Helping Developers Construct Secure Mobile Applications

Mobile phones are no longer static devices that simply make phone calls and send SMS messages. Modern smartphones are now closer to general purpose computers. They allow users to customize their phones by installing third-party applications that let them browse the web, check social networking sites, and do online banking. Platform manufacturers, such as Android, introduce new APIs to facilitate the creation of rich applications that interact with other applications, system resources, and external resources (such as web applications). Given the level of trust users put in their phones and the number of sensitive tasks they perform, it is important to understand and improve the security of mobile applications.Android provides tools to enable rich interaction, but if developers do not know how to use them correctly, they will not use them securely. In this dissertation, we examine how mobile applications interact with each other and their environment. We uncover threats to application security due to developer confusion and general misuse of the features provided by the mobile platform. Specifically, we perform an in-depth analysis of how Android applications interact with each other through inter-process communication mechanisms, how they interact with system resources through Android permissions, and how they interact with web content through WebViews. We build static analysis tools to identify vulnerable applications and measure the prevalence of the vulnerabilities. Through automated and manual analysis, we identify patterns that illustrate how developers misuse these features and make their application vulnerable to attack. We further provide platform-level, API-level, and design-level solutions to help developers and platform designers build secure applications and systems.