Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Yupeng Hu,Zhe Jin,Wenjia Li,Yang Xiang,Jiliang Zhang

DOI: https://doi.org/10.48550/arXiv.2006.12831

2020-06-23

Abstract:In this paper, we present the design and implementation of a Systematic Inter-Component Communication Analysis Technology (SIAT) consisting of two key modules: \emph{Monitor} and \emph{Analyzer}. As an extension to the Android operating system at framework layer, the \emph{Monitor} makes the first attempt to revise the taint tag approach named TaintDroid both at method-level and file-level, to migrate it to the app-pair ICC paths identification through systemwide tracing and analysis of taint in intent both at the data flow and control flow. By taking over the taint logs offered by the \emph{Monitor}, the \emph{Analyzer} can build the accurate and integrated ICC models adopted to identify the specific threat models with the detection algorithms and predefined rules. Meanwhile, we employ the models' deflation technology to improve the efficiency of the \emph{Analyzer}. We implement the SIAT with Android Open Source Project and evaluate its performance through extensive experiments on well-known datasets and real-world apps. The experimental results show that, compared to state-of-the-art approaches, the SIAT can achieve about 25\%$\sim$200\% accuracy improvements with 1.0 precision and 0.98 recall at the cost of negligible runtime overhead. Moreover, the SIAT can identify two undisclosed cases of bypassing that prior technologies cannot detect and quite a few malicious ICC threats in real-world apps with lots of downloads on the Google Play market.

Cryptography and Security

Wei You,Bin Liang,Wenchang Shi,Peng Wang,Xiangyu Zhang

DOI: https://doi.org/10.1109/tdsc.2017.2740169

2020-01-01

Abstract:Dynamic taint analysis (DTA), as a mainstream information flow tracking technique, has been widely used in mobile security. On the Android platform, the existing DTA approaches are typically implemented by instrumenting the Dalvik virtual machine (DVM) interpreter or the Android emulator with taint enforcement code. The most prominent problem of the interpreter-based approaches is that they cannot work in the new Android RunTime (ART) environment introduced since the 5.0 release. For the emulator-based approaches, the most prominent problem is that they cannot be deployed on real devices. In addition, almost all the existing Android DTA approaches only concern the explicit information flow caused by data dependence, while completely ignore the impact of implicit information flow caused by control dependence. These problems limit their adoption in the latest Android system and make them ineffective in detecting the state-of-the-art malware whose privacy-breaching behaviors are inactivated in the analyzed environment (e.g., the emulator) or conducted via implicit information flow. In this paper, we present TaintMan, an ART-compatible DTA framework that can be deployed on unmodified and non-rooted Android devices. In TaintMan, the taint enforcement code is statically instrumented into both the target application and the system class libraries to track data flow and common control flow. A specially designed execution environment reconstruction technique, named reference hijacking, is proposed to force the target application to reference the instrumented system class libraries. By enforcing on-demand instrumentation and on-demand tracking, the performance overhead is significantly reduced. We have developed TaintMan and deployed it on two popular stock smartphones (HTC One S equipped with Android-4.0 and Motorola MOTO G equipped with Android-5.0). The evaluation with malware samples and real-world applications shows that TaintMan can effectively detect privacy leakage behaviors with an acceptable performance overhead.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Ruiguo Yang,Jiajin Cai,Xinhui Han

DOI: https://doi.org/10.1145/3548606.3563527

2022-01-01

Abstract:ABSTRACTIn this poster, we present TaintGrep, a novel static analysis approach to detect vulnerabilities of Android applications. This approach combines the advantages of semantic pattern matching and taint analysis to get better accuracy and be able to detect cross-function vulnerabilities. Compared with many traditional tools, TaintGrep does not require the full source code or building environment to analyze. Moreover, it supports users in defining their customized matching rules using their vulnerability mining experience, which makes this approach more flexible and scalable. In the preliminary experiment, we give a detailed analysis of the rules of two typical vulnerabilities: generic DoS and arbitrary file read/write, and have detected 77 0day vulnerabilities with these rules in 16 well-known Android applications.

Zhu Kelong,Song Yubo,Chen Fei

DOI: https://doi.org/10.1049/cp.2014.0736

2014-01-01

Abstract:As the increasing downloads of applications via Android Platform, more and more malicious codes were injected in those applications. And some problems are caused by that malicious code such as economic loss and privacy issues. Android has the highest market share of smartphone operating system, the security of Android platform is extremely important. Therefore, the security testing and evaluation of applications is imperative. Dynamic taint propagation is the most common method to do the test, but there are two problems: a) If the custom ROM runs in the smartphone, the running speed of ROM will be limited to the smartphone's battery life and computing power. b) If the program was running in emulator in PC, the efficiency will be very poor because of the manual operation for the triggering action during the running time. The paper presents an automated testing method which was accomplished in emulator. In addition, the system will record the tree structure of Activity and control distribution of each Activity. The test results showed that the system can trigger all the controls and compared with manual test, this method was proven to be more effective and completely.

Yang Liu,Yan Yu

DOI: https://doi.org/10.3969/j.issn.1000-386x.2017.09.029

2017-01-01

Abstract:This study was motivated by privacy leakage existing in Android applications.Therefore,a privacy leakage detecting method based on dynamic taint analysis was proposed.We first added taint mark to user privacy data through Android framework source code instrumentation.Moreover,we modified execution engine (Dalvik virtual machine) of Android application to ensure that the taint mark can accurately be traced during the execution of the program.When data moves,dynamic taint analysis will check whether or not the taint marks is private data,which makes those applications more transparent.Thus,our approach can effectively detect user privacy leakage,so as to protect the user privacy.

Songyang Wu,Yong Zhang,Bo Jin,Wei Cao

DOI: https://doi.org/10.1109/icct.2017.8359970

2017-01-01

Abstract:The permission model is an essential Android mechanism for resisting security threats: android malware can do very little if the user denies its requests for permissions. However, the recent literatures show that certain vulnerable applications with insufficiently enforced privileges may lead to critical permissions leakage via inter-application interaction. Malicious applications can trick these vulnerable applications to perform actions that are beyond their given privileges. This study proposes an efficient approach for the analysis of permission leakage vulnerabilities in Android inter-process communications; this approach identifies suspicious vulnerable paths based on an analysis of control-flow and dataflow. We handle the unsafe control flows over inter-component communication and asynchronous calls through Android callbacks, which is the major difference from previous related studies. The proposed system was evaluated using 550 real-world Android applications and the experiment result demonstrated the practicality of our method.

Junjie Tang,Xingmin Cui,Ziming Zhao,Shanqing Guo,Xinshun Xu,Chengyu Hu,Tao Ban,Bing Mao

DOI: https://doi.org/10.1109/icst.2017.56

2017-01-01

Abstract:In the Android system design, any app can start another app's public components to facilitate code reuse by sending an asynchronous message called Intent. In addition, Android also allows an app to have private components that should only be visible to the app itself. However, malicious apps can bypass this system protection and directly invoke private components in vulnerable apps through a class of newly discovered vulnerability, which is called next-intent vulnerability. In this paper, we design an intent flow analysis strategy which accurately tracks the intent in smali code to statically detect next-intent vulnerabilities efficiently and effectively on a large scale. We further propose an automated approach to dynamically verify the discovered vulnerabilities by generating exploit apps. Then we implement a tool named NIVAnalyzer and evaluate it on 20,000 apps downloaded from Google Play. As the result, we successfully confirms 190 vulnerable apps, some of which even have millions of downloads. We also confirmed that an open-source project and a third-party SDK, which are still used by other apps, have next intent vulnerabilities.

Jinkun Pan,Xiaoguang Mao,Weishi Li

DOI: https://doi.org/10.1109/icsess.2015.7339024

2015-01-01

Abstract:Taint analysis determines whether values from untrusted or private sources may flow into security-sensitive or public sinks, and can discover many common security vulnerabilities in both Web and mobile applications. Static taint analysis detects suspicious data flows without running the application and achieves a good coverage. However, most existing static taint analysis tools only focus on discovering taint paths from sources to sinks and do not concern about the requirements of analysts for sanitization check and exploration. The sanitization can make a taint path no more dangerous but should be checked or explored by analysts manually in many cases and the process is very costly. During our preliminary study, we found that many statements along taint paths are not relevant to the sanitization and there are a lot of redundancies among taint paths with the same source or sink. Based on these two observations, we have designed and implemented the taint path slicing and aggregation algorithms, aiming at mitigating the workload of the analysts and helping them get a better comprehension of the taint behaviors of target applications. Experimental evaluations on real-world applications show that our proposed algorithms can reduce the taint paths effectively and efficiently.

Zhemin Yang,Min Yang,Yuan Zhang,Guofei Gu,Peng Ning,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/2508859.2516676

2013-01-01

Abstract:ABSTRACTAndroid phones often carry personal information, attracting malicious developers to embed code in Android applications to steal sensitive data. With known techniques in the literature, one may easily determine if sensitive data is being transmitted out of an Android phone. However, transmission of sensitive data in itself does not necessarily indicate privacy leakage; a better indicator may be whether the transmission is by user intention or not. When transmission is not intended by the user, it is more likely a privacy leakage. The problem is how to determine if transmission is user intended. As a first solution in this space, we present a new analysis framework called AppIntent. For each data transmission, AppIntent can efficiently provide a sequence of GUI manipulations corresponding to the sequence of events that lead to the data transmission, thus helping an analyst to determine if the data transmission is user intended or not. The basic idea is to use symbolic execution to generate the aforementioned event sequence, but straightforward symbolic execution proves to be too time-consuming to be practical. A major innovation in AppIntent is to leverage the unique Android execution model to reduce the search space without sacrificing code coverage. We also present an evaluation of AppIntent with a set of 750 malicious apps, as well as 1,000 top free apps from Google Play. The results show that AppIntent can effectively help separate the apps that truly leak user privacy from those that do not.

Chenkai Guo,Jing Xu,Hongji Yang,Ying Zeng,Shuang Xing

DOI: https://doi.org/10.1145/2593501.2593503

2014-01-01

Abstract:ABSTRACT Recently, Google Android has occupied a major market share of mobile phone systems as a result of its openness for developers and richness for users. By the distribution channels of the Android market, both development and use of Android applications soar. However, the low development threshold of applications leads to weak security awareness of developers. Moreover, Android applications lack strict security standards, resulting that security crisis has become increasingly prominent. For now, an application's biggest security threat falls on its messaging mechanism between components. Once permission’s verification is neglected, it is easy to be exploited by attackers, causing immeasurable loss. We analyze the security mechanism of Android inter-application components, and accordingly construct the security rules. Specifically, a compositional approach including static and dynamic automated testing techniques is proposed to detect the security vulnerabilities caused by messaging between components. In our approach, the static part obtains rough results and some parameter information. After that, the dynamic part automatically generates attack cases for verifying these results. This approach can be used not only to discover potential weaknesses within inter-application components but also to automatically simulate attack behaviors. Thereby, the detection results’ effectiveness can be verified.

Zhenjiang,Shen Dong,Hui *,Jianhuai Ye,Victoria C. Yan,Kan Wu,Shaoyin,Wood-Hi Cheng,Zhun Fan,Jiang Jiang

2013-01-01

Abstract:Android has a strict permission management mechanism. Any applications that try to run on the Android system need to obtain permission. In this paper, we propose an efficient method of detecting malicious applications in the Android system. First, hundreds of permissions are classified into different groups. The application programming interfaces (APIs) associated with permissions that can interact with the outside environment are called sink functions. The APIs associated with other permissions are called taint functions. e construct association tables for block variables and function variables of each application. Malicious applications can then be detected by using the static taint-propagation method to analyze these tables.

唐和平,黄曙光,张亮

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.07.036

2010-01-01

Computer Science

Abstract:Untrusted data originating from network user input and configuration files,causes many software security problems,when operated by security-critical function without strict data validation.Keeping track of the propagation of untrusted data is the main idea of dynamic taint analysis for vulnerability exploits detection.Data derived from network user input and configuration files were labeled as taint.Executed taint propagating algorithm by virtue of data flow analysis,and carried out several taint detection policies for each security-critical function.A vulnerability exploits detection prototype system was implemented on open source emulator and many optimization mechanisms were deployed.

Dongming Xiang,Shuai Lin,Ke Huang,Zuohua Ding,Guanjun Liu,Xiaofeng Li

DOI: https://doi.org/10.1016/j.cose.2024.104162

IF: 5.105

2024-10-21

Computers & Security

Abstract:Static taint analysis is a widely used method to identify vulnerabilities in Android applications. However, the existing tools for static analysis often struggle with processing times, particularly when dealing with complex real-world programs. To reduce time consumption, some tools choose to sacrifice analytical precision, e.g., FastDroid sets an upper limit for analysis iterations in Android applications. In this paper, we propose a labeled taint value graph (LTVG) to store taint flows, and implement a fine-grained analysis tool called LabeledDroid . This graph is constructed based on the taint value graph (TVG) of FastDroid, and takes into account both precision and time consumption. That is, we decompile an Android app into Jimple statements, develop fine-grained propagation rules to handle List , and construct LTVGs according to these rules. Afterwards, we traverse LTVGs to obtain high-precision taint flows. An analysis of 39 apps from the TaintBench benchmark shows that LabeledDroid is 0.87 s faster than FastDroid on average. Furthermore, if some common accuracy parameters are adapted in both LabeledDroid and FastDroid, the experiment demonstrates that the former is more scalable. Moreover, the maximum analysis time of LabeledDroid is less than 200 s and its average time is 46.25 s, while FastDroid sometimes experiences timeouts with durations longer than 600 s. Additionally, LabeledDroid achieves a precision of 70% in handling lists, while FastDroid and TaintSA achieve precisions of 38.9% and 41.2%, respectively.

computer science, information systems

TANG He-ping,HUANG Shu-guang,ZHANG Liang

2010-01-01

Abstract:Software vulnerabilities have become an omnipresent and dangerous threat to network security.Vulnerability Exploits Detection is proposed to take active defense measures to monitor system state and cut exploit data sources off or terminate program execution before exploitation.Taint analysis for vulnerability exploits detection is composed of taint propagation link,taint propagation,taint analysis and taint track.A Vulnerability exploits detection prototype system was implemented by emulator and many optimization mechanisms.In contrast to the experiment result of other taint analysis systems,our prototype system has higher accuracy and vulnerability exploits coverage.

Wei XIAO,Yuan ZHANG,Min YANG

2017-01-01

Abstract:Intent is the built-in communication scheme among Android applications.If the receiver of an intent does not validate malformed data properly,the process that holds it will crash.To automatically diagnose this kind of vulnerability,we design and implement IntentChecker which leverages both static and dynamic analysis techniques.IntentChecker statically examines the data flow paths from the received intent and identifies this kind of vulnerability within the path,without requiring the application's source code.Besides,IntentChecker extracts key features of the detected vulnerabilities,and dynamically verifies these vulnerabilities.To analyze large-scale of applications in app-store efficiently,IntentChecker could schedule the analysis resources only on the most vulnerable code sections.This optimization greatly accelerates the analysis process without significantly impacting the effectiveness.The experiments on largescale applications show that about 19％ of popular applications are vulnerable and the detection only costs 15s per application on average.

Zheng SONG,Yongjian WANG,Bo JIN,Jiuchuan LIN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.013

2016-01-01

Abstract:With the network security situation becoming increasingly worsening, detection technology that can timely and effectivly discover exploits and related advanced persistent threat(APT) attacks is of vital importance for network security. Dynamic taint analysis, which is one of the reliable exploit detection solutions, is a method that marks the non-trusted input source as tainted data, and tracks its spread with the execution of program to get the key position and data associated with the input. This paper ifrstly introduces the principle of dynamic taint analysis of binary programs and its development status in several typical systems, then analyzes existing problems with dynamic taint analysis of binary programs, and ifnally introduces the application of dynamic taint analysis. In this paper, the dynamic taint analysis technology of binary program is introduced in details, which is helpful to improve the network security protection level for important information system.

Pascal Gadient,Mohammad Ghafari,Patrick Frischknecht,Oscar Nierstrasz

DOI: https://doi.org/10.1007/s10664-018-9673-y

2018-12-10

Abstract:Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Cryptography and Security,Software Engineering

Hong Song,Dandan Lin,Shuang Zhu,Weiping Wang,Shigeng Zhang

DOI: https://doi.org/10.1007/978-981-15-1301-5_25

2019-01-01

Abstract:With the booming mobile Internet and Android App market, Android security issues have become increasingly prominent. As the main way for information disclosure in Android Apps, sensitive path has become an important part of Android security research. Aiming at the problem that static analysis cannot verify whether the sensitive path is triggered by reality, this paper proposes a system ADS-SA based on static analysis to automatically detect sensitive path. The system first constructs an Android component conversion diagram through data flow analysis, and then obtains an Android function call graph through control flow analysis. Secondly, the sensitive path backtracking algorithm is designed and used to obtain the sensitive path set. Finally, the automated testing framework, Appium, is used to trigger and verify the authenticity of the sensitive path set. The test results show that the ADS-SA can automatically detect more than 87% of sensitive paths at a low time cost with high reliability and effectiveness.