ABSTRACT
While Apple reviews every app before it becomes available on the App Store, Google takes a different approach and allows anyone to publish apps on the Android Market. The openness of the Android Market attracts both benign and malicious developers. The security of the Android platform relies mainly on sandboxing applications and restricting their capabilities, so that by default no application can perform any operation that would adversely affect other applications, the operating system, or the user. However, recent research has shown that a genuine but vulnerable application may leak its capabilities to other applications: by exploiting such a leak, another application gains capabilities it was never granted. We present DroidChecker, an Android application analysis tool that searches for this vulnerability in Android applications. DroidChecker uses interprocedural control flow graph searching and static taint checking to detect exploitable data paths in an Android application. We analyzed more than 1100 Android applications using DroidChecker and found 6 previously unknown vulnerable applications, including the renowned Adobe Photoshop Express application. We have also developed a malicious application that exploits the previously unknown vulnerability found in the Adobe Photoshop Express application. We show that this malicious application, which is granted no permissions at all, can access contacts on the phone with just a few lines of code.
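A capability-leak search starts from the entry points another app can reach: components that an app holding sensitive permissions exposes without requiring a permission from the caller. The following is an added example of that manifest-level triage, not DroidChecker's own code; the manifest, the package name `com.example.editor` and the `SENSITIVE` permission subset are constructed for the example. DroidChecker then follows the interprocedural control flow from such entry points to permission-protected API calls, which this script does not reproduce.

```python
"""Manifest-level triage for capability-leak candidates (added example, not DroidChecker's code).

Lists components that other apps can reach and that are not guarded by an
android:permission, in an app that holds at least one sensitive permission.
These are the entry points from which an interprocedural data-path search
such as DroidChecker's would start.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: a small subset of permissions whose leak matters for this example.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Decide whether other apps can reach this component.

    An explicit android:exported wins. Otherwise the pre-Android-12 default
    applies: a component is exported iff it declares an <intent-filter>, and a
    content provider is exported (the default before API 17, i.e. the apps of
    the paper's era). Since targetSdk 31 the attribute must be explicit on
    components with intent-filters, so the fallback is rarely reached today.
    """
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def is_guarded(component):
    """True when a caller must hold a permission to use the component at all.

    A provider guarded only on reads or only on writes is still a candidate.
    """
    if component.get(ANDROID + "permission"):
        return True
    if component.tag == "provider":
        return bool(component.get(ANDROID + "readPermission")
                    and component.get(ANDROID + "writePermission"))
    return False


def find_leak_candidates(manifest_xml):
    """Return unguarded, externally reachable components (in manifest order)
    of an app that holds at least one SENSITIVE permission; [] otherwise."""
    root = ET.fromstring(manifest_xml)
    held = sorted(
        p.get(ANDROID + "name") for p in root.findall("uses-permission")
        if p.get(ANDROID + "name") in SENSITIVE
    )
    app = root.find("application")
    if not held or app is None:
        return []
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp) or is_guarded(comp):
            continue
        findings.append({
            "component": comp.get(ANDROID + "name"),
            "kind": comp.tag,
            "actions": [a.get(ANDROID + "name") for a in comp.iter("action")],
            "capabilities_at_risk": held,
        })
    return findings


# Constructed manifest for a fictitious app; it is not any real application's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.editor">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Editor">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ContactPickerActivity">
      <intent-filter>
        <action android:name="com.example.editor.PICK_CONTACT"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.editor.SYNC"/>
    <service android:name=".WorkerService"/>
    <provider android:name=".ContactCacheProvider"
              android:authorities="com.example.editor.contacts"
              android:readPermission="com.example.editor.READ_CACHE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in find_leak_candidates(SAMPLE_MANIFEST):
        print(f"{f['kind']:8} {f['component']:24} actions={f['actions']} "
              f"leaks={f['capabilities_at_risk']}")
```

On the sample, `SyncService` is skipped because callers must hold `com.example.editor.SYNC`, `WorkerService` is skipped because it is never exported, and the provider is reported because only reads are guarded. Every reported component is only a candidate: whether an Intent reaching it can actually drive a contacts query, as in the Photoshop Express case, is what the data-path analysis decides.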
Index Terms
- DroidChecker: analyzing android applications for capability leak