DOI: 10.1145/2185448.2185466 (WiSec conference proceedings, research article)

DroidChecker: analyzing android applications for capability leak

Published: 16 April 2012

ABSTRACT

While Apple has checked every app available on the App Store, Google takes a different approach and allows anyone to publish apps on the Android Market. The openness of the Android Market attracts both benign and malicious developers. The security of the Android platform relies mainly on sandboxing applications and restricting their capabilities so that no application, by default, can perform any operation that would adversely impact other applications, the operating system, or the user. However, recent research reported that a genuine but vulnerable application may leak its capabilities to other applications. When such a leak is leveraged, other applications can gain extra capabilities that they were not originally granted. We present DroidChecker, an Android application analysis tool that searches for the aforementioned vulnerability in Android applications. DroidChecker uses interprocedural control flow graph searching and static taint checking to detect exploitable data paths in an Android application. We analyzed more than 1100 Android applications using DroidChecker and found 6 previously unknown vulnerable applications, including the renowned Adobe Photoshop Express application. We have also developed a malicious application that exploits the previously unknown vulnerability found in the Adobe Photoshop Express application. We show that the malicious application, which is not granted any permissions, can access contacts on the phone with just a few lines of code.
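The detection idea in the abstract (an interprocedural control-flow search combined with taint checking for a path from an exported, unguarded entry point to a permission-protected API) as a toy Python model added here; this is not DroidChecker's code, and the component names, the call graph and the sink-to-permission mapping are constructed. It models only forward taint from the entry point's Intent data to the sink, not the flow of results back to the caller.

```python
from collections import deque
# Constructed toy model of a hypothetical app; none of these component names are real.
APP_PERMISSIONS = {"android.permission.READ_CONTACTS"}
# Permission-protected API calls (sinks) -> permission they require (assumed mapping).
SINKS = {"ContactsProvider.query": "android.permission.READ_CONTACTS"}
# Call graph: caller -> [(callee, caller-controlled data flows into the callee)].
# Data read from the incoming Intent at an exported entry point is the taint source.
CALL_GRAPH = {
    "ShareActivity.onCreate":    [("ShareActivity.lookup", True)],
    "ShareActivity.lookup":      [("ContactsProvider.query", True)],
    "GuardedReceiver.onReceive": [("GuardedReceiver.lookup", True)],
    "GuardedReceiver.lookup":    [("ContactsProvider.query", True)],
    "SettingsActivity.onCreate": [("SettingsActivity.lookup", False)],
    "SettingsActivity.lookup":   [("ContactsProvider.query", False)],  # fixed, app-internal query
}
# Entry points: exported in the manifest, and whether they verify the caller's permission.
ENTRY_POINTS = {
    "ShareActivity.onCreate":    {"exported": True, "checks_caller_permission": False},
    "GuardedReceiver.onReceive": {"exported": True, "checks_caller_permission": True},
    "SettingsActivity.onCreate": {"exported": True, "checks_caller_permission": False},
}

def tainted_path(entry, sink, call_graph):
    """BFS over the call graph following only edges that propagate caller-controlled
    data; returns the method path from entry to sink, or None if there is none."""
    queue, seen = deque([(entry, [entry])]), {entry}
    while queue:
        node, path = queue.popleft()
        if node == sink:
            return path
        for callee, carries_taint in call_graph.get(node, []):
            if carries_taint and callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None

def find_capability_leaks(entry_points, call_graph, sinks, app_permissions):
    """Report each exported, unguarded entry point with a tainted path to a sink whose
    permission this app holds: a caller with no permissions of its own can reach it."""
    leaks = []
    for entry, props in entry_points.items():
        if not props["exported"] or props["checks_caller_permission"]:
            continue  # unreachable by other apps, or the caller's own permission is checked
        for sink, permission in sinks.items():
            if permission not in app_permissions:
                continue  # the call would fail for this app too, so nothing to leak
            path = tainted_path(entry, sink, call_graph)
            if path:
                leaks.append({"entry": entry, "sink": sink, "permission": permission, "path": path})
    return leaks
```

Only ShareActivity is reported: GuardedReceiver verifies the caller's permission, and SettingsActivity reaches the sink without caller-controlled data.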


Published in

WISEC '12: Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
April 2012, 216 pages
ISBN: 9781450312653
DOI: 10.1145/2185448
Copyright © 2012 ACM
Publisher: Association for Computing Machinery, New York, NY, United States