Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile Applications
Authors: 
Keke Lian, Lei Zhang, Guangliang Yang, Shuo Mao, Xinjie Wang, Yuan Zhang, Min YangAuthors Info & Claims
Keke Lian, Lei Zhang, Guangliang Yang, Shuo Mao, Xinjie Wang, Yuan Zhang, Min YangAuthors Info & ClaimsArticle No.: 4, Pages 70 - 91
Abstract
Nowadays, mobile apps have greatly facilitated our daily work and lives. They are often designed to work closely and interact with each other through app components for data and functionality sharing. The security of app components has been extensively studied and various component attacks have been proposed. Meanwhile, Android system vendors and app developers have introduced a series of defense measures to mitigate these security threats. However, we have discovered that as apps evolve and develop, existing app component defenses have become inadequate to address the emerging security requirements. This latency in adaptation has given rise to the feasibility of cross-layer exploitation, where attackers can indirectly manipulate app internal functionalities by polluting their dependent data. To assess the security risks of cross-layer exploitation in real-world apps, we design and implement a novel vulnerability analysis approach, called CLDroid, which addresses two non-trivial challenges. Our experiments revealed that 1,215 (8.8%) popular apps are potentially vulnerable to cross-layer exploitation, with a total of more than 18 billion installs. We verified that through cross-layer exploitation, an unprivileged app could achieve various severe security consequences, such as arbitrary code execution, click hijacking, content spoofing, and persistent DoS. We ethically reported verified vulnerabilities to the developers, who acknowledged and rewarded us with bug bounties. As a result, 56 CVE IDs have been assigned, with 22 of them rated as ‘critical’ or ‘high’ severity.
References
[1]
Yousra Aafer, Nan Zhang, Zhongwen Zhang, Xiao Zhang, Kai Chen, XiaoFeng Wang, Xiaoyong Zhou, Wenliang Du, and Michael Grace. 2015. Hare hunting in the wild android: A study on the threat of hanging attribute references. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 1248-1259.
[2]
AppBrain. 2023. Android library statistics. Retrieved April 5, 2023 from https://www.appbrain.com/stats/libraries
[3]
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Notices 49, 6 ( 2014 ), 259-269.
[4]
Michael Backes, Sven Bugiel, Sebastian Gerling, and Philipp von Styp-Rekowsky. 2014. Android security framework: Enabling generic and extensible access control on android. arXiv preprint arXiv:1404.1395 ( 2014 ).
[5]
Michael Backes, Sebastian Gerling, Christian Hammer, Matteo Mafei, and Philipp von Styp-Rekowsky. 2013. AppGuardEnforcing User Requirements on Android Apps. In TACAS, Vol. 13. Springer, 543-548.
[6]
Yinzhi Cao, Yanick Fratantonio, Antonio Bianchi, Manuel Egele, Christopher Kruegel, Giovanni Vigna, and Yan Chen. 2015. EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework. In Network and Distributed Systems Security (NDSS) Symposium.
[7]
Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner. 2011. Analyzing inter-application communication in Android. In Proceedings of the 9th international conference on Mobile systems, applications, and services. 239-252.
[8]
John Corpuz and Jordan Palmer. 2023. Best Android launchers 2022. Retrieved April 5, 2023 from https://www. tomsguide.com/round-up/best-android-launchers
[9]
Johannes Dahse and Thorsten Holz. 2014. Static detection of second-order vulnerabilities in web applications. In 23rd {USENIX} Security Symposium ({USENIX} Security 14). 989-1003.
[10]
Johannes Dahse, Nikolai Krein, and Thorsten Holz. 2014. Code reuse attacks in php: Automated pop chain generation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 42-53.
[11]
Biniam Fisseha Demissie, Davide Ghio, Mariano Ceccato, and Andrea Avancini. 2016. Identifying android inter app communication vulnerabilities using static and dynamic analysis. In Proceedings of the International Conference on Mobile Software Engineering and Systems. 255-266.
[12]
Android Developers. 2022. Runtime Permissions. Retrieved April 5, 2023 from https://source.android.com/docs/core/ permissions/runtime_perms
[13]
Android Developers. 2023. Google MonkeyRunner. Retrieved April 5, 2023 from https://developer.android.com/studio/ test/monkeyrunner
[14]
Android Developers. 2023. Guide to App Architecture. Retrieved April 5, 2023 from https://developer.android.com/ topic/architecture
[15]
Android Developers. 2023. Security tips on content providers. Retrieved April 5, 2023 from https://developer.android. com/training/articles/security-tips#ContentProviders
[16]
Mohamed Elsabagh, Ryan Johnson, Angelos Stavrou, Chaoshun Zuo, Qingchuan Zhao, and Zhiqiang Lin. 2020. {FIRMSCOPE}: Automatic Uncovering of {Privilege-Escalation} Vulnerabilities in {Pre-Installed} Apps in Android Firmware. In 29th USENIX Security Symposium (USENIX Security 20). 2379-2396.
[17]
William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. 2014. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS) 32, 2 ( 2014 ), 1-29.
[18]
Adrienne Porter Felt, Helen J Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. 2011. Permission re-delegation: Attacks and defenses. In USENIX security symposium, Vol. 30. 88.
[19]
Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, and Narseo Vallina-Rodriguez. 2020. An analysis of pre-installed android software. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1039-1055.
[20]
Indradeep Ghosh, Nastaran Shafiei, Guodong Li, and Wei-Fan Chiang. 2013. JST: An automatic test generation tool for industrial Java applications with strings. In 2013 35th International Conference on Software Engineering (ICSE). IEEE, 992-1001.
[21]
Michael I Gordon, Deokhwan Kim, Jef H Perkins, Limei Gilham, Nguyen Nguyen, and Martin C Rinard. 2015. Information flow analysis of android applications in droidsafe. In Network and Distributed Systems Security (NDSS) Symposium, Vol. 15. 110.
[22]
Michael C Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. 2012. Systematic detection of capability leaks in stock android smartphones. In Network and Distributed Systems Security (NDSS) Symposium, Vol. 14. 19.
[23]
Roee Hay, Omer Tripp, and Marco Pistoia. 2015. Dynamic detection of inter-application communication vulnerabilities in Android. In Proceedings of the 2015 International Symposium on Software Testing and Analysis. 118-128.
[24]
Jianjun Huang, Xiangyu Zhang, and Lin Tan. 2016. Detecting sensitive data disclosure via bi-directional text correlation analysis. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 169-180.
[25]
Yuede Ji, Mohamed Elsabagh, Ryan Johnson, and Angelos Stavrou. 2021. { DEFInit}: An Analysis of Exposed Android Init Routines. In 30th USENIX Security Symposium (USENIX Security 21). 3685-3702.
[26]
Yunhan Jack Jia, Qi Alfred Chen, Yikai Lin, Chao Kong, and Z Morley Mao. 2017. Open doors for bob and mallory: Open port usage in android apps and security implications. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 190-203.
[27]
Yajin Zhou Xuxian Jiang. 2013. Detecting passive content leaks and pollution in android applications. In Proceedings of the 20th Network and Distributed System Security Symposium (NDSS).
[28]
Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, and Gautam Nagesh Peri. 2014. Code injection attacks on html5-based mobile apps: Characterization, detection and mitigation. In Proceedings of the 2014 ACM SIGSAC conference on computer and communications security. 66-77.
[29]
Patrick Lam, Eric Bodden, Ondrej Lhoták, and Laurie Hendren. 2011. The Soot framework for Java program analysis: a retrospective. In Cetus Users and Compiler Infastructure Workshop (CETUS 2011), Vol. 15.
[30]
Phi Tuong Lau. 2019. Static detection of event-driven races in HTML5-based mobile apps. In International Conference on Verification and Evaluation of Computer and Communication Systems. Springer, 32-46.
[31]
Ding Li, Yingjun Lyu, Mian Wan, and William GJ Halfond. 2015. String analysis for Java and Android applications. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering. 661-672.
[32]
Li Li, Alexandre Bartel, Tegawendé F Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2015. Iccta: Detecting inter-component privacy leaks in android apps. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 280-291.
[33]
Shuai Li, Zhemin Yang, Nan Hua, Peng Liu, Xiaohan Zhang, Guangliang Yang, and Min Yang. 2022. Collect Responsibly But Deliver Arbitrarily? A Study on Cross-User Privacy Leakage in Mobile Apps. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 1887-1900.
[34]
Tongxin Li, Xueqiang Wang, Mingming Zha, Kai Chen, XiaoFeng Wang, Luyi Xing, Xiaolong Bai, Nan Zhang, and Xinhui Han. 2017. Unleashing the walking dead: Understanding cross-app remote infections on mobile webviews. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 829-844.
[35]
Chia-Chi Lin, Hongyang Li, Xiao-yong Zhou, and XiaoFeng Wang. 2014. Screenmilker: How to Milk Your Android Screen for Secrets. In Network and Distributed Systems Security (NDSS) Symposium.
[36]
Fang Liu, Chun Wang, Andres Pico, Danfeng Yao, and Gang Wang. 2017. Measuring the insecurity of mobile deep links of android. In 26th USENIX Security Symposium (USENIX Security 17). 953-969.
[37]
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. Chex: statically vetting android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM conference on Computer and communications security. 229-240.
[38]
Björn Mathis, Vitalii Avdiienko, Ezekiel O Soremekun, Marcel Böhme, and Andreas Zeller. 2017. Detecting information lfow by mutating input data. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 263-273.
[39]
Yuhong Nan, Min Yang, Zhemin Yang, Shunfan Zhou, Guofei Gu, and XiaoFeng Wang. 2015. { UIPicker}:{User-Input} Privacy Identification in Mobile Applications. In 24th USENIX Security Symposium (USENIX Security 15). 993-1008.
[40]
Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, and Min Yang. 2018. Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps. In NDSS.
[41]
Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, and Patrick McDaniel. 2015. Composite constant propagation: Application to android inter-component communication analysis. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 77-88.
[42]
Oswaldo Olivo, Isil Dillig, and Calvin Lin. 2015. Detecting and exploiting second order denial-of-service vulnerabilities in web applications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 616-628.
[43]
Siegfried Rasthofer, Steven Arzt, and Eric Bodden. 2014. A machine-learning approach for classifying and categorizing android sources and sinks. In NDSS, Vol. 14. 1125.
[44]
Matthew Rossi, Dario Facchinetti, Enrico Bacis, Marco Rosa, Stefano Paraboschi, et al. 2021. SEApp: Bringing Mandatory Access Control to Android Apps. In USENIX Security Symposium. 3613-3630.
[45]
Nirupam Roy, Haitham Hassanieh, and Romit Roy Choudhury. 2017. Backdoor: Making microphones hear inaudible sounds. In Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services. 2-14.
[46]
Nirupam Roy, Sheng Shen, Haitham Hassanieh, and Romit Roy Choudhury. 2018. Inaudible Voice Commands: The {Long-Range} Attack and Defense. In 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18). 547-560.
[47]
Alireza Sadeghi, Hamid Bagheri, and Sam Malek. 2015. Analysis of android inter-app security vulnerabilities using covert. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 2. IEEE, 725-728.
[48]
Samsung. 2022. Samsung Internet Browser. Retrieved November 5, 2022 from https://play.google.com/store/apps/ details?id=com.sec.android.app.sbrowser
[49]
Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu. 2023. Silent spring: Prototype pollution leads to remote code execution in Node. js. In USENIX Security Symposium 2023.
[50]
Sooel Son, Daehyeok Kim, and Vitaly Shmatikov. 2016. What Mobile Ads Know About Mobile Users. In Network and Distributed Systems Security (NDSS) Symposium.
[51]
Wei Song, Qingqing Huang, and Jef Huang. 2018. Understanding javascript vulnerabilities in large real-world Android applications. IEEE Transactions on Dependable and Secure Computing 17, 5 ( 2018 ), 1063-1078.
[52]
Marius Stefens, Christian Rossow, Martin Johns, and Ben Stock. 2019. Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. ( 2019 ).
[53]
He Su, Feng Li, Lili Xu, Wenbo Hu, Yujie Sun, Qing Sun, Huina Chao, and Wei Huo. 2023. Splendor: Static Detection of Stored XSS in Modern Web Applications. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. 1043-1054.
[54]
Mingshen Sun, Tao Wei, and John CS Lui. 2016. Taintart: A practical multi-level information-flow tracking system for android runtime. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 331-342.
[55]
Rui Wang, Luyi Xing, XiaoFeng Wang, and Shuo Chen. 2013. Unauthorized origin crossing on mobile platforms: Threats and mitigation. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 635-646.
[56]
Xiaolei Wang, Andrea Continella, Yuexiang Yang, Yongzhong He, and Sencun Zhu. 2019. Leakdoctor: Toward automatically diagnosing privacy leaks in mobile applications. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 3, 1 ( 2019 ), 1-25.
[57]
Fengguo Wei, Sankardas Roy, and Xinming Ou. 2018. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Transactions on Privacy and Security (TOPS) 21, 3 ( 2018 ), 1-32.
[58]
Daoyuan Wu and Rocky KC Chang. 2015. Indirect file leaks in mobile applications. Proc. IEEE Mobile Security Technologies (MoST) ( 2015 ).
[59]
Daoyuan Wu, Debin Gao, Rocky KC Chang, En He, Eric KT Cheng, and Robert H Deng. 2019. Understanding open ports in Android applications: Discovery, diagnosis, and security assessment. ( 2019 ).
[60]
Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, and Xuxian Jiang. 2013. The impact of vendor customizations on android security. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 623-634.
[61]
Qiben Yan, Kehai Liu, Qin Zhou, Hanqing Guo, and Ning Zhang. 2020. Surfingattack: Interactive hidden attack on voice assistants using ultrasonic guided waves. In Network and Distributed Systems Security (NDSS) Symposium.
[62]
Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu. 2017. Dolphinattack: Inaudible voice commands. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security. 103-117.
[63]
Chaoshun Zuo, Zhiqiang Lin, and Yinqian Zhang. 2019. Why does your data leak? uncovering the data leakage in cloud from mobile apps. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1296-1310.
Index Terms
- Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile Applications
Recommendations
An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide WebWith the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
Cross-Compiling Android Applications to iOS and Windows Phone 7
Android is currently leading the smartphone segment in terms of market share since its introduction in 2007. Android applications are written in Java using an API designed for mobile apps. Other smartphone platforms, such as Apple's iOS or Microsoft's ...
Cross-compiling Android applications to the iPhone
PPPJ '10: Proceedings of the 8th International Conference on the Principles and Practice of Programming in JavaSmartphones such as Android-based devices and Apple's iPhone have become popular platforms for mobile applications. In particular, they allow the development of native applications that can take advantage of special purpose hardware such as ...
Comments
Information & Contributors
Information
Published In
July 2024
2770 pages
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 12 July 2024
Published in PACMSE Volume 1, Issue FSE
Badges
Distinguished Paper
Author Tags
Qualifiers
- Research-article
Funding Sources
- National Key Research and Development Program of China
- National Natural Science Foundation of China
- Shanghai Rising-Star Program
- Shanghai Pilot Program for Basic Research- Fudan University
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 531Total Downloads
- Downloads (Last 12 months)531
- Downloads (Last 6 weeks)46
Reflects downloads up to 03 Mar 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in