DOI: 10.1145/3387905.3388592
research-article

Security testing of second order permission re-delegation vulnerabilities in Android apps

Published: 07 October 2020

Abstract

In Android, inter-app communication is a cornerstone feature: apps exchange special messages called Intents in order to integrate with each other and deliver a rich end-user experience. In particular, when an app is granted a special permission, it can dispatch privileged Intents to request sensitive tasks from system components.
However, a malicious app might hijack a defective privileged app and exploit it as a proxy to forward attacking Intents to system components. We call this threat the "Second Order Permission Re-delegation" vulnerability.
In this paper, we present (i) a detailed description of this novel vulnerability and (ii) our approach, based on static analysis and automated test case generation, to detect (and document) instances of this vulnerability. We empirically evaluated our approach on a large set of top Google Play apps. Results suggest that this novel vulnerability is neglected by the state of the art, but that it is common even among popular apps. In fact, our approach found 27 real vulnerabilities with fast analysis time, while a state-of-the-art static analysis tool could find none of them.




Published In

MOBILESoft '20: Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems
July 2020
158 pages
ISBN:9781450379595
DOI:10.1145/3387905
  • General Chair: David Lo
  • Program Chairs: Leonardo Mariani, Ali Mesbah

Sponsors

In-Cooperation

  • IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. fuzzing
  2. security testing
  3. static analysis
  4. vulnerability detection

Qualifiers

  • Research-article

Conference

MOBILESoft '20


Cited By

  • (2025) A GUI-based Metamorphic Testing Technique for Detecting Authentication Vulnerabilities in Android Mobile Apps. Journal of Systems and Software 224 (112364). DOI: 10.1016/j.jss.2025.112364. Online publication date: Jun-2025
  • (2023) AppChainer: investigating the chainability among payloads in android applications. Cybersecurity 6:1. DOI: 10.1186/s42400-023-00151-2. Online publication date: 2-Aug-2023
  • (2023) IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App Analysis. IEEE Transactions on Information Forensics and Security 18 (2883-2898). DOI: 10.1109/TIFS.2023.3267666. Online publication date: 2023
  • (2021) Assessing the Effectiveness of the Shared Responsibility Model for Cloud Databases: the Case of Google’s Firebase. 2021 IEEE International Conference on Smart Data Services (SMDS) (121-131). DOI: 10.1109/SMDS53860.2021.00026. Online publication date: Sep-2021
  • (2020) A Taxonomy for Security Flaws in Event-Based Systems. Applied Sciences 10:20 (7338). DOI: 10.3390/app10207338. Online publication date: 20-Oct-2020
