Abstract
In the component communication of Android application, the risk that Intent can be constructed by attackers may result in malicious component injection. To solve this problem, we develop IntentSoot, a prototype for detecting Intent injection vulnerability in both public components and private components for Android applications based on static taint analysis. It first builds call graph and control flow graph of Android application, and then tracks the taint propagation within a component, between components and during the reflection call to detect the potential Intent injection vulnerability. Experimental results validate the effectiveness of IntentSoot in various kinds of applications.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: International Conference on Mobile Systems, pp. 239–252. ACM (2011)
Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: USENIX Security, vol. 2, p. 21 (2011)
Gallingani, D.: Static detection and automatic exploitation of intent message vulnerabilities in android applications (2014)
Li, L., Bartel, A., Bissyandé, T.F., Klein, J., Le Traon, Y., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., McDaniel, P.: IccTA: detecting inter-component privacy leaks in android apps. In: International Conference on Software Engineering, vol. 1, pp. 280–291. IEEE (2015)
Li, L., Bartel, A., Klein, J., Traon, Y.L., Arzt, S., Rasthofer, S., Bodden, E., Octeau, D., Mcdaniel, P.: I know what leaked in your pocket: uncovering privacy leaks on android apps with static taint analysis. Computer Science (2014)
Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: ACM Conference on Computer and Communications Security, pp. 229–240. ACM (2012)
Maji, A.K., Arshad, F.A., Bagchi, S., Rellermeyer, J.S.: An empirical study of the robustness of inter-component communication in android. In: The 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–12. IEEE (2012)
Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in android with epicc: an essential step towards holistic security analysis. In: USENIX Security, pp. 543–558 (2013)
Sagiv, M., Reps, T., Horwitz, S.: Precise interprocedural dataflow analysis with applications to constant propagation. Theor. Comput. Sci. 167(1), 131–170 (1996)
Sasnauskas, R., Regehr, J.: Intent fuzzer: crafting intents of death. In: Joint International Workshop on Dynamic Analysis, pp. 1–5. ACM (2014)
Singapati, S.: Inter process communication in android (2012). https://dspace.cc.tut.fi/dpub/bitstream/handle/123456789/21105/singapati.pdf
Soot[eb/ol], G.: https://sable.github.io/soot/
Wang, R., Xing, L., Wang, X., Chen, S.: Unauthorized origin crossing on mobile platforms: threats and mitigation. In: ACM SIGSAC Conference on Computer & Communications Security, pp. 635–646. ACM (2013)
Yuqing, Z., Zhejun, F., Kai, W., Zhiqiang, W., Hongzhou, Y., Qixu, L.: Survey of android vulnerability detection. Comput. Res. Dev. 52, 2167–2177 (2015)
Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., Crispo, B., Massacci, F.: Stadyna: addressing the problem of dynamic code updates in the security analysis of android applications. In: ACM Conference on Data and Application Security and Privacy, pp. 37–48. ACM (2015)
Acknowledgments
This work was partly supported by NSFC under No. 61772466, the Provincial Key Research and Development Program of Zhejiang, China under No. 2017C01055, the Fundamental Research Funds for the Central Universities, the Alibaba-Zhejiang University Joint Research Institute for Frontier Technologies (A.Z.F.T.) under Program No. XT622017000118, and the CCF-Tencent Open Research Fund under No. AGR20160109.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Xiong, B., Xiang, G., Du, T., He, J.(., Ji, S. (2017). Static Taint Analysis Method for Intent Injection Vulnerability in Android Applications. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science(), vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-69471-9_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69470-2
Online ISBN: 978-3-319-69471-9
eBook Packages: Computer ScienceComputer Science (R0)