
IntentAuth: Securing Android’s Intent-based inter-process communication

Regular contribution, International Journal of Information Security

Abstract

Android Intent redirection, malicious activity launch and intent hijacking attacks can severely affect the confidentiality and integrity of users’ data. More specifically, malicious applications launch such attacks in order to manipulate the provided services and gain access to sensitive data. Though such attacks are not yet common, we argue that they deserve close attention, as they can easily enable malevolent entities to access sensitive data. In this work, we introduce a novel, yet practical, operating-system-level service, namely IntentAuth, that supports secure inter-process communication between applications and allows users to define their own policies for controlling applications’ interactions. Thus, we propose a secure inter-process communication mechanism that provides encrypted transmission of intent data, based on user-defined policies. We demonstrate that the proposed mechanism does not affect the user experience when the execution flow switches, through implicit intents, among different applications.





Corresponding author

Correspondence to Christos Lyvas.

Ethics declarations

Conflict of interest

The authors declare that they have no competing interests.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information


Disclaimer The information and views set out in this article are those of the author (Dimitris Geneiatakis) and do not necessarily reflect the official opinion of the European Commission.


About this article


Cite this article

Lyvas, C., Lambrinoudakis, C. & Geneiatakis, D. IntentAuth: Securing Android’s Intent-based inter-process communication. Int. J. Inf. Secur. 21, 973–982 (2022). https://doi.org/10.1007/s10207-022-00592-9
