Abstract
Input validation vulnerabilities are common in Android apps, especially in inter-component communication. Attackers can exploit this kind of vulnerability to bypass Android's security mechanisms and compromise the integrity, confidentiality and availability of Android devices. However, so far there is no sound source-code-level approach that helps app developers detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and implement a prototype named EasyIVD, which performs practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction slices and constraint slices from Java source code. It then validates these slices against predefined security rules to detect vulnerabilities that follow a known pattern. To detect vulnerabilities of an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from duplicated slices and verifies the slices against them. EasyIVD then semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on the stock apps of four Android versions spanning from 2.2 to 5.0. It detects 58 vulnerabilities, including confused deputy attacks and denial of service attacks. Our results show that EasyIVD can provide a practical defensive solution for app developers.
Highlights
To detect input validation vulnerabilities, which are common in Android apps, this paper proposes a static-analysis-based detection method and implements a prototype system, EasyIVD. The paper first uses backward program slicing to extract transaction slices and constraint slices from Java source code, then applies predefined security rules to detect input validation vulnerabilities of known patterns. For input validation vulnerabilities of unknown patterns, the paper extracts frequent patterns from similar slices and uses them as implicit security specifications to find vulnerabilities. The system was applied to the stock apps of four Android versions and found 58 input validation vulnerabilities in total.
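The abstract and the highlights describe the same pipeline: slice backward from a security-relevant transaction, split the slice into a transaction slice and a constraint slice, and check the pair against security rules. The following is an added illustration, not EasyIVD's code: a toy slicer over a hand-built statement IR with two rules (ICC input must be null-checked before use; a privileged transaction must be guarded by a permission check), run on a constructed SMS-forwarding component in its unchecked and checked forms. Statement texts, variable names and the two rules are constructed for the example.

```python
# Added example (not EasyIVD's code): a toy backward slicer over a small statement IR
# and two security rules checked against the transaction and constraint slices.
from dataclasses import dataclass, field
@dataclass
class Stmt:
    sid: int
    text: str
    kind: str = "plain"    # "source" (ICC input), "check", or "transaction"
    check: str = ""        # for kind == "check": "null" or "permission"
    defs: set = field(default_factory=set)    # variables written
    uses: set = field(default_factory=set)    # variables read
    guards: set = field(default_factory=set)  # sids of conditionals controlling this stmt
def backward_slice(stmts, sink_id):
    # Collect statements the sink depends on via data (def-use) or control (guard) edges.
    by_id, order = {s.sid: s for s in stmts}, [s.sid for s in stmts]
    work, sliced = [sink_id], set()
    while work:
        sid = work.pop()
        if sid in sliced:
            continue
        sliced.add(sid)
        for v in by_id[sid].uses:  # data dependence: nearest earlier definition of v
            for prev in reversed(order[:order.index(sid)]):
                if v in by_id[prev].defs:
                    work.append(prev)
                    break
        work.extend(by_id[sid].guards)  # control dependence
    return [by_id[i] for i in order if i in sliced]
def null_checked(tx, cs):  # every ICC-sourced variable reaching the sink is null-checked
    return all(any(v in c.uses and c.check == "null" for c in cs)
               for s in tx if s.kind == "source" for v in s.defs)
RULES = [("ICC input null-checked before use", null_checked),
         ("privileged transaction guarded by a permission check",
          lambda tx, cs: any(c.check == "permission" for c in cs))]
def violations(stmts, sink_id):
    sl = backward_slice(stmts, sink_id)
    cs = [s for s in sl if s.kind == "check"]  # constraint slice
    tx = [s for s in sl if s.kind != "check"]  # transaction slice
    return [name for name, ok in RULES if not ok(tx, cs)]

# Constructed sample: an exported component forwarding Intent extras to SmsManager.
VULN = [Stmt(1, 'to = i.getStringExtra("to")', "source", defs={"to"}),
        Stmt(2, 'body = i.getStringExtra("body")', "source", defs={"body"}),
        Stmt(3, "sms.sendTextMessage(to, null, body, null, null)", "transaction", uses={"to", "body"})]
FIXED = [Stmt(1, "if (checkCallingOrSelfPermission(SEND_SMS) != GRANTED) return", "check", "permission"),
         Stmt(2, 'to = i.getStringExtra("to")', "source", defs={"to"}, guards={1}),
         Stmt(3, 'body = i.getStringExtra("body")', "source", defs={"body"}, guards={1}),
         Stmt(4, "if (to == null || body == null) return", "check", "null", uses={"to", "body"}, guards={1}),
         Stmt(5, "sms.sendTextMessage(to, null, body, null, null)", "transaction", uses={"to", "body"}, guards={1, 4})]
```

`violations(VULN, 3)` reports both rules broken (a null extra crashes the component, and any app can spend its SEND_SMS permission), while `violations(FIXED, 5)` is empty because both constraints lie on the slice leading to the transaction.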
Fang, Z., Liu, Q., Zhang, Y. et al. A static technique for detecting input validation vulnerabilities in Android apps. Sci. China Inf. Sci. 60, 052111 (2017). https://doi.org/10.1007/s11432-015-5422-7