Static Taint Analysis Method for Intent Injection Vulnerability in Android Applications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10581)

Abstract

In inter-component communication within Android applications, attackers may be able to construct the Intent a component receives, which can result in malicious component injection. To address this problem, we develop IntentSoot, a prototype based on static taint analysis that detects Intent injection vulnerabilities in both the public and private components of Android applications. It first builds the call graph and control flow graph of an Android application, and then tracks taint propagation within a component, between components, and during reflection calls to detect potential Intent injection vulnerabilities. Experimental results validate the effectiveness of IntentSoot on various kinds of applications.


Acknowledgments

This work was partly supported by NSFC under No. 61772466, the Provincial Key Research and Development Program of Zhejiang, China under No. 2017C01055, the Fundamental Research Funds for the Central Universities, the Alibaba-Zhejiang University Joint Research Institute for Frontier Technologies (A.Z.F.T.) under Program No. XT622017000118, and the CCF-Tencent Open Research Fund under No. AGR20160109.

Author information

Corresponding author

Correspondence to Guangli Xiang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Xiong, B., Xiang, G., Du, T., He, J., Ji, S. (2017). Static Taint Analysis Method for Intent Injection Vulnerability in Android Applications. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science, vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_2

  • DOI: https://doi.org/10.1007/978-3-319-69471-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-69470-2

  • Online ISBN: 978-3-319-69471-9

  • eBook Packages: Computer Science, Computer Science (R0)
