A rooting detection system and risk assessment for android mobile devices / Wael Farouk Mohamed Elsersy

Wael Farouk Mohamed Elsersy (2022) A rooting detection system and risk assessment for android mobile devices / Wael Farouk Mohamed Elsersy. PhD thesis, Universiti Malaya.

PDF (The Candidate's Agreement): restricted to repository staff only.

PDF (Thesis PhD): restricted to repository staff only until 31 December 2024.

Abstract

With the proliferation of mobile banking and e-commerce applications with online payment capability, mobile devices have become a lucrative target for attackers who gain root access to them for revenue. On Android devices, root access is obtained via special applications, known as rooting applications, which are publicly downloadable from third-party stores and websites. Previous studies have proposed many solutions, such as rule-based detection and machine learning, to overcome this security problem and the installation of applications from third-party stores. Rule-based detection simply checks the ability to execute the Android superuser command and the presence of root applications. Machine learning, on the other hand, builds a root detection model by training and testing on a set of rooting applications, aiming to identify shared characteristics and features. However, the detection accuracy of such approaches is limited, and they ignore device risk assessment. This lack of risk assessment weakens the support for deciding the security and threat level of the device. Therefore, this thesis proposes an assessment framework for Android devices, named AndRoRAS, which detects and evaluates the rooting level of an Android device. The assessment framework contains two modules: a) rooting detection (Rootector) and b) risk assessment (ARAS). The rooting detection module introduces a data crawler (RootCrawler) that extracts static-analysis group features. The second module, the risk assessment model, adopts a risk scoring system to determine the risk level of Android devices based on three risk criteria.

To demonstrate the assessment framework, this thesis undertakes four evaluation phases: a) testing the detection performance on thirteen thousand physical and virtual Android devices, b) investigating the impact of different feature extraction techniques, c) cross-validation with varying sampling techniques, and d) benchmarking against the results of previous root detection studies. Separately, this thesis demonstrates the risk level assessment by applying the proposed scoring model to the rooted-devices dataset. The results show that the rooting detection module improves root detection accuracy to 98% total accuracy, compared to a moderate 90% in previous studies. In addition, the risk assessment module introduces four risk levels: low, medium, and high risk levels.

Item Type: Thesis (PhD)
Additional Information: Thesis (PhD) – Faculty of Computer Science & Information Technology, Universiti Malaya, 2022.
Uncontrolled Keywords: Android security; Android rooting; Machine learning; Deep learning; Risk assessment
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: Faculty of Computer Science & Information Technology > Dept of Computer System & Technology
Depositing User: Mr Mohd Safri Tahir
Date Deposited: 06 Jul 2023 03:08
Last Modified: 06 Jul 2023 03:08
URI: http://studentsrepo.um.edu.my/id/eprint/14577
