ABSTRACT
Modern applications are often split into separate client and server tiers that communicate via message passing over the network. One well-understood threat to privacy for such applications is the leakage of sensitive user information either in transit or at the server. In response, an array of defensive techniques has been developed to identify or block unintended or malicious information leakage. However, prior work has primarily considered privacy leaks originating at the client and directed at the server, while leakage in the reverse direction, from the server to the client, is comparatively under-studied. Whether, and to what degree, this reverse leakage constitutes a threat has remained open. We answer this question in the affirmative with Hush, a technique for semi-automatically identifying Server-based InFormation OvershariNg (SIFON) vulnerabilities in multi-tier applications. The technique detects SIFON vulnerabilities using a heuristic: sensitive information returned by server-side APIs that the application's user interface never displays is likely overshared. It first performs a scalable static program analysis to screen applications for potential vulnerabilities, then attempts to confirm these candidates as true vulnerabilities with a partially-automated dynamic analysis. Our evaluation over a large corpus of Android applications demonstrates the effectiveness of the technique by discovering several previously-unknown SIFON vulnerabilities in eight applications.
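The two-phase heuristic in the abstract (statically find server-populated fields the app never reads, then dynamically confirm that the received values never reach the screen) can be illustrated end to end with a small script. The code below is an added example written for this page, not Hush's own implementation (which is Soot/FlowDroid-based and operates on APKs); the Java model class, the activity source, the JSON response and the rendered screen text are constructed samples, and the sensitivity keyword list is an assumption standing in for a real classifier of sensitive data.

```python
"""Illustration of the SIFON heuristic: data the server returns that the app
never displays is a candidate overshare.  Example code added for this page,
not Hush's implementation; the Java snippets, JSON response and screen text
are constructed samples (a real run would take the model class from the APK
and the screen text from the live view hierarchy)."""
import json
import re
from typing import Any, Iterator, List, Tuple

# ---- Phase 1: static pre-screen over (constructed) app sources -------------
# A Gson-style model class: the deserializer populates every declared field
# from the server response whether or not the app ever reads it.
MODEL_SOURCE = """
public class Profile {
    @SerializedName("display_name") private String displayName;
    @SerializedName("avatar_url")   private String avatarUrl;
    private String email;
    private String phone;
    private Address homeAddress;
}
"""
# The only place in the (constructed) app that consumes a Profile.
ACTIVITY_SOURCE = """
void render(Profile p) {
    nameView.setText(p.displayName);
    Glide.with(this).load(p.getAvatarUrl()).into(avatarView);
}
"""
FIELD_DECL = re.compile(r"private\s+\w+\s+(\w+)\s*;")


def unread_model_fields(model_src: str, app_src: str) -> List[str]:
    """Deserialized fields that no app code reads (direct access or getter)."""
    unread = []
    for name in FIELD_DECL.findall(model_src):
        getter = "get" + name[0].upper() + name[1:]
        if not re.search(rf"\.{name}\b|\b{getter}\s*\(", app_src):
            unread.append(name)
    return unread


# ---- Phase 2: dynamic confirmation over (constructed) runtime observations --
# Constructed server response for a profile API.
SAMPLE_RESPONSE = json.dumps({
    "id": 4711,
    "display_name": "Alice",
    "avatar_url": "https://cdn.example.test/a.png",
    "email": "alice@example.test",
    "phone": "+1-555-0100",
    "home_address": {"street": "1 Main St", "zip": "02215"},
    "friends": [{"display_name": "Bob", "email": "bob@example.test"}],
})
# Constructed text dumped from the rendered screen after the same request.
SAMPLE_SCREEN_TEXT = ["Alice", "Friends (1)", "Bob", ""]
# Assumed keyword list; a real tool would use a proper sensitivity model.
SENSITIVE_KEY = re.compile(
    r"email|phone|address|street|zip|ssn|birth|token|password", re.I)


def flatten(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path[idx], leaf_value) for every scalar in a JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{path}[{idx}]")
    else:
        yield path, obj


def overshared_fields(response_json: str,
                      screen_text: List[str]) -> List[Tuple[str, Any]]:
    """Leaf values received from the server that never appear on screen."""
    shown = [s for s in screen_text if s.strip()]
    out = []
    for path, value in flatten(json.loads(response_json)):
        if value is None or isinstance(value, bool):
            continue  # nothing a user could "see"
        needle = str(value)
        # Substring match, since the UI may embed a value in a longer label.
        # Very short values (e.g. "1") match spuriously; a real tool should
        # compare against widget text individually rather than flat strings.
        if not any(needle in s for s in shown):
            out.append((path, value))
    return out


def sifon_candidates(response_json: str,
                     screen_text: List[str]) -> List[Tuple[str, Any]]:
    """Overshared fields whose key names suggest sensitive user data."""
    return [(p, v) for p, v in overshared_fields(response_json, screen_text)
            if SENSITIVE_KEY.search(p)]


if __name__ == "__main__":
    print("static candidates:",
          unread_model_fields(MODEL_SOURCE, ACTIVITY_SOURCE))
    for path, value in sifon_candidates(SAMPLE_RESPONSE, SAMPLE_SCREEN_TEXT):
        print(f"SIFON candidate {path} = {value!r}")
```

On the constructed input the static screen flags `email`, `phone` and `homeAddress` as populated-but-unread, and the dynamic check confirms that the e-mail, phone and address values (including a friend's e-mail nested in a list) were transmitted but never rendered, while `id` and `avatar_url` are also unrendered but not ranked as sensitive. The static phase is the cheap filter that lets a large corpus be screened; the dynamic phase is what turns a candidate into a confirmed overshare, which is why the abstract describes it as only partially automated.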
Index Terms
- Semi-automated discovery of server-based information oversharing vulnerabilities in Android applications