Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Ye Yao,Jiayu Li,Yian Zhu,Liang Qian,Yake Han,Zhisheng Zhang

DOI: https://doi.org/10.1109/csat61646.2023.00022

2023-01-01

Abstract:In order to protect the data security and prevent reverse attack, this paper proposes a comprehensive protection scheme for Android application software to solve the problems of data security and self security. In view of the data security hidden trouble, the scheme mainly carries on the resource file protection. Wherein, Resource file protection includes resource file path confusion and image compression. Aiming at the problem of reverse attack, the scheme is carried out from two aspects: Dex file reinforcement and So file reinforcement. The reinforcement of Dex file mainly includes the key code extraction encryption and dynamic loading of Dex file, and the rein-forcement of So file mainly includes So file encryption and compression. Experiments show that the proposed security protection scheme for Android application Software can resist most of the reverse analysis and dynamic debugging attacks.

Lei Xue,Hao Zhou,Xiapu Luo,Le Yu,Dinghao Wu,Yajin Zhou,Xiaobo Ma

DOI: https://doi.org/10.1109/TSE.2020.2996433

2022-01-01

Abstract:App developers are increasingly using packing services (or packers) to protect their code against being reverse engineered or modified. However, such packing techniques are also leveraged by the malicious developers to prevent the malware from being analyzed and detected by the static malware analysis and detection systems. Though there are already studies on unpacking packed Android apps, they usually leverage the manual reverse engineered packing behaviors to unpack apps packed by the specific packers and cannot be appified to the evolved and new packers. In this paper, we propose a novel unpacking approach with the capacity of adaptively unpacking the evolved and newly encountered packers. Also, we develop a new system, named PackerGrind, based on this adaptive approach for unpacking Android packers. The evaluation with real packed apps demonstrates that PackerGrind can successfully reveal packers protection mechanisms, effectively handle their evolution and recover Dex files with low overhead.

Chenkai Guo,Jing Xu,Hongji Yang,Ying Zeng,Shuang Xing

DOI: https://doi.org/10.1145/2593501.2593503

2014-01-01

Abstract:ABSTRACT Recently, Google Android has occupied a major market share of mobile phone systems as a result of its openness for developers and richness for users. By the distribution channels of the Android market, both development and use of Android applications soar. However, the low development threshold of applications leads to weak security awareness of developers. Moreover, Android applications lack strict security standards, resulting that security crisis has become increasingly prominent. For now, an application's biggest security threat falls on its messaging mechanism between components. Once permission’s verification is neglected, it is easy to be exploited by attackers, causing immeasurable loss. We analyze the security mechanism of Android inter-application components, and accordingly construct the security rules. Specifically, a compositional approach including static and dynamic automated testing techniques is proposed to detect the security vulnerabilities caused by messaging between components. In our approach, the static part obtains rough results and some parameter information. After that, the dynamic part automatically generates attack cases for verifying these results. This approach can be used not only to discover potential weaknesses within inter-application components but also to automatically simulate attack behaviors. Thereby, the detection results’ effectiveness can be verified.

Xinghang Lv,Tao Peng,Junwei Tang,Ruhan He,Xinrong Hu,Minghua Jiang,Zaihui Deng,Wenli Cao

DOI: https://doi.org/10.1109/msn57253.2022.00072

2022-01-01

Abstract:During the process of pushing patch packets for Android application hotfix, the attacker can hijack and tamper with the dex file due to the lack of adding a digital signature, which leads to code injection with serious consequences. To address the above problems, an dynamic vulnerability detection system based on mitmproxy is primary proposed, which first utilizes mitmproxy to capture all the packets interacted between the client and the server while locating the dex file, then injects the test code into the dex and pushes it to the client for execution using a man-in-the-middle attack, and finally verifies through the log output by the application whether there is a code injection vulnerability. For 1000 applications in the application market, our system successfully detects 34 new unknown applications with dex injection, and the experimental results show that the system is effective in detecting real-world applications with vulnerabilities caused by hotfix.

Zhu Hongjun,Chen Yaoguang,Hua Baojian,Chen Hao

DOI: https://doi.org/10.3969/j.issn.1000-386x.2016.11.067

2016-01-01

Abstract:Nowadays,the problem of Android application security is increasingly prominent.A large number of Android applications encounter the attacks such as reverse,illegal copy and malicious code injection,etc.We studied the security mechanism of Android applications,based on analysing static reverse and dynamic reverse attacks principle,we put forward a reinforcement protection scheme for mobile applications.The scheme comprehensively uses the application reinforcement technologies of shelling,anti-debugging,signature verification and anti-decompiling,etc.,to reinforce target applications.Through a series of tests,it is proved that this scheme can well resist common reverse attacks of static analysis and dynamic analysis.

Jiyuan Sun,Shaozhen Ye,Jianwei Liu,Tao Shang,Qi Lei

DOI: https://doi.org/10.1109/icgi.2017.14

2017-01-01

Abstract:Both benign and malicious developers are attracted to Android platform because anyone is allowed to publish applications on the Android market. Such capability leak vulnerability on the Android platform may lead to permission elevation and privacy disclosure by making malware bypass Android security mechanism. This paper presents a code scanner tool—Droidprotector which is applied to help developers search bugs and focus on the business of applications rather than the security problems. Firstly, Markov blanket is used for feature selection. Secondly, source code is analyzed by a machine-leaning method. Finally, malicious intents and capability leaks are detected. By collecting 3482 applications and 59 source files to learn Markov blanket as the feature set and testing this code scanner tool, the experimental results show that DroidProtector can detect the vulnerability of Android source code effectively by using Markov blanket to select features correctly.

Daoyuan Wu,Debin Gao,Yingjiu Li,Robert H. Deng

DOI: https://doi.org/10.48550/arXiv.1609.03322

2016-09-12

Cryptography and Security

Abstract:Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for originally prohibited operations. Many prior studies have been performed to understand and mitigate this issue, but component hijacking remains a serious open problem in the Android ecosystem due to no effective defense deployed in the wild. In this paper, we present our vision on practically defending against component hijacking in Android apps. First, we argue that to fundamentally prevent component hijacking, we need to switch from the previous mindset (i.e., performing system-level control or repackaging vulnerable apps after they are already released) to a more proactive version that aims to help security-inexperienced developers make secure components in the first place. To this end, we propose to embed into apps a secure component library (SecComp), which performs in-app mandatory access control on behalf of app components. An important factor for SecComp to be effective is that we find it is possible to devise a set of practical in-app policies to stop component hijacking. Furthermore, we allow developers design custom policies, beyond our by-default generic policies, to support more fine-grained access control. We have overcome challenges to implement a preliminary SecComp prototype, which stops component hijacking with very low performance overhead. We hope the future research that fully implements our vision can eventually help real-world apps get rid of component hijacking.

Hui Lu,Chengjie Jin,Xiaohan Helu,Xiaojiang Du,Mohsen Guizani,Zhihong Tian

DOI: https://doi.org/10.1109/tnse.2021.3100750

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:The rapid growth of Android smart phones and abundant applications (Apps), a new security solution for distributed computing and mobile communications, has prompted many enhanced vendors to use different methods to effectively protect important Android files on distributed systems / servers. However, it also brings some serious distributed security problems: for example, malicious applications use reinforcement methods to hide their high-risk code, and even hide in normal applications to avoid being detected by anti-virus engines. This makes it more difficult to filter or detect malware applications. In serious cases, it will greatly affect the efficiency of mobile communication and threaten the security of distributed computers. In this paper, we propose a generic and easy to deploy and extend unpacking framework called DeepAutoD (hereinafter referred to as d-ad). By eliminating the influence of reinforcement, the framework outputs the original DEX files containing malicious features, which can provide complete feature information input for distributed machine learning based on malicious code detection. The unpacking technology solution we use integrates the deep deception call chain, which can detect the mainstream applications in the application market in a short time (a large number of malicious code will be hidden in the conventional applications), and the algorithm can adapt to any high version of Android system. Data analysis and experimental results show that the program is superior to the existing main programs in terms of safety and effectiveness.

Xuewen Zhang,Yuanyuan Zhang,Juanru Li,Yikun Hu,Huayi Li,Dawu Gu

DOI: https://doi.org/10.1109/icsme.2017.15

2017-01-01

Abstract:The rapid-iteration, web-style update cycle of Android helps fix revealed security vulnerabilities for its latest version. However, such security enhancements are usually only available for few Android devices released by certain manufacturers (e.g., Google's official Nexus devices). More manufactures choose to stop providing system update service for their obsolete models, remaining millions of vulnerable Android devices in use. In this situation, a feasible solution is to leverage existing source code patches to fix outdated vulnerable devices. To implement this, we introduce EMBROIDERY, a binary rewriting based vulnerability patching system for obsolete Android devices without requiring the manufacturer's source code against Android fragmentation. EMBROIDERY patches the known critical framework and kernel vulnerabilities in Android using both static and dynamic binary rewriting techniques. It transplants official patches (CVE source code patches) of known vulnerabilities to different devices by adopting heuristic matching strategies to deal with the code diversity introduced by Android fragmentation, and fulfills a complex dynamic memory modification to implement kernel vulnerabilities patching. We employ EMBROIDERY to patch sophisticated Android kernel and framework vulnerabilities for various manufactures' obsolete devices ranging from Android 4.2 to 5.1. The result shows the patched devices are able to defend against known exploits and the normal functions are not affected.

Yunhao Liu,Xiaohong Li,Zhiyong Feng,Jianye Hao

DOI: https://doi.org/10.1007/978-3-319-68690-5_19

2017-01-01

Abstract:Android applications can leak sensitive information through collusion, which gives the smartphone users a great security risk. We propose an Android collusion attack detection method based on control flow and data flow analysis. This method gives analysis of data propagation between different applications firstly. And then, a multi-apps program slice model based on both data and control flow are given. Last, the privacy data leakage paths of multi-apps are computed by reaching-definition analysis. Meanwhile, the criterions of mobile device information leakage edge are redefined according to the correlation of mobile devices. Based on the above principle, we implemented an Android collusion attack sensitive information leakage detection tools called CollusionDetector. Case study is carried out for typical collusion attack scenarios and it can obtain better results than existing tools and methods. Experiments show that the analysis of control flow can more accurately find the path of privacy propagation, and more effectively to identify collusion attacks.

Keke Lian,Lei Zhang,Guangliang Yang,Shuo Mao,Xinjie Wang,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3643730

2024-01-01

Abstract:Nowadays, mobile apps have greatly facilitated our daily work and lives. They are often designed to work closely and interact with each other through app components for data and functionality sharing. The security of app components has been extensively studied and various component attacks have been proposed. Meanwhile, Android system vendors and app developers have introduced a series of defense measures to mitigate these security threats. However, we have discovered that as apps evolve and develop, existing app component defenses have become inadequate to address the emerging security requirements. This latency in adaptation has given rise to the feasibility of cross-layer exploitation, where attackers can indirectly manipulate app internal functionalities by polluting their dependent data. To assess the security risks of cross-layer exploitation in real-world apps, we design and implement a novel vulnerability analysis approach, called CLDroid, which addresses two non-trivial challenges. Our experiments revealed that 1,215 (8.8%) popular apps are potentially vulnerable to cross-layer exploitation, with a total of more than 18 billion installs. We verified that through cross-layer exploitation, an unprivileged app could achieve various severe security consequences, such as arbitrary code execution, click hijacking, content spoofing, and persistent DoS. We ethically reported verified vulnerabilities to the developers, who acknowledged and rewarded us with bug bounties. As a result, 56 CVE IDs have been assigned, with 22 of them rated as ‘critical’ or ‘high’ severity.

Wei You,Bin Liang,Wenchang Shi,Shuyang Zhu,Peng Wang,Sikefu Xie,Xiangyu Zhang

DOI: https://doi.org/10.1145/2884781.2884863

2016-01-01

Abstract:Many efforts have been paid to enhance the security of Android. However, less attention has been given to how to practically adopt the enhancements on off-the-shelf devices. In particular, securing Android devices often requires modifying their write-protected underlying system component files (especially the system libraries) by flashing or rooting devices, which is unacceptable in many realistic cases. In this paper, a novel technique, called reference hijacking, is presented to address the problem. By introducing a specially designed reset procedure, a new execution environment is constructed for the target application, in which the reference to the underlying system libraries will be redirected to the security-enhanced alternatives. The technique can be applicable to both the Dalvik and Android Runtime (ART) environments and to almost all mainstream Android versions (2.x to 5.x). To demonstrate the capability of reference hijacking, we develop three prototype systems, PatchMan, ControlMan, and TaintMan, to enforce specific security enhancements, involving patching vulnerabilities, protecting inter-component communications, and performing dynamic taint analysis for the target application. These three prototypes have been successfully deployed on a number of popular Android devices from different manufacturers, without modifying the underlying system. The evaluation results show that they are effective and do not introduce noticeable overhead. They strongly support that reference hijacking can substantially improve the practicability of many security enhancement efforts for Android.

Yang Xu,Ju Ren,Yaoxue Zhang,Guojun Wang

DOI: https://doi.org/10.1109/ispa/iucc.2017.00116

2017-01-01

Abstract:Android is the world's most popular mobile platform. Nevertheless, in spite of continuous efforts on its permission system, it is still incapable of resisting privilege escalation attacks, specially, the confused deputy attacks on numerous poor-designed applications. Worse yet, most existing security solutions become costly or rigid in recent Android dynamic permission environment. In this paper, we proposed a flexible and efficient security extension to Android middleware for protecting the vulnerable privileged applications from being abused by malwares in the dynamic permission scenario. Our framework maintains fresh permission states of applications at runtime and enforces access control on inter-component communications conservatively by checking the capability differences between applications, so as to provide more precise and temperate protection for applications. Moreover, we also introduced an efficient cache mechanism together with an optimized proactive updating method for decisions, which contributes significantly to improving the inspection efficiency. Finally, experimental results reveal that our framework is effective and adaptable in defending against confused deputy attacks on applications with negligible overhead and limited impact on application usability.

Zhongkai He,Guixin Ye,Lu Yuan,Zhanyong Tang,Xiaofeng Wang,Jie Ren,Wei Wang,Jianfeng Yang,Dingy Fang,Zheng Wang

DOI: https://doi.org/10.1109/access.2019.2921417

IF: 3.9

2019-01-01

IEEE Access

Abstract:Application repackaging is a severe problem for Android systems. Many Android malware programs pass the mobile platform fundamental security barriers through repackaging other legitimate apps. Most of the existing anti-repackaging schemes only work at the Android DEX bytecode level, but not for the shared object files consisting of native ARM-based machine instructions. Lacking the protection at the native machine code level opens a door for attackers to launch repackaging attacks on the shared libraries that are commonly used on Android apps. This paper presents CodeCloak, a novel anti-repackaging system to protect Android apps at the native code level. CodeCloak employs binary-level code virtualization techniques to protect the target application. At the native machine code level, it uses a newly designed stack-based virtualization structure to obfuscate and protect critical algorithm implementations that have been compiled into native instructions. It leverages multiple dynamic code protection schemes to increase the diversity of the program behavior at runtime, aiming to increase the difficulties for performing code reverse engineering. We evaluate CodeCloak under typical app repackaging scenarios. Experimental results show that CodeCloak can effectively protect apps against repackaging attacks at the cost of minimum overhead.

Zhen-yu ZHANG,Dong-lai ZHU,Zhe-min YANG,Min YANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2019.08.037

2019-01-01

Abstract:Anti-analysis techniques refers to a series of mechanisms to evade program analysis. Benign application authors use anti-a-nalysis techniques to protect their application from cracking by other developers,while malware authors use anti-analysis techniques to evade detection. However,there isn′t any systematic study on the influence of anti-analysis techniques on the security of Android eco-system. To conduct this study,we design and implement AATPacker,which can apply dynamic code loading,anti-emulator,anti-debug and integrity check techniques to APK files automatically. We are the first to evaluate the anti-anti-analysis ability of the commercial packing services. We conduct our experiment on 239 application samples which are hardened from 31 original samples with different combinations of anti-analysis techniques by AATPacker. We observed that current anti-anti-analysis researches are not fully used,and using anti-analysis techniques will dramatically hinder the security check in Android ecosystem. By applying anti-analysis techniques, the detection rate of malware significantly decreased;on the other side,benign application was falsely detected. Among all the anti-a-nalysis techniques,dynamic code loading has the greatest impact on the security of Android ecosystem.

Wenqi Bu,Minhui Xue,Lihua Xu,Yajin Zhou,Zhushou Tang,Tao Xie

DOI: https://doi.org/10.1145/3106237.3117764

2017-08-21

Abstract:Despite recent progress in program analysis techniques to identify vulnerabilities in Android apps, significant challenges still remain for applying these techniques to large-scale industrial environments. Modern software-security providers, such as Qihoo 360 and Pwnzen (two leading companies in China), are often required to process more than 10 million mobile apps at each run. In this work, we focus on effectively and efficiently identifying vulnerable usage of Internet sockets in an industrial setting. To achieve this goal, we propose a practical hybrid approach that enables lightweight yet precise detection in the industrial setting. In particular, we integrate the process of categorizing potential vulnerable apps with analysis techniques, to reduce the inevitable human inspection effort. We categorize potential vulnerable apps based on characteristics of vulnerability signatures, to reduce the burden on static analysis. We flexibly integrate static and dynamic analyses for apps in each identified family, to refine the family signatures and hence target on precise detection. We implement our approach in a practical system and deploy the system on the Pwnzen platform. By using the system, we identify and report potential vulnerabilities of 24 vulnerable apps (falling into 3 vulnerability families) to their developers, and some of these reported vulnerabilities are previously unknown. The apps of each vulnerability family in total have over 50 million downloads. We also propose countermeasures and highlight promising directions for technology transfer.

chen chen,jia xing song,wei dong liu

DOI: https://doi.org/10.4028/www.scientific.net/AMR.981.161

2014-01-01

Advanced Materials Research

Abstract:As one of the most popular mobile operating system, Android has been troubled by privilege escalation attacks. This is because that the original Android ignores the inspection of transmitted data inintent. It only checks the permission ofintentto determine whether the Inter-Process Communication (IPC) could continue. We developed Nipdroid to solve the mentioned defect in Android IPC detection. Nipdroid is based on the technology of marking and tracking sensitive data. After the original Android detection, Nipdroid extracts the sensitive tags fromintent, and matches them with the permission lists of both communication apps, and then checks whether there is unreasonable data transmission in IPC. Experiments show that Nipdroid is effective on both preventing privilege escalation attacks and protecting user's sensitive data.

Atefeh Nirumand,Bahman Zamani,Behrouz Tork Ladani

DOI: https://doi.org/10.1007/s10515-024-00439-8

IF: 1.677

2024-06-06

Automated Software Engineering

Abstract:The Inter-Component Communication (ICC) model in Android enables the sharing of data and services among app components. However, it has been associated with several problems, including complexity, support for unconstrained communication, and difficulties for developers to understand. These issues have led to numerous security vulnerabilities in Android ICC. While existing research has focused on specific subsets of these vulnerabilities, it lacks comprehensive and scalable modeling of app specifications and interactions, which limits the precision of analysis. To tackle these problems, we introduce VAnDroid3, a Model-Driven Reverse Engineering (MDRE) framework. VAnDroid3 utilizes purposeful model-based representations to enhance the comprehension of apps and their interactions. We have made significant extensions to our previous work, which include the identification of six prominent ICC vulnerabilities and the consideration of both Intent and Data sharing mechanisms that facilitate ICCs. By employing MDRE techniques to create more efficient and accurate domain-specific models from apps, VAnDroid3 enables the analysis of ICC vulnerabilities on intra- and inter-app communication levels. We have implemented VAnDroid3 as an Eclipse-based tool and conducted extensive experiments to evaluate its correctness, scalability, and run-time performance. Additionally, we compared VAnDroid3 with state-of-the-art tools. The results substantiate VAnDroid3 as a promising framework for revealing Android inter-app ICC security issues.

computer science, software engineering