms that limit the potential for these attacks. We contribute static and dynamic app analysis support for three modern appified platforms — smartphone, smart home, and autonomous vehicle. Our app analysis reveals various different vulnerabilities and design flaws across several platforms, and we propose (1) static analysis tool to automates the discovery of problems by searching for vulnerable code patterns; (2) dynamic testing tool to efficiently produce and capture domain specific issues that are previously unknown; and (3) propose new access control mechanism to strengthen the platform's immunity to app vulnerability and malice.