research-article

Identifying Android inter app communication vulnerabilities using static and dynamic analysis

Authors:

Biniam Fisseha Demissie,

Mariano Ceccato,

Andrea AvanciniAuthors Info & Claims

MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and Systems

Pages 255 - 266

https://doi.org/10.1145/2897073.2897082

Published: 14 May 2016 Publication History

Abstract

The Android platform is designed to facilitate inter-app integration and communication, so that apps can reuse functionalities implemented by other apps by resorting to delegation. Though this feature is usually mentioned to be the main reason for the popularity of Android, it also poses security risks to the end user. Malicious unprivileged apps can exploit the delegation model to access privileged tasks that are exposed by vulnerable apps.

In this paper, we present a particularly dangerous case of delegation, that we call the Android Wicked Delegation (AWiDe). Moreover, we compare two distinct approaches to automatically detect inadequate message validation, respectively based on static analysis and on dynamic analysis. We empirically validate our approaches on more than three hundred popular apps. Vulnerabilities detected by us lead to the implementation of successful proof-of-concept attacks, and the app developers have confirmed one of them.

References

[1]

D. Amalfitano, A. Fasolino, and P. Tramontana. A GUI crawling-based technique for Android mobile application testing. In Software Testing, Verification and Validation Workshops (ICSTW), 2011 IEEE Fourth International Conference on, pages 252--261, march 2011.

Digital Library

[2]

D. Amalfitano, A. R. Fasolino, P. Tramontana, S. De Carmine, and A. M. Memon. Using GUI ripping for automated testing of Android applications. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012, pages 258--261, New York, NY, USA, 2012. ACM.

Digital Library

[3]

S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, pages 259--269, New York, NY, USA, 2014. ACM.

Digital Library

[4]

K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: analyzing the Android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 217--228. ACM, 2012.

Digital Library

[5]

A. Avancini and M. Ceccato. Security testing of the communication among Android applications. In Proceedings of the 8th International Workshop on Automation of Software Test, pages 57--63. IEEE Press, 2013.

Digital Library

[6]

R. Borgaonkar. Dirty use of USSD codes in cellular networks. In Ekoparty Security Conference, 2012.

[7]

R. Borgaonkar. Demo: Dirty use of USSD codes, https://www.youtube.com/watch?v=q2-0b04hphs. last accessed August 2015.

[8]

E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, MobiSys '11, pages 239--252, New York, NY, USA, 2011. ACM.

Digital Library

[9]

J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis, ISSTA '07, pages 196--206, New York, NY, USA, 2007. ACM.

Digital Library

[10]

W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In 9th Usenix Symposium on Operating Systems Design and Implementation, 2010.

Digital Library

[11]

W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of Android application security. In Proceedings of the 20th USENIX Conference on Security, SEC'11, pages 21--21, Berkeley, CA, USA, 2011. USENIX Association.

Digital Library

[12]

A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In 20th Usenix Security Symposium, 2011.

Digital Library

[13]

Gartner. Smartphone sales in 2014, http://www.gartner.com/newsroom/id/2996817, last accessed August 2015.

[14]

M. C. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock Android smartphones. In NDSS. The Internet Society, 2012.

[15]

L. Hattersley. Samsung Galaxy S III secret USSD reset code discovered, http://www.macworld.co.uk/news/apple/samsung-galaxy-s-iii-secret-ussd-reset-code-discovered-3400408/, 2012.

[16]

C. Hu and I. Neamtiu. Automating GUI testing for Android applications. In Proceedings of the 6th International Workshop on Automation of Software Test, AST '11, pages 77--83, New York, NY, USA, 2011. ACM.

Digital Library

[17]

W. Klieber, L. Flynn, A. Bhosale, L. Jia, and L. Bauer. Android taint flow analysis for app sets. In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, SOAP '14, pages 1--6, New York, NY, USA, 2014. ACM.

Digital Library

[18]

L. Li, A. Bartel, T. F. Bissyandé, J. Klein, Y. Le Traon, S. Arzt, S. Rasthofer, E. Bodden, D. Octeau, and P. Mcdaniel. IccTA: Detecting inter-component privacy leaks in Android apps. In Proceedings of the 37th International Conference on Software Engineering (ICSE 2015), pages 280--291, 2015.

Digital Library

[19]

L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting Android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 229--240, New York, NY, USA, 2012. ACM.

Digital Library

[20]

R. Mahmood, N. Esfahani, T. Kacem, N. Mirzaei, S. Malek, and A. Stavrou. A whitebox approach for automated security testing of Android applications on the cloud. In Proceedings of the 7th International Workshop on Automation of Software Test (AST), pages 22--28, 2012.

Digital Library

[21]

A. Maji, F. Arshad, S. Bagchi, and J. Rellermeyer. An empirical study of the robustness of inter-component communication in Android. In Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on, pages 1--12, june 2012.

Digital Library

[22]

C. Mann and A. Starostin. A framework for static detection of privacy leaks in Android applications. In 27th Symposium on Applied Computing (SAC): Computer Security Track, pages 1457--1462, 2012.

Digital Library

[23]

M. Sharir and A. Pnueli. Program Flow Analysis: Theory and Applications, chapter Two approaches to interprocedural data flow analysis, pages 189--233. Prentice Hall, 1981.

[24]

O. Tripp, M. Pistoia, S. J. Fink, M. Sridharan, and O. Weisman. Taj: Effective taint analysis of web applications. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '09, pages 87--97, New York, NY, USA, 2009. ACM.

Digital Library

[25]

F. Wei, S. Roy, X. Ou, and Robby. AmAndroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pages 1329--1341, New York, NY, USA, 2014. ACM.

Digital Library

[26]

M. Zhang and H. Yin. Appsealer: Automatic generation of vulnerability-specific patches for preventing component hijacking attacks in Android applications. 2014.

Cited By

Lian KZhang LYang GMao SWang XZhang YYang M(2024)Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile ApplicationsProceedings of the ACM on Software Engineering10.1145/36437301:FSE(70-91)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643730
Wang BYang CMa J(2023)IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.326766618(2883-2898)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3267666
Pagano FRomdhana ACaputo DVerderame LMerlo A(2023)SEBASTiAn: A static and extensible black-box application security testing tool for iOS and Android applicationsSoftwareX10.1016/j.softx.2023.10144823(101448)Online publication date: Jul-2023
https://doi.org/10.1016/j.softx.2023.101448
Show More Cited By

Recommendations

Dynamic detection of inter-application communication vulnerabilities in Android
ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and Analysis

A main aspect of the Android platform is Inter-Application Communication (IAC), which enables reuse of functionality across apps and app components via message passing. While a powerful feature, IAC also constitutes a serious attack surface. A ...
Inter-app communication between Android apps developed in app-inventor and Android studio
MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and Systems

Communications between mobile apps are an important aspect of mobile platforms. Android is specifically designed with inter-app communication in mind and depends on this to provide different platform specific functionalities. Android Apps can either be ...
Analysis of android inter-app security vulnerabilities using COVERT
ICSE '15: Proceedings of the 37th International Conference on Software Engineering - Volume 2

The state-of-the-art in securing mobile software systems are substantially intended to detect and mitigate vulnerabilities in a single app, but fail to identify vulnerabilities that arise due to the interaction of multiple apps, such as collusion ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and Systems

May 2016

326 pages

ISBN:9781450341783

DOI:10.1145/2897073

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

ACM: Association for Computing Machinery
SIGSOFT: ACM Special Interest Group on Software Engineering
IEEE-CS\DATC: IEEE Computer Society
TCSE: IEEE Computer Society's Tech. Council on Software Engin.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 May 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Conference

ICSE '16

Sponsor:

ACM
SIGSOFT
IEEE-CS\DATC
TCSE

ICSE '16: 38th International Conference on Software Engineering

May 14 - 22, 2016

Texas, Austin

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
278
Total Downloads

Downloads (Last 12 months)21
Downloads (Last 6 weeks)1

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Lian KZhang LYang GMao SWang XZhang YYang M(2024)Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile ApplicationsProceedings of the ACM on Software Engineering10.1145/36437301:FSE(70-91)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643730
Wang BYang CMa J(2023)IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.326766618(2883-2898)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3267666
Pagano FRomdhana ACaputo DVerderame LMerlo A(2023)SEBASTiAn: A static and extensible black-box application security testing tool for iOS and Android applicationsSoftwareX10.1016/j.softx.2023.10144823(101448)Online publication date: Jul-2023
https://doi.org/10.1016/j.softx.2023.101448
Albakri AFatima HMohammed MAhmed AAli AAli AElzein N(2022)Survey on Reverse-Engineering Tools for Android Mobile DevicesMathematical Problems in Engineering10.1155/2022/49081342022(1-7)Online publication date: 13-Jan-2022
https://doi.org/10.1155/2022/4908134
Autili MMalavolta IPerucci AScoccia GVerdecchia R(2021)Software engineering techniques for statically analyzing mobile apps: research trends, characteristics, and potential for industrial adoptionJournal of Internet Services and Applications10.1186/s13174-021-00134-x12:1Online publication date: 23-Jul-2021
https://doi.org/10.1186/s13174-021-00134-x
Demissie BRanise S(2021)Assessing the Effectiveness of the Shared Responsibility Model for Cloud Databases: the Case of Google’s Firebase2021 IEEE International Conference on Smart Data Services (SMDS)10.1109/SMDS53860.2021.00026(121-131)Online publication date: Sep-2021
https://doi.org/10.1109/SMDS53860.2021.00026
Demissie BCeccato MLo DMariani LMesbah A(2020)Security testing of second order permission re-delegation vulnerabilities in Android appsProceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems10.1145/3387905.3388592(1-11)Online publication date: 13-Jul-2020
https://dl.acm.org/doi/10.1145/3387905.3388592
Demissie BCeccato MShar L(2020)Security analysis of permission re-delegation vulnerabilities in Android appsEmpirical Software Engineering10.1007/s10664-020-09879-8Online publication date: 15-Sep-2020
https://doi.org/10.1007/s10664-020-09879-8
Yeom CWon Y(2019)Vulnerability Evaluation Method through Correlation Analysis of Android ApplicationsSustainability10.3390/su1123663711:23(6637)Online publication date: 24-Nov-2019
https://doi.org/10.3390/su11236637
Zhou MZeng FChen Z(2019)Capability Leakage Detection between Android Applications Based on Dynamic Feedback2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS)10.1109/ICPADS47876.2019.00141(943-948)Online publication date: Dec-2019
https://doi.org/10.1109/ICPADS47876.2019.00141
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten