DOI: 10.1145/3459012.3459013

Precise Command Injection Analysis in Android Applications

Published: 24 July 2021

Abstract

Android mobile applications are vulnerable to code injection attacks. We use taint analysis to approximate the parameters of a sensitive instruction that may originate from user input, and combine it with an automaton-based string analysis that over-approximates the values of the program's string variables. Using the information derived from these two analyses, we detect when untrusted input may be used to inject malicious code into the program, and when the attack patterns have been removed by a sanitizer operation. The proposed approach was implemented on top of FlowDroid. Experimental results show that the resulting analyzer is very efficient at detecting command injection vulnerabilities.
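The abstract combines a taint analysis (is the sink argument attacker-influenced?) with an automaton-based string analysis (which strings can the argument be?) and reports a command injection only when both say yes and no sanitizer has removed the attack pattern. The following Python sketch is an added illustration of that idea and is not code from the paper or from FlowDroid: an abstract string value is a small NFA (constants, unknown input as Sigma*, concatenation) carrying a taint flag, a character-stripping sanitizer is modelled as a transformation of the automaton, and the sink check asks whether the over-approximated language can still contain a shell metacharacter. The metacharacter set, the strip-style sanitizer, and the toy program fragments are assumptions made for the example; the paper's own automaton construction and attack patterns are not on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

# Constructed attack alphabet (an assumption, not the paper's pattern set): characters that let
# a value escape a single shell argument once the string reaches Runtime.exec / ProcessBuilder.
SHELL_META = frozenset(";|&`$\n")


@dataclass(frozen=True)
class Label:
    # Transition label: a character set, or its complement when `negated` is True.
    chars: FrozenSet[str]
    negated: bool = False

    def accepts_any_of(self, cs: Iterable[str]) -> bool:
        return any((c in self.chars) != self.negated for c in cs)

    def minus(self, removed: Iterable[str]) -> "Label":
        # Restrict the label so that none of `removed` is accepted any more.
        removed = frozenset(removed)
        if self.negated:
            return Label(self.chars | removed, True)
        return Label(self.chars - removed, False)


EPS = None  # epsilon (empty) transition


@dataclass
class Nfa:
    # Abstract string value: an NFA over-approximating the concrete strings, plus a taint flag.
    start: int
    accept: Set[int]
    trans: List[Tuple[int, Optional[Label], int]]
    size: int       # number of states
    tainted: bool   # may the value be influenced by untrusted input?


def literal(s: str) -> Nfa:
    # Constant string: a chain of states, one character per transition, untainted.
    trans = [(i, Label(frozenset(c)), i + 1) for i, c in enumerate(s)]
    return Nfa(0, {len(s)}, trans, len(s) + 1, False)


def user_input() -> Nfa:
    # Unknown attacker-controlled input: Sigma* (one state looping on "any character"), tainted.
    return Nfa(0, {0}, [(0, Label(frozenset(), True), 0)], 1, True)


def concat(a: Nfa, b: Nfa) -> Nfa:
    # String concatenation: glue b after a with epsilon edges; taint propagates.
    off = a.size
    trans = list(a.trans) + [(s + off, l, t + off) for s, l, t in b.trans]
    trans += [(f, EPS, b.start + off) for f in a.accept]
    return Nfa(a.start, {q + off for q in b.accept}, trans, a.size + b.size, a.tainted or b.tainted)


def sanitize(a: Nfa, removed: Iterable[str]) -> Nfa:
    # Model of a "strip these characters" sanitizer (assumed here, not the paper's operation):
    # every transition loses the removed characters; transitions left empty are dropped.
    trans = []
    for s, l, t in a.trans:
        l2 = l if l is EPS else l.minus(removed)
        if l2 is EPS or l2.negated or l2.chars:
            trans.append((s, l2, t))
    return Nfa(a.start, set(a.accept), trans, a.size, a.tainted)


def _reachable(edges: dict, seeds: Iterable[int]) -> Set[int]:
    seen, stack = set(seeds), list(seeds)
    while stack:
        q = stack.pop()
        for nxt in edges.get(q, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def may_contain(a: Nfa, chars: Iterable[str]) -> bool:
    # Emptiness test of L(a) intersected with Sigma* C Sigma*: some transition accepting a
    # character of C must lie on a path from the start state to an accepting state.
    chars = frozenset(chars)
    fwd, bwd = {}, {}
    for s, _, t in a.trans:
        fwd.setdefault(s, []).append(t)
        bwd.setdefault(t, []).append(s)
    from_start = _reachable(fwd, [a.start])
    to_accept = _reachable(bwd, a.accept)
    return any(l is not EPS and s in from_start and t in to_accept and l.accepts_any_of(chars)
               for s, l, t in a.trans)


def check_exec_sink(arg: Nfa) -> str:
    # Combine both analyses at the sink: taint says whether an attacker influences the argument,
    # the string abstraction says whether a metacharacter can still be present.
    if not arg.tainted:
        return "safe: argument not influenced by user input"
    if may_contain(arg, SHELL_META):
        return "VULNERABLE: tainted argument may contain shell metacharacters"
    return "safe: tainted input sanitized before the sink"


def analyze_examples() -> Tuple[str, str, str]:
    # Three constructed program fragments (hypothetical, for illustration only).
    raw = concat(literal("ls "), user_input())                          # exec("ls " + input)
    clean = concat(literal("ls "), sanitize(user_input(), SHELL_META))  # exec("ls " + strip(input))
    const = literal("ls ; id")                                          # constant with ';', untainted
    return check_exec_sink(raw), check_exec_sink(clean), check_exec_sink(const)
```

Calling `analyze_examples()` returns one verdict per fragment: the raw concatenation is flagged, the stripped one is not, and the constant containing `;` is not flagged either because the string analysis alone cannot distinguish an attacker's `;` from the developer's; the taint flag is what makes the report precise.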

Published In

ICMSS 2021: Proceedings of the 5th International Conference on Management Engineering, Software Engineering and Service Sciences
January 2021
180 pages
ISBN:9781450389709
DOI:10.1145/3459012
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICMSS 2021

Article Metrics

  • Total citations: 0
  • Total downloads: 120
  • Downloads (last 12 months): 23
  • Downloads (last 6 weeks): 2

Reflects downloads up to 28 Dec 2024
