FLEX: A Flexible Code Authentication Framework for Delegating Mobile App Customization Gabriele Costa † , Paolo Gasti ‡ , Alessio Merlo † , and Shung-Hsi Yu ‡ † DIBRIS – University of Genoa (Italy) ‡ New York Institute of Technology (USA) gabriele.costa@unige.it, pgasti@nyit.edu, alessio.merlo@unige.it, syu07@nyit.edu ABSTRACT Mobile code distribution relies on digital signatures to guar- antee code authenticity. Unfortunately, standard signature schemes are not well suited for use in conjunction with pro- gram transformation techniques, such as aspect-oriented pro- gramming. With these techniques, code development is per- formed in sequence by multiple teams of programmers. This is fundamentally different from traditional single-developer/ single-user models, where users can verify end-to-end (i.e., developer-to-user) authenticity of the code using digital sig- natures. To address this limitation, we introduce FLEX, a flexible code authentication framework for mobile applica- tions. FLEX allows semi-trusted intermediaries to modify mobile code without invalidating the developer’s signature, as long as the modification complies with a “contract” issued by the developer. We introduce formal definitions for secure code modification, and show that our instantiation of FLEX is secure under these definitions. Although FLEX can be in- stantiated using any language, we design AMJ—a novel pro- gramming language that supports code annotations—and implement a FLEX prototype based on our new language. 1. INTRODUCTION In recent years, software development has evolved from a centralized to a distributed activity. Modern development techniques and paradigms emphasize multiple code contrib- utors, often working “in series” by adding further functionali- ties, components, and refinements to an application. Promi- nent examples of distributed development paradigms include Aspect Oriented Programming [15] (AOP), Reflection [24], and Contract-driven development [18]. Because of the flex- ibility of these approaches, and because they fit well within the BYOD paradigm, the research community has started to apply distributed development approaches to smartphone software [2]. Smartphones have traditionally relied on closed market- places for code distribution. This model involves three par- ties: (i) one or more developers, who builds smartphone apps Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full cita- tion on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- publish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. ASIA CCS ’16, May 30-June 03, 2016, Xi’an, China © 2016 ACM. ISBN 978-1-4503-4233-9/16/05. . . $15.00 DOI: http://dx.doi.org/10.1145/2897845.2897887 in its entirety; (ii) the app marketplace (e.g., the Google Play Store [12], the Apple App Store [1], and the Firefox Market- place [9]), which distributes smartphone apps; and (iii) the user who runs apps downloaded from the app marketplace. As a prominent example of this model, the Google Play Store guarantees app authenticity by requiring that all apps are cryptographically signed by their respective developers [23]. This prevents code modifications, because it allows users to verify end-to-end (i.e., developer-to-user) app authenticity. Unfortunately, this approach to code authentication is not well suited for distributed development processes. By hav- ing multiple independent developers who contribute code at different points in time, each (legal) code modification in- validates all previously issued signatures. Further, the current code authentication approach pre- vents app marketplaces from implementing benign code mod- ifications. For instance, Armando et al. [2] introduced the notion of meta-market —an entity that redistributes mobile apps to a group of federated mobile devices. The meta- market performs security analysis of apps and, if needed, refines the apps’ code to neutralize possible vulnerabilities, and to add code instrumentation. However, by modifying the application’s code, the meta-market invalidates the de- veloper’s signature. Any modification implemented by the meta-market re- quires a new signature, which can be issued by either the developer or the meta-market itself. We argue that neither option is satisfactory. Clearly, requiring the developer to review and sign potentially hundreds of different modifica- tions is not sustainable. On the other hand, replacing the developer’s signature with a new one from the meta-market prevents the user from performing end-to-end app authen- tication, and gives the developer no control on which mod- ifications are performed by the meta-market. In addition to security issues, this approach can potentially raise both legal (e.g., does any modifications violate the developer’s li- cense agreement?) as well as technical concerns (how can modifications be implemented reliably when the app’s source code is not available?). To address these problems, in this paper we introduce FLEX, a flexible code authentication framework. FLEX al- lows: (i) the developer to define constraints on modifications of his mobile apps, (ii) a third party (e.g. the meta-market) to perform targeted modifications and, (iii) the user to ver- ify end-to-end app authenticity. In addition, it lets the user check which modifications have been applied to an app. As a proof of concept, and to provide formal proofs on the framework’s properties, we developed a simple programming 389