research-article, DOI: 10.1145/2771783.2771800

Dynamic detection of inter-application communication vulnerabilities in Android

Published: 13 July 2015

ABSTRACT

A main aspect of the Android platform is Inter-Application Communication (IAC), which enables reuse of functionality across apps and app components via message passing. While a powerful feature, IAC also constitutes a serious attack surface. A malicious app can embed a payload into an IAC message, thereby driving the recipient app into a potentially vulnerable behavior if the message is processed without its fields first being sanitized or validated. We present what to our knowledge is the first comprehensive testing algorithm for Android IAC vulnerabilities. Toward this end, we first describe a catalog, stemming from our field experience, of 8 concrete vulnerability types that can potentially arise due to unsafe handling of incoming IAC messages. We then explain the main challenges that automated discovery of Android IAC vulnerabilities entails, including in particular path coverage and custom data fields, and present simple yet surprisingly effective solutions to these challenges. We have realized our testing approach as the IntentDroid system, which is available as a commercial cloud service. IntentDroid utilizes lightweight platform-level instrumentation, implemented via debug breakpoints (to run atop any Android device without any setup or customization), to recover IAC-relevant app-level behaviors. Evaluation of IntentDroid over a set of 80 top-popular apps has revealed a total of 150 IAC vulnerabilities — some already fixed by the developers following our report — with a recall rate of 92% w.r.t. a ground truth established via manual auditing by a security expert.


Published in

ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and Analysis
July 2015, 447 pages
ISBN: 9781450336208
DOI: 10.1145/2771783
General Chair: Michal Young
Program Chair: Tao Xie

Copyright © 2015 ACM


Publisher: Association for Computing Machinery, New York, NY, United States

Overall acceptance rate: 58 of 213 submissions, 27%
