ABSTRACT
An enormous number of apps have been developed for Android in recent years, making it one of the most popular mobile operating systems. However, the quality of the booming apps can be a concern [4]. Poorly engineered apps may contain security vulnerabilities that can severely undermine users' security and privacy. In this paper, we study a general category of vulnerabilities found in Android apps, namely the component hijacking vulnerabilities. Several types of previously reported app vulnerabilities, such as permission leakage, unauthorized data access, intent spoofing, etc., belong to this category.
We propose CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities. Modeling these vulnerabilities from a data-flow analysis perspective, CHEX analyzes Android apps and detects possible hijack-enabling flows by conducting low-overhead reachability tests on customized system dependence graphs. To tackle analysis challenges imposed by Android's special programming paradigm, we employ a novel technique to discover component entry points in their completeness and introduce app splitting to model the asynchronous executions of multiple entry points in an app.
We prototyped CHEX based on Dalysis, a generic static analysis framework that we built to support many types of analysis on Android app bytecode. We evaluated CHEX with 5,486 real Android apps and found 254 potential component hijacking vulnerabilities. The median execution time of CHEX on an app is 37.02 seconds, which is fast enough to be used in very high volume app vetting and testing scenarios.
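The flow-reachability idea in the abstract, shown as an added example that is not CHEX's or Dalysis's own code: the code behind each entry point is summarized separately as a split, the summaries are linked through shared heap state, and policy source-to-sink pairs are tested by graph reachability. The toy app, the `SRC:`/`HEAP:`/`SINK:` node tags, the policy pairs and the order-insensitive linking are all assumptions made for this example.

```python
from collections import deque

# Constructed toy app: one split per entry point, as data-dependence edges
# (a value flows from the left node to the right node).
SPLITS = {
    "ExportedReceiver.onReceive": [("SRC:intent_extra", "url"), ("url", "HEAP:pendingUrl")],
    "UploadService.onStartCommand": [("HEAP:pendingUrl", "target"), ("target", "SINK:http_post_dest")],
    "SettingsActivity.onCreate": [("SRC:gps_location", "loc"), ("loc", "HEAP:lastLoc")],
    "ExportedProvider.query": [("HEAP:lastLoc", "row"), ("row", "SINK:ipc_reply")],
    "MainActivity.onClick": [("SRC:ui_text", "msg"), ("msg", "SINK:log")],
}
# Assumed policy: externally supplied input reaching a sensitive sink, and
# private data reaching a publicly readable output.
POLICY = {("SRC:intent_extra", "SINK:http_post_dest"),
          ("SRC:gps_location", "SINK:ipc_reply")}

def is_boundary(node):
    return node.startswith(("SRC:", "HEAP:", "SINK:"))

def reach(edges, start):
    """BFS over (src, dst, label) edges; returns {node: labels along the path}."""
    seen, queue = {start: []}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, label in edges:
            if src == cur and dst not in seen:
                seen[dst] = seen[cur] + [label]
                queue.append(dst)
    return seen

def summarize(splits):
    """Reduce each split to boundary-to-boundary flows labelled with its entry point."""
    summary = []
    for name, deps in splits.items():
        edges = [(s, d, name) for s, d in deps]
        for start in {s for s, _ in deps if is_boundary(s)}:
            for node in reach(edges, start):
                if node != start and is_boundary(node):
                    summary.append((start, node, name))
    return summary

def hijack_flows(splits, policy):
    """Link split summaries via shared heap nodes, then test each policy pair.
    Entry points may run in any order, so linking ignores order (over-approximate)."""
    linked = summarize(splits)
    found = {}
    for src, sink in sorted(policy):
        paths = reach(linked, src)
        if sink in paths:
            found[(src, sink)] = paths[sink]  # entry points the flow passes through
    return found
```

Neither flagged flow is visible inside any single split; both appear only once the summaries are joined through `HEAP:` nodes.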
- Android and security. http://googlemobile.blogspot.com/2012/02/android-and-security.html.
- Baksmali: a disassembler for Android's dex format. http://code.google.com/p/smali/.
- Google's 10 billion android app downloads. www.wired.com/gadgetlab/2011/12/10-billion-apps-detailed/.
- Quality of Android market apps is pathetically low. http://www.huffingtonpost.com/2011/06/20/android-market-quality_n_880478.html.
- WALA: T.J. Watson libraries for analysis. http://wala.sourceforge.net.
- Android application components. http://developer.android.com/guide/topics/fundamentals.html#Components, 2012.
- BANDHAKAVI, S., KING, S. T., MADHUSUDAN, P., AND WINSLETT, M. Vex: vetting browser extensions for security vulnerabilities. In Proceedings of the 19th USENIX Security Symposium (2010).
- BUGIEL, S., DAVI, L., DMITRIENKO, A., FISCHER, T., AND SADEGHI, A.-R. Xmandroid: A new android evolution to mitigate privilege escalation attacks. Tech. Rep. TR-2011-04, Technische Universität Darmstadt, 2011.
- CHEN, H., AND WAGNER, D. Mops: an infrastructure for examining security properties of software. In Proceedings of the 9th ACM CCS (2002).
- CHIN, E., FELT, A. P., GREENWOOD, K., AND WAGNER, D. Analyzing inter-application communication in android. In Proceedings of the 9th MobiSys (2011).
- DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., AND WINANDY, M. Privilege escalation attacks on android. In Proceedings of the 13th ISC (2010).
- DIETZ, M., SHEKHAR, S., PISETSKY, Y., SHU, A., AND WALLACH, D. S. Quire: Lightweight provenance for smart phone operating systems. In Proceedings of the 20th USENIX Security Symposium (2011).
- EFSTATHOPOULOS, P., KROHN, M., VANDEBOGART, S., FREY, C., ZIEGLER, D., KOHLER, E., MAZIÈRES, D., KAASHOEK, F., AND MORRIS, R. Labels and event processes in the asbestos operating system. In Proceedings of the 20th ACM SOSP (2005).
- EGELE, M., KRUEGEL, C., KIRDA, E., AND VIGNA, G. Pios: Detecting privacy leaks in ios applications. In Proceedings of the 19th NDSS (2011).
- ENCK, W., GILBERT, P., CHUN, B.-G., COX, L. P., JUNG, J., MCDANIEL, P., AND SHETH, A. N. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX OSDI (2010).
- ENCK, W., OCTEAU, D., MCDANIEL, P., AND CHAUDHURI, S. A study of android application security. In Proceedings of the 20th USENIX Security Symposium (2011).
- ENCK, W., ONGTANG, M., AND MCDANIEL, P. On lightweight mobile phone application certification. In Proceedings of the 16th ACM CCS (2009).
- FELMETSGER, V., CAVEDON, L., KRUEGEL, C., AND VIGNA, G. Toward automated detection of logic vulnerabilities in web applications. In Proceedings of the 19th USENIX Security Symposium (2010).
- FELT, A. P., CHIN, E., HANNA, S., SONG, D., AND WAGNER, D. Android permissions demystified. In Proceedings of the 18th ACM CCS (2011).
- FELT, A. P., WANG, H. J., MOSHCHUK, A., HANNA, S., AND CHIN, E. Permission re-delegation: attacks and defenses. In Proceedings of the 20th USENIX Security Symposium (2011).
- GRACE, M., ZHOU, Y., WANG, Z., AND JIANG, X. Systematic detection of capability leaks in stock Android smartphones. In Proceedings of the 19th NDSS (2012).
- GUNDOTRA, V., AND BARRA, H. Android: Momentum, mobile and more at Google I/O. http://www.google.com/events/io/2011/.
- HARDY, N. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (1988), 36–38.
- HORNYACK, P., HAN, S., JUNG, J., SCHECHTER, S., AND WETHERALL, D. These aren't the droids you're looking for: retrofitting android to protect data from imperious applications. In Proceedings of the 18th ACM CCS (2011).
- HORWITZ, S., REPS, T., AND BINKLEY, D. Interprocedural slicing using dependence graphs. SIGPLAN Not. 23, 7 (1988), 35–46.
- JOVANOVIC, N., KRUEGEL, C., AND KIRDA, E. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In Proceedings of the IEEE S&P'06 (2006).
- LINEBERRY, A., RICHARDSON, D. L., AND WYATT, T. These aren't permissions you're looking for. In Proceedings of the Blackhat'10 (2010).
- LIVSHITS, V. B., AND LAM, M. S. Finding security vulnerabilities in java applications with static analysis. In Proceedings of the 14th USENIX Security Symposium (2005).
- MYERS, A. C. Jflow: practical mostly-static information flow control. In Proceedings of the 26th ACM POPL (1999).
- STAIGER, S. Reverse engineering of graphical user interfaces using static analyses. In Proceedings of the 14th IEEE WCRE (2007).
- STAIGER, S. Static analysis of programs with graphical user interface. In Proceedings of the 11th IEEE CSMR (2007).
- TRIPP, O., PISTOIA, M., FINK, S. J., SRIDHARAN, M., AND WEISMAN, O. TAJ: effective taint analysis of web applications. In Proceedings of the ACM PLDI '09 (2009).
- WASSERMANN, G., AND SU, Z. Static detection of cross-site scripting vulnerabilities. In Proceedings of the 30th ACM ICSE (2008).
- ZELDOVICH, N., BOYD-WICKIZER, S., KOHLER, E., AND MAZIÈRES, D. Making information flow explicit in histar. In Proceedings of the 7th USENIX OSDI (2006).
- ZHOU, W., ZHOU, Y., JIANG, X., AND NING, P. DroidMOSS: Detecting repackaged smartphone applications in third-party android. In Proceedings of ACM CODASPY'12 (2012).
- ZHOU, Y., AND JIANG, X. Dissecting android malware: Characterization and evolution. In Proceedings of the IEEE Symposium on S&P'12 (2012).
- ZHOU, Y., WANG, Z., ZHOU, W., AND JIANG, X. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the 20th NDSS (2012).