Theses

Dissertation
Improving Mobile-Malware Investigations with Static and Dynamic Code Analysis Techniques
TU Darmstadt, 2016
[PDF]


Master Thesis
Model Checking of Android Applications to Derive Strongest Preconditions for Secure Data Flows
University of Passau, 2012


Bachelor Thesis
Reconstruction of user traces in computer forensic investigations
University of Applied Sciences Landshut, 2010
(joint work with Siemens CERT Munich)



Publications

2017

The Soot-based Toolchain For Analyzing Android Apps
Steven Arzt, Siegfried Rasthofer, Eric Bodden
In: Proceedings of the 39th International Conference on Software Engineering (ICSE) MOBILESoft’17 Workshop, May 2017 (invited paper)
[pdf][bib]


Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments
Siegfried Rasthofer, Steven Arzt, Stefan Triller, Michael Pradel
In: Proceedings of the 39th International Conference on Software Engineering (ICSE), May 2017. (16%)
[pdf][bib][implementation][slides] (to appear)

2016

Harvester: Vollautomatische Extraktion von Laufzeitwerten aus obfuskierten Android-Applikationen
Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden
In: Datenschutz und Datensicherheit – DuD, Nov. 2016
[pdf][bib]


(In-) Security of Smartphone AntiVirus and Security Apps
Stephan Huber, Siegfried Rasthofer, Steven Arzt
In: VirusBulletin 2016, October 2016
[pdf][bib][slides]


How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire
Stephan Huber, Siegfried Rasthofer, Steven Arzt
In: DEF CON 24, August 2016
[slides][video]


Reverse Engineering Android Apps With CodeInspect
Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden
In: Innovations in Mobile Privacy and Security, April 2016. (invited paper)
[pdf][bib]


Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques
Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden
In: 23rd Annual Network & Distributed System Security Symposium (NDSS), February 2016. (15,4%).
[pdf][bib][slides]


Investigating Users’ Reaction to Fine-Grained Data Requests: A Market Experiment
Nicole Eling, Siegfried Rasthofer, Max Kolhagen, Eric Bodden and Peter Buxmann
In: Hawaii International Conference on System Sciences (HICSS), January 2016.
[pdf][bib]


2015

We know what you did this Summer: Android Banking Trojan Exposing its Sins in the Cloud
Siegfried Rasthofer, Carlos Castillo, Eric Bodden, Alex Hinchliffe
In: 18th Association of Anti-virus Asia Researchers International Conference (AVAR) 2015, December 2015.
[pdf][slides]


(In-)Security of Backend-As-A-Service Solutions
Siegfried Rasthofer and Steven Arzt
In: Black Hat Europe 2015, November 2015.
[pdf][bib][slides]


How Current Android Malware Seeks to Evade Automated Code Analysis
Siegfried Rasthofer, Irfan Asrar, Stephan Huber and Eric Bodden
In: 9th International Conference on Information Security Theory and Practice (WISTP'2015), August 2015.
[pdf][bib]


Using Targeted Symbolic Execution for Reducing False-Positives in Dataflow Analysis
Steven Arzt, Siegfried Rasthofer, Robert Hahn and Eric Bodden
In: 4th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP 2015), June 2015.
[pdf][bib]


DroidSearch: A Tool for Scaling Android App Triage to Real-World App Stores
Siegfried Rasthofer, Steven Arzt, Stephan Huber, Max Kolhagen, Brian Pfretzschner, Eric Bodden, Philipp Richter
In: Proceedings of the IEEE Technically Co-Sponsored Science and Information Conference 2015 (SAI), July 2015.
[pdf][bib]


Mining Apps for Abnormal Usage of Sensitive Data
Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, Eric Bodden
In: Proceedings of the 37th International Conference on Software Engineering (ICSE), May 2015. (18,5%)
[pdf][bib][website]


IccTA: Detecting Inter-Component Privacy Leaks in Android Apps
Li Li, Alexandre Bartel, Tegawendé Bissyande, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau and Patrick McDaniel
In: Proceedings of the 37th International Conference on Software Engineering (ICSE), May 2015. (18,5%)
[pdf][bib]


2014

Denial-of-App Attack: Inhibiting the Installation of Android Apps on Stock Phones
Steven Arzt, Stephan Huber, Siegfried Rasthofer, Eric Bodden
In: Proceedings of the Fourth ACM Workshop on Security and Privacy in Smartphones, November 2014.
[pdf][bib][implementation]


DroidForce: Enforcing Complex, Data-Centric, System-Wide Policies in Android
Siegfried Rasthofer, Steven Arzt, Enrico Lovat, Eric Bodden
In: Proceedings of the 9th International Conference on Availability, Reliability and Security (ARES), September 2014. (16%)
[pdf][bib]


FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau and Patrick McDaniel
In: Proceedings of the 35th ACM SIGPLAN conference on Programming language design and implementation (PLDI), June 2014
[pdf][bib][implementation]
Artifact Evaluation Award


A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks
Siegfried Rasthofer, Steven Arzt, Eric Bodden
In: 21st Annual Network & Distributed System Security Symposium (NDSS), February 2014. (18,6%)
[pdf][bib][slides][implementation]


2013

Schutzmaßnahmen gegen datenschutzunfreundliche Smartphone-Apps – Technische Möglichkeiten und rechtliche Zulässigkeit des Selbstdatenschutzes bei Apps
Eric Bodden, Siegfried Rasthofer, Philipp Richter, Alexander Roßnagel
In: Datenschutz und Datensicherheit – DuD, Nov. 2013
[pdf][bib]


Instrumenting Android and Java Applications as Easy as abc
Steven Arzt, Siegfried Rasthofer, Eric Bodden
In: Runtime Verification 2013 (RV'13), 2013
[pdf][bib]


How useful are existing monitoring languages for securing Android apps?
Steven Arzt, Kevin Falzon, Andreas Follner, Siegfried Rasthofer, Eric Bodden, Volker Stolz
In: 6. Arbeitstagung Programmiersprachen (ATPS 2013). In: GI Lecture Notes in Informatics. Gesellschaft für Informatik, 2013
[pdf][bib]


2012

Challenges in defining a programming language for provably correct dynamic analyses
Eric Bodden, Andreas Follner, Siegfried Rasthofer
In: 5th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation, ISOLA 2012
[pdf][bib]


Technical Reports

2016

Static Analysis of Android Apps: A Systematic Literature Review
Li Li, Tegawendé François D Assise Bissyande, Mike Papadakis, Siegfried Rasthofer, Alexandre Bartel, Damien Octeau, Jacques Klein, Yves Le Traon
Technical Report, April 2016
[pdf][bib]

2015

An Investigation of the Android/BadAccents Malware which Exploits a new Android Tapjacking Attack
Siegfried Rasthofer, Irfan Asrar, Stephan Huber, Eric Bodden
Technical Report, April 2015.
[pdf][bib]


Harvesting Runtime Data in Android Applications for Identifying Malware and Enhancing Code Analysis
Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden
Technical Report, February 2015.
[pdf][bib]

2014

Mining Apps for Abnormal Usage of Sensitive Data
Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, Eric Bodden
Technical Report, November 2014.
[pdf][bib]


I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis
Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, Patrick McDaniel
Technical Report, May 2014
[pdf][bib]

2013

Highly Precise Taint Analysis for Android Applications
Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, Patrick McDaniel
Technical Report, May 2013
[pdf][bib]


Susi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks
Steven Arzt, Siegfried Rasthofer, Eric Bodden
Technical Report, May 2013
[pdf][bib]


Poster

2016

Software Security for Mobile Devices
Steven Arzt, Alexandre Bartel, Richard Gay, Steffen Lortz, Enrico Lovat, Heiko Mantel, Martin Mohr, Benedikt Nordhoff, Matthias Perner, Siegfried Rasthofer, David Schneider, Gregor Snelting, Artem Starostin and Alexandra Weber
Poster at USENIX Security 2016, August 2016.
[pdf]

2015

Software Security for Mobile Devices
Steven Arzt, Alexandre Bartel, Richard Gay, Steffen Lortz, Enrico Lovat, Heiko Mantel, Martin Mohr, Benedikt Nordhoff, Matthias Perner, Siegfried Rasthofer, David Schneider, Gregor Snelting, Artem Starostin and Alexandra Weber
Poster at Security & Privacy 2015, May 2015.
[pdf]