research-article

Security testing of second order permission re-delegation vulnerabilities in Android apps

Authors:

Biniam Fisseha Demissie,

Mariano CeccatoAuthors Info & Claims

MOBILESoft '20: Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems

Pages 1 - 11

https://doi.org/10.1145/3387905.3388592

Published: 07 October 2020 Publication History

Abstract

In Android, inter-app communication is a cornerstone feature where apps exchange special messages called Intents in order to integrate with each other and deliver a rich end-user experience. In particular, in case an app is granted special permission, it can dispatch privileged Intents to request sensitive tasks to system components.

However, a malicious app might hijack a defective privileged app and exploit it as a proxy, to forward attacking Intents to system components. We call this threat "Second Order Permission Re-delegation" vulnerability.

In this paper, we present (i) a detailed description of this novel vulnerability and (ii) our approach based on static analysis and automated test cases generation to detect (and document) instances of this vulnerability. We empirically evaluated our approach on a large set of top Google Play apps. Results suggest that this novel vulnerability is neglected by state of the art, but that it is common even among popular apps. In fact, our approach found 27 real vulnerabilities with fast analysis time, while a state-of-the-art static analysis tool could find none of them.

References

[1]

Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting Millions of Android Apps for the Research Community. In Proceedings of the 13th International Conference on Mining Software Repositories (Austin, Texas) (MSR '16). ACM, New York, NY, USA, 468--471.

Digital Library

[2]

D. Amalfitano, A.R. Fasolino, and P. Tramontana. 2011. A GUI Crawling-Based Technique for Android Mobile Application Testing. In Software Testing, Verification and Validation Workshops (ICSTW), 2011 IEEE Fourth International Conference on. 252--261.

Digital Library

[3]

Domenico Amalfitano, Anna Rita Fasolino, Porfirio Tramontana, Salvatore De Carmine, and Atif M. Memon. 2012. Using GUI ripping for automated testing of Android applications. In Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (Essen, Germany) (ASE 2012). ACM, New York, NY, USA, 258--261.

Digital Library

[4]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (Edinburgh, United Kingdom) (PLDI '14). ACM, New York, NY, USA, 259--269.

Digital Library

[5]

Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie. 2012. Pscout: analyzing the Android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 217--228.

Digital Library

[6]

Hamid Bagheri, Alireza Sadeghi, Joshua Garcia, and Sam Malek. 2015. Covert: Compositional analysis of android inter-app permission leakage. IEEE Transactions on Software Engineering 9 (2015), 866--886.

[7]

Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner. 2011. Analyzing inter-application communication in Android. In Proceedings of the 9th international conference on Mobile systems, applications, and services (Bethesda, Maryland, USA) (MobiSys '11). ACM, New York, NY, USA, 239--252.

Digital Library

[8]

Ting Dai, Xiaolei Li, Behnaz Hassanshahi, Roland HC Yap, and Zhenkai Liang. 2017. Roppdroid: Robust permission re-delegation prevention in android inter-component communication. Computers & Security 68 (2017), 98--111.

Digital Library

[9]

Biniam Fisseha Demissie, Mariano Ceccato, and Lwin Khin Shar. 2018. AnFlo: Detecting Anomalous Sensitive Information Flows in Android Apps. In Proceedings of the 5th IEEE/ACM International Conference on Mobile Software Engineering and Systems. ACM.

Digital Library

[10]

Biniam Fisseha Demissie, Davide Ghio, Mariano Ceccato, and Andrea Avancini. 2016. Identifying Android inter app communication vulnerabilities using static and dynamic analysis. In Proceedings of the International Conference on Mobile Software Engineering and Systems. ACM, 255--266.

Digital Library

[11]

Biniam Fisseha Demissie, Davide Ghio, Mariano Ceccato, and Andrea Avancini. 2016. Identifying Android inter app communication vulnerabilities using static and dynamic analysis. In Proceedings of the IEEE/ACM International Conference on Mobile Software Engineering and Systems. ACM, 255--266.

Digital Library

[12]

Karim O Elish, Danfeng Yao, and Barbara G Ryder. 2015. On the need of precise inter-app ICC classification for detecting Android malware collusions. In IEEE mobile security technologies (MoST), in conjunction with the IEEE symposium on security and privacy.

[13]

William Enck, Peter Gilbert, Byung gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. 2010. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In 9th Usenix Symposium on Operating Systems Design and Implementation.

[14]

Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. 2011. Permission Re-Delegation: Attacks and Defenses. In 20th Usenix Security Symposium.

Digital Library

[15]

Roee Hay, Omer Tripp, and Marco Pistoia. 2015. Dynamic Detection of Interapplication Communication Vulnerabilities in Android. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (Baltimore, MD, USA) (ISSTA 2015). ACM, New York, NY, USA, 118--128.

Digital Library

[16]

Cuixiong Hu and Iulian Neamtiu. 2011. Automating GUI testing for Android applications. In Proceedings of the 6th International Workshop on Automation of Software Test (Waikiki, Honolulu, HI, USA) (AST '11). ACM, New York, NY, USA, 77--83.

Digital Library

[17]

William Klieber, Lori Flynn, Amar Bhosale, Limin Jia, and Lujo Bauer. 2014. Android Taint Flow Analysis for App Sets. In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis (Edinburgh, United Kingdom) (SOAP '14). ACM, New York, NY, USA, 1--6.

Digital Library

[18]

Youn Kyu Lee, Jae young Bang, Gholamreza Safi, Arman Shahbazian, Yixue Zhao, and Nenad Medvidovic. 2017. A SEALANT for Inter-app Security Holes in Android. In Proceedings of the 39th International Conference on Software Engineering (Buenos Aires, Argentina) (ICSE '17). IEEE Press, Piscataway, NJ, USA, 312--323.

Digital Library

[19]

Li Li, Alexandre Bartel, Tegawendé F Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick Mcdaniel. 2015. IccTA: Detecting Inter-Component Privacy Leaks in Android Apps. In Proceedings of the 37th International Conference on Software Engineering (ICSE 2015). 280--291.

Digital Library

[20]

Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (Raleigh, North Carolina, USA) (CCS '12). ACM, New York, NY, USA, 229--240.

Digital Library

[21]

A.K. Maji, F.A. Arshad, S. Bagchi, and J.S. Rellermeyer. 2012. An empirical study of the robustness of Inter-component Communication in Android. In Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on. 1 --12.

[22]

Christopher Mann and Artem Starostin. 2012. A Framework for Static Detection of Privacy Leaks in Android Applications. In 27th Symposium on Applied Computing (SAC): Computer Security Track. 1457--1462.

Digital Library

[23]

Trend Micro. last accessed January 2020. First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services, https://blog.trendmicro.com/trendlabs-security-intelligence/first-kotlin-developed-malicious-app-signs-users-premium-sms-services/. https://blog.trendmicro.com/trendlabs-security-intelligence/first-kotlin-developed-malicious-app-signs-users-premium-sms-services/

[24]

Tristan Ravitch, E Rogan Creswick, Aaron Tomb, Adam Foltzer, Trevor Elliott, and Ledah Casburn. 2014. Multi-app security analysis with fuse: Statically detecting android app collusion. In Proceedings of the 4th Program Protection and Reverse Engineering Workshop. ACM, 4.

Digital Library

[25]

Soot. 2018. Soot - A Java optimization framework, https://github.com/Sable/soot. (2018). https://sable.github.io/soot/

[26]

Techspot. last accessed January 2020. New Android malware can steal data, record audio, and send SMS messages to premium services, https://www.techspot.com/news/73481-new-android-malware-can-steal-data-record-audio.html. https://www.techspot.com/news/73481-new-android-malware-can-steal-data-record-audio.html

[27]

Threatpost. last accessed January 2020. Joker Android Malware Snowballs on Google Play, https://threatpost.com/joker-androids-malware-ramps-volume/151785/. https://threatpost.com/joker-androids-malware-ramps-volume/151785/

[28]

Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. 2014. AmAndroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (Scottsdale, Arizona, USA) (CCS '14). ACM, New York, NY, USA, 1329--1341.

Digital Library

[29]

Mengwei Xu, Yun Ma, Xuanzhe Liu, Felix Xiaozhu Lin, and Yunxin Liu. 2017. Appholmes: Detecting and characterizing app collusion among third-party android markets. In Proceedings of the 26th International Conference on World Wide Web. 143--152.

Digital Library

[30]

Kun Yang, Jianwei Zhuge, Yongke Wang, Lujue Zhou, and Haixin Duan. 2014. IntentFuzzer: detecting capability leaks of android applications. In Proceedings of the 9th ACM symposium on Information, computer and communications security. ACM, 531--536.

Digital Library

[31]

Mu Zhang and Heng Yin. 2014. Appsealer: Automatic generation of vulnerability-specific patches for preventing component hijacking attacks in Android applications.

[32]

J. Zhong, J. Huang, and B. Liang. 2012. Android Permission Re-delegation Detection and Test Case Generation. In 2012 International Conference on Computer Science and Service System. 871--874.

Cited By

Amalfitano DJúnior MFasolino ADelamaro M(2025)A GUI-based Metamorphic Testing Technique for Detecting Authentication Vulnerabilities in Android Mobile AppsJournal of Systems and Software10.1016/j.jss.2025.112364224(112364)Online publication date: Jun-2025
https://doi.org/10.1016/j.jss.2025.112364
Xiang XJiang YGuo QZhang XGong XLiu B(2023)AppChainer: investigating the chainability among payloads in android applicationsCybersecurity10.1186/s42400-023-00151-26:1Online publication date: 2-Aug-2023
https://doi.org/10.1186/s42400-023-00151-2
Wang BYang CMa J(2023)IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.326766618(2883-2898)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3267666
Show More Cited By

Index Terms

Security testing of second order permission re-delegation vulnerabilities in Android apps
1. Security and privacy
  1. Network security
    1. Mobile and wireless security
  2. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Security analysis of permission re-delegation vulnerabilities in Android apps
Abstract
The Android platform facilitates reuse of app functionalities by allowing an app to request an action from another app through inter-process communication mechanism. This feature is one of the reasons for the popularity of Android, but it also ...
COVERT: Compositional Analysis of Android Inter-App Permission Leakage
Android is the most popular platform for mobile devices. It facilitates sharing of data and services among applications using a rich inter-app communication system. While access to resources can be controlled by the Android permission system, enforcing ...
Vetting undesirable behaviors in android apps with permission use analysis
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MOBILESoft '20: Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems

July 2020

158 pages

ISBN:9781450379595

DOI:10.1145/3387905

General Chair:
David Lo
Singapore Management University, Singapore
,
Program Chairs:
Leonardo Mariani
University of Milano Bicocca, Italy
,
Ali Mesbah
University of British Columbia, Canada

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

In-Cooperation

IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

MOBILESoft '20

Sponsor:

SIGSOFT

MOBILESoft '20: IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems

July 13 - 15, 2020

Seoul, Republic of Korea

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
213
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)3

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Amalfitano DJúnior MFasolino ADelamaro M(2025)A GUI-based Metamorphic Testing Technique for Detecting Authentication Vulnerabilities in Android Mobile AppsJournal of Systems and Software10.1016/j.jss.2025.112364224(112364)Online publication date: Jun-2025
https://doi.org/10.1016/j.jss.2025.112364
Xiang XJiang YGuo QZhang XGong XLiu B(2023)AppChainer: investigating the chainability among payloads in android applicationsCybersecurity10.1186/s42400-023-00151-26:1Online publication date: 2-Aug-2023
https://doi.org/10.1186/s42400-023-00151-2
Wang BYang CMa J(2023)IAFDroid: Demystifying Collusion Attacks in Android Ecosystem via Precise Inter-App AnalysisIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.326766618(2883-2898)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3267666
Demissie BRanise S(2021)Assessing the Effectiveness of the Shared Responsibility Model for Cloud Databases: the Case of Google’s Firebase2021 IEEE International Conference on Smart Data Services (SMDS)10.1109/SMDS53860.2021.00026(121-131)Online publication date: Sep-2021
https://doi.org/10.1109/SMDS53860.2021.00026
Lee YKim D(2020)A Taxonomy for Security Flaws in Event-Based SystemsApplied Sciences10.3390/app1020733810:20(7338)Online publication date: 20-Oct-2020
https://doi.org/10.3390/app10207338

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten