Auditing Framework APIs via Inferred App-side Security Specifications


Parjanya Vyas, Asim Waheed, Yousra Aafer, and N. Asokan, University of Waterloo


In this work, we explore auditing access control implementations of Android private framework APIs by leveraging app-side security specifications. The seemingly straightforward auditing task faces significant challenges. It requires extracting unconventional security indicators and understanding their relevance to private framework APIs. More importantly, addressing these challenges requires relying on uncertain hints. We hence, introduce Bluebird, a security auditing platform for Android APIs, that mimics a human expert. Bluebird seamlessly fuses human-like understanding of app-side logic with statically-derived program semantics using probabilistic inference to detect access control gaps in private APIs.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {291321,
author = {Parjanya Vyas and Asim Waheed and Yousra Aafer and N. Asokan},
title = {Auditing Framework {APIs} via Inferred App-side Security Specifications},
booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
year = {2023},
isbn = {978-1-939133-37-3},
address = {Anaheim, CA},
pages = {6061--6077},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video