ABSTRACT
To improve the execution performance of applications, Android introduced a new optimization technique using app cache. This new feature not only improves the performance of Android applications but exposes a new attack surface to be compromised. Attackers can eventually change the behavior of installed applications by modifying executable bytecode in their app cache files. We call this attack "app cache tampering attack". This attack would be difficult for device owners to recognize its existence because the modification in cache files does not require user's any explicit actions. To mitigate the risks of app cache tampering attack, we present an efficient <u>A</u>pp <u>C</u>ache <u>I</u>ntegrity protection solution on An<u>droid</u> called "ACIDroid", which provides the secure management of hash values of the optimized executable bytecode in app cache files.
To show the feasibility of ACIDroid, we performed app cache tampering attacks on 11 popular Android apps (Paypal, Bank of America, Outlook, lPassword, Dropbox, Azure Authenticator, Blizzard Authenticator, TexasHealthMyChart, Google Authenticator, Booking and Amazon Alexa) and tried to detect the changes in app cache files using ACIDroid. With the modified app cache files, ACIDroid is able to correctly detect all the (intentional) changes in the apps tested while maintaining an acceptable verification time overhead less than 2.69% (48.27ms) and 21.18% (155.54ms) of the launch time of each app on average for AOSP and PIXEL2, respectively, running Android version 8.
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2019. ART and Dalvik. https://source.android.com/devices/tech/dalvik.Google Scholar
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2019. Configuring ART. https://source.android.com/devices/tech/dalvik/configure.Google Scholar
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2019. Dalvik Executable instruction formats. https://source.android.com/devices/tech/dalvik/instruction-formats.Google Scholar
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2019. Git repositories on android. https://android.googlesource.com.Google Scholar
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2019. Protecting Android applications and SDKs against reverse engineering and hacking. https://www.guardsquare.com/en/products/dexguard.Google Scholar
- Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. 2013. Innovative Technology for CPU Based Attestation and Sealing. In In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy (HASP), Vol. 13. ACM.Google Scholar
- ARM. 2009. ARM Security Technology Building a Secure System using TrustZone Technology (white paper). http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf.Google Scholar
- Ahmed M Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, and Wenbo Shen. 2014. Hypervision Across Worlds: Real-time Kernel Protection from the ARM TrustZone Secure World. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM, 90--102.Google ScholarDigital Library
- Michael Backes, Sven Bugiel, Oliver Schranz, Philipp von Styp-Rekowsky, and Sebastian Weisgerber. 2017. ARTist: The Android Runtime Instrumentation and Security Toolkit. In IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 481--495.Google Scholar
- Tumbleson Connor. 2019. Apktool. https://ibotpeaches.github.io/Apktool/.Google Scholar
- Valerio Costamagna and Cong Zheng. 2016. ARTDroid: A Virtual-Method Hooking Framework on Android ART Runtime.. In IMPS@ ESSoS. ACM, 20--28.Google Scholar
- Jerry Hildenbrand. 2012. Android A to Z: What is the JIT? https://www.androidcentral.com/android-z-what-jit.Google Scholar
- Matthew Hoekstra, Reshma Lal, Pradeep Pappachan, Vinay Phegade, and Juan Del Cuvillo. 2013. Using Innovative Instructions to Create Trustworthy Software Solutions. In In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy (HASP), Vol. 11. ACM.Google ScholarDigital Library
- Fran Howarth. 2019. Is Rooting Your Phone Safe? The Security Risks of Rooting Devices. https://goo.gl/axbkX9.Google Scholar
- Taehun Kim, Hyeonmin Ha, Seoyoon Choi, Jaeyeon Jung, and Byung-Gon Chun. 2017. Breaking Ad-hoc Runtime Integrity Protection Mechanisms in Android Financial Apps. In Proceedings of the ACM on Asia Conference on Computer and Communications Security. ACM, 179--192.Google ScholarDigital Library
- Samsung Knox. 2013. White Paper : An Overview of Samsung KNOXâĎć. http://info.mobileiron.com/rs/mobileiron/images/SamsungKNOXWhitepaper.pdf.Google Scholar
- Adrian Ludwig and Mel Mille. 2017. Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review. https://goo.gl/6o4tBf.Google Scholar
- Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R Savagaonkar. 2013. Innovative Instructions and Software Model for Isolated Execution. In In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy (HASP), Vol. 10. ACM.Google Scholar
- Yuxue Piao, Jin-Hyuk Jung, and Jeong Hyun Yi. 2016. Server-based code obfuscation scheme for APK tamper detection. Security and Communication Networks 9, 6 (2016), 457--467.Google ScholarDigital Library
- Paul Sabanal. 2015. Hiding behind ART. https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf.Google Scholar
- Mingshen Sun, Tao Wei, and John Lui. 2016. TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 331--342.Google ScholarDigital Library
- Jia Wan, Mohammad Zulkernine, Phil Eisen, and Clifford Liem. 2017. Defending Application Cache Integrity of Android Runtime. In International Conference on Information Security Practice and Experience. Springer, 727--746.Google Scholar
- Radhakishan Yadav and Robin Singh Bhadoria. 2015. Performance Analysis for Android Runtime Environment. In Fifth International Conference on Communication Systems and Network Technologies. IEEE, 1076--1079.Google Scholar
- Wu Zhou, Zhi Wang, Yajin Zhou, and Xuxian Jiang. 2014. DIVILAR: Diversifying Intermediate Language for Anti-Repackaging on Android Platform. In Proceedings of the 4th ACM conference on Data and application security and privacy. ACM, 199--210.Google ScholarDigital Library
- Yajin Zhou and Xuxian Jiang. 2012. Dissecting Android Malware: Characterization and Evolution. In IEEE Symposium on Security and Privacy (S&P). IEEE, 95--109.Google Scholar
Index Terms
- ACIDroid: a practical app cache integrity protection system on Android Runtime
Recommendations
Poster: Android Whole-System Control Flow Analysis for Accurate Application Behavior Modeling
MobiSys '16 Companion: Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services CompanionAndroid, the modern operating system for smartphones, together with its millions of apps, has become an important part of human life. There are many challenges to analyzing them. It is important to model the mobile systems in order to analyze the ...
Parallel Space Traveling: A Security Analysis of App-Level Virtualization in Android
SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and TechnologiesApp-level virtualization becomes increasingly popular. It allows multiple instances of an application to run simultaneously on the same Android system, without requiring modification of the Android firmware. These virtualization-capable apps are used by ...
Discovering and understanding android sensor usage behaviors with data flow analysis
Today's Android-powered smartphones have various embedded sensors that measure the acceleration, orientation, light and other environmental conditions. Many functions in the third-party applications (apps) need to use these sensors. However, embedded ...
Comments