skip to main content
10.1145/2897073.2897082acmconferencesArticle/Chapter ViewAbstractPublication PagesicseConference Proceedingsconference-collections
research-article

Identifying Android inter app communication vulnerabilities using static and dynamic analysis

Published: 14 May 2016 Publication History

Abstract

The Android platform is designed to facilitate inter-app integration and communication, so that apps can reuse functionalities implemented by other apps by resorting to delegation. Though this feature is usually mentioned to be the main reason for the popularity of Android, it also poses security risks to the end user. Malicious unprivileged apps can exploit the delegation model to access privileged tasks that are exposed by vulnerable apps.
In this paper, we present a particularly dangerous case of delegation, that we call the Android Wicked Delegation (AWiDe). Moreover, we compare two distinct approaches to automatically detect inadequate message validation, respectively based on static analysis and on dynamic analysis. We empirically validate our approaches on more than three hundred popular apps. Vulnerabilities detected by us lead to the implementation of successful proof-of-concept attacks, and the app developers have confirmed one of them.

References

[1]
D. Amalfitano, A. Fasolino, and P. Tramontana. A GUI crawling-based technique for Android mobile application testing. In Software Testing, Verification and Validation Workshops (ICSTW), 2011 IEEE Fourth International Conference on, pages 252--261, march 2011.
[2]
D. Amalfitano, A. R. Fasolino, P. Tramontana, S. De Carmine, and A. M. Memon. Using GUI ripping for automated testing of Android applications. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, ASE 2012, pages 258--261, New York, NY, USA, 2012. ACM.
[3]
S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, pages 259--269, New York, NY, USA, 2014. ACM.
[4]
K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: analyzing the Android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 217--228. ACM, 2012.
[5]
A. Avancini and M. Ceccato. Security testing of the communication among Android applications. In Proceedings of the 8th International Workshop on Automation of Software Test, pages 57--63. IEEE Press, 2013.
[6]
R. Borgaonkar. Dirty use of USSD codes in cellular networks. In Ekoparty Security Conference, 2012.
[7]
R. Borgaonkar. Demo: Dirty use of USSD codes, https://www.youtube.com/watch?v=q2-0b04hphs. last accessed August 2015.
[8]
E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, MobiSys '11, pages 239--252, New York, NY, USA, 2011. ACM.
[9]
J. Clause, W. Li, and A. Orso. Dytan: A generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis, ISSTA '07, pages 196--206, New York, NY, USA, 2007. ACM.
[10]
W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In 9th Usenix Symposium on Operating Systems Design and Implementation, 2010.
[11]
W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of Android application security. In Proceedings of the 20th USENIX Conference on Security, SEC'11, pages 21--21, Berkeley, CA, USA, 2011. USENIX Association.
[12]
A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In 20th Usenix Security Symposium, 2011.
[13]
Gartner. Smartphone sales in 2014, http://www.gartner.com/newsroom/id/2996817, last accessed August 2015.
[14]
M. C. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock Android smartphones. In NDSS. The Internet Society, 2012.
[15]
L. Hattersley. Samsung Galaxy S III secret USSD reset code discovered, http://www.macworld.co.uk/news/apple/samsung-galaxy-s-iii-secret-ussd-reset-code-discovered-3400408/, 2012.
[16]
C. Hu and I. Neamtiu. Automating GUI testing for Android applications. In Proceedings of the 6th International Workshop on Automation of Software Test, AST '11, pages 77--83, New York, NY, USA, 2011. ACM.
[17]
W. Klieber, L. Flynn, A. Bhosale, L. Jia, and L. Bauer. Android taint flow analysis for app sets. In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis, SOAP '14, pages 1--6, New York, NY, USA, 2014. ACM.
[18]
L. Li, A. Bartel, T. F. Bissyandé, J. Klein, Y. Le Traon, S. Arzt, S. Rasthofer, E. Bodden, D. Octeau, and P. Mcdaniel. IccTA: Detecting inter-component privacy leaks in Android apps. In Proceedings of the 37th International Conference on Software Engineering (ICSE 2015), pages 280--291, 2015.
[19]
L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting Android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, pages 229--240, New York, NY, USA, 2012. ACM.
[20]
R. Mahmood, N. Esfahani, T. Kacem, N. Mirzaei, S. Malek, and A. Stavrou. A whitebox approach for automated security testing of Android applications on the cloud. In Proceedings of the 7th International Workshop on Automation of Software Test (AST), pages 22--28, 2012.
[21]
A. Maji, F. Arshad, S. Bagchi, and J. Rellermeyer. An empirical study of the robustness of inter-component communication in Android. In Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on, pages 1--12, june 2012.
[22]
C. Mann and A. Starostin. A framework for static detection of privacy leaks in Android applications. In 27th Symposium on Applied Computing (SAC): Computer Security Track, pages 1457--1462, 2012.
[23]
M. Sharir and A. Pnueli. Program Flow Analysis: Theory and Applications, chapter Two approaches to interprocedural data flow analysis, pages 189--233. Prentice Hall, 1981.
[24]
O. Tripp, M. Pistoia, S. J. Fink, M. Sridharan, and O. Weisman. Taj: Effective taint analysis of web applications. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '09, pages 87--97, New York, NY, USA, 2009. ACM.
[25]
F. Wei, S. Roy, X. Ou, and Robby. AmAndroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pages 1329--1341, New York, NY, USA, 2014. ACM.
[26]
M. Zhang and H. Yin. Appsealer: Automatic generation of vulnerability-specific patches for preventing component hijacking attacks in Android applications. 2014.

Cited By

View all
  • (2024)Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile ApplicationsProceedings of the ACM on Software Engineering10.1145/36437301:FSE(70-91)Online publication date: 12-Jul-2024
  • (2023)IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.326766618(2883-2898)Online publication date: 2023
  • (2023)SEBASTiAn: A static and extensible black-box application security testing tool for iOS and Android applicationsSoftwareX10.1016/j.softx.2023.10144823(101448)Online publication date: Jul-2023
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and Systems
May 2016
326 pages
ISBN:9781450341783
DOI:10.1145/2897073
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 May 2016

Permissions

Request permissions for this article.

Check for updates

Qualifiers

  • Research-article

Conference

ICSE '16
Sponsor:

Upcoming Conference

ICSE 2025

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)21
  • Downloads (Last 6 weeks)1
Reflects downloads up to 25 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile ApplicationsProceedings of the ACM on Software Engineering10.1145/36437301:FSE(70-91)Online publication date: 12-Jul-2024
  • (2023)IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.326766618(2883-2898)Online publication date: 2023
  • (2023)SEBASTiAn: A static and extensible black-box application security testing tool for iOS and Android applicationsSoftwareX10.1016/j.softx.2023.10144823(101448)Online publication date: Jul-2023
  • (2022)Survey on Reverse-Engineering Tools for Android Mobile DevicesMathematical Problems in Engineering10.1155/2022/49081342022(1-7)Online publication date: 13-Jan-2022
  • (2021)Software engineering techniques for statically analyzing mobile apps: research trends, characteristics, and potential for industrial adoptionJournal of Internet Services and Applications10.1186/s13174-021-00134-x12:1Online publication date: 23-Jul-2021
  • (2021)Assessing the Effectiveness of the Shared Responsibility Model for Cloud Databases: the Case of Google’s Firebase2021 IEEE International Conference on Smart Data Services (SMDS)10.1109/SMDS53860.2021.00026(121-131)Online publication date: Sep-2021
  • (2020)Security testing of second order permission re-delegation vulnerabilities in Android appsProceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems10.1145/3387905.3388592(1-11)Online publication date: 13-Jul-2020
  • (2020)Security analysis of permission re-delegation vulnerabilities in Android appsEmpirical Software Engineering10.1007/s10664-020-09879-8Online publication date: 15-Sep-2020
  • (2019)Vulnerability Evaluation Method through Correlation Analysis of Android ApplicationsSustainability10.3390/su1123663711:23(6637)Online publication date: 24-Nov-2019
  • (2019)Capability Leakage Detection between Android Applications Based on Dynamic Feedback2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS)10.1109/ICPADS47876.2019.00141(943-948)Online publication date: Dec-2019
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media