I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications

Benjamin Davis, Ben Sanders, Armen Khodaverdian, and Hao Chen

Mobile applications are a major force behind the explosive growth of mobile devices. While they greatly extend the functionality of mobile devices, they also raise security and privacy concerns, especially when they have not gone through a rigorous review process. To protect users from untrusted and potentially malicious applications, we design and implement a rewriting framework for embedding In-App Reference Monitors (I-ARM) into Android applications. The framework user identifies a set of security-sensitive API methods and specifies their security policies, which may be tailored to each application. Then, our framework automatically rewrites the Dalvik bytecode of the application, where it interposes on all the invocations of these API methods to implement the desired security policies. We have implemented a prototype of the rewriting framework and evaluated it on compatibility, functionality, and performance in time and size overhead. We showcase example security policies that this rewriting framework supports.
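
The interposition step described in the abstract can be illustrated on disassembled Dalvik code (smali text). This is an added sketch, not the framework's own code: it redirects each invocation of a listed API method to a static stub where a policy check could run before the real call. The stub package name `Liarm/stubs/`, the policy table and the sample input are assumptions constructed for this example.

```python
import re

# Constructed policy input: the security-sensitive API methods to interpose on.
SENSITIVE = {
    ("Ljava/net/URL;", "openConnection", "()Ljava/net/URLConnection;"),
    ("Landroid/telephony/SmsManager;", "sendTextMessage",
     "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
     "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V"),
}
STUB_PREFIX = "Liarm/stubs/"  # hypothetical package holding the policy stubs

INVOKE = re.compile(
    r"^(?P<indent>\s*)invoke-(?P<kind>virtual|interface|static)(?P<range>/range)?"
    r"\s+(?P<regs>\{[^}]*\}),\s*(?P<cls>L[^;]+;)->(?P<name>[^(]+)"
    r"(?P<proto>\([^)]*\)\S+)\s*$"
)

def stub_class(cls):
    # Ljava/net/URL; -> Liarm/stubs/java_net_URL;
    return STUB_PREFIX + cls[1:-1].replace("/", "_") + ";"

def rewrite_line(line):
    m = INVOKE.match(line)
    if not m or (m["cls"], m["name"], m["proto"]) not in SENSITIVE:
        return line  # not a sensitive call site: leave untouched
    proto = m["proto"]
    if m["kind"] != "static":
        # Instance call: the receiver is already the first register, so it
        # becomes the first explicit parameter of the static stub.
        proto = "(" + m["cls"] + proto[1:]
    return (f'{m["indent"]}invoke-static{m["range"] or ""} {m["regs"]}, '
            f'{stub_class(m["cls"])}->{m["name"]}{proto}')

def rewrite_smali(text):
    """Return (rewritten_text, number_of_call_sites_redirected)."""
    out, count = [], 0
    for line in text.splitlines():
        new = rewrite_line(line)
        count += new != line
        out.append(new)
    return "\n".join(out), count

# Constructed sample: two sensitive call sites and one benign call.
SAMPLE = """\
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    invoke-virtual {v1}, Ljava/lang/Object;->toString()Ljava/lang/String;
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
"""
```

The sketch matches only call sites that name the API class directly. Calls reached through app-defined subclasses, reflection or native code are not covered by this text match and would need separate handling.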