Li,Alexandre Bartel,Tegawende F. Bissyande,Jacques Klein,Yves Le Traon,Steven Arzt,Siegfried Rasthofer,Eric Bodden,Damien Octeau,Patrick McDaniel

DOI: https://doi.org/10.1109/icse.2015.48

2015-01-01

Abstract:Shake Them All is a popular "Wallpaper" application exceeding millions of downloads on Google Play. At installation, this application is given permission to (1) access the Internet (for updating wallpapers) and (2) use the device microphone (to change background following noise changes). With these permissions, the application could silently record user conversations and upload them remotely. To give more confidence about how Shake Them All actually processes what it records, it is necessary to build a precise analysis tool that tracks the flow of any sensitive data from its source point to any sink, especially if those are in different components. Since Android applications may leak private data carelessly or maliciously, we propose IccTA, a static taint analyzer to detect privacy leaks among components in Android applications. IccTA goes beyond state-of-the-art approaches by supporting inter-component detection. By propagating context information among components, IccTA improves the precision of the analysis. IccTA outperforms existing tools on two benchmarks for ICC-leak detectors: DroidBench and ICC-Bench. Moreover, our approach detects 534 ICC leaks in 108 apps from MalGenome and 2,395 ICC leaks in 337 apps in a set of 15,000 Google Play apps.

Hao Zhou,Haoyu Wang,Xiapu Luo,Ting Chen,Yajin Zhou,Ting Wang

DOI: https://doi.org/10.14722/ndss.2022.23166

2022-01-01

Abstract:—Due to the complexity resulted from the huge code base and the multi-context nature of Android, inconsistent access control enforcement exists in Android, which can be exploited by malware to bypass the access control and perform unauthorized security-sensitive operations. Unfortunately, existing studies only focus on the inconsistent access control enforcement in the Java context of Android. In this paper, we conduct the first systematic investigation on the inconsistent access control enforcement across the Java context and native context of Android. In particular, to automatically discover cross-context inconsistencies, we design and implement IAceFinder , a new tool that extracts and contrasts the access control enforced in the Java context and native context of Android. Applying IAceFinder to 14 open-source Android ROM s, we find that it can effectively uncover their cross-context inconsistent access control enforcement. Specifically, IAceFinder discovers 23 inconsistencies that can be abused by attackers to compromise the device and violate user privacy.

Yi He,Qi Li

DOI: https://doi.org/10.1109/pccc.2016.7820624

2016-01-01

Abstract:Android encourages inter-app interactions and facilitates functionality reusability by providing flexible inter-component communication (ICC) among apps. Components in apps can communicate with other components within single app or cross different apps. However, through this mechanism, components may leak permissions either carelessly or maliciously. Unfortunately, the current app-level permission model in Android cannot prevent such permissions leaks incurred by inter app communication. Simple permission enforcement is not sufficient as it cannot differentiate between normal permission usage and malicious permission usage (i.e., permission leakage). Therefore, users are required to grant permissions to apps during app installation, which may lead to permission mismanaged. In this paper, we propose IntentChecker that aims to detect permission leakage by proposing a light-weight mechanism. IntentChecker defends against the permission leakage attacks by adding authorization extension to the ICC mechanism and automatically generating patches for vulnerable apps. We evaluate IntentChecker with two benchmarks, i.e., Droidbench and ICCbench, and with 4031 real world apps. IntentChecker finds 324 apps that includes at least one permission leakage. We verify the effectiveness of the defense mechanism with 10 apps randomly selected from the vulnerable apps, which demonstrates that it is effective to prevent inter app permission leakage.

Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Lei Xue,Chenxiong Qian,Hao Zhou,Xiapu Luo,Yajin Zhou,Yuru Shao,Alvin T. S. Chan

DOI: https://doi.org/10.1109/tifs.2018.2866347

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:For performance and compatibility reasons, developers tend to use native code in their applications (or simply apps). This makes a bidirectional data flow through multiple contexts, i.e., the Java context and the native context, in Android apps. Unfortunately, this interaction brings serious challenges to existing dynamic analysis systems, which fail to capture the data flow across different contexts. In this paper, we first performed a large-scale study on apps using native code and reported some observations. Then, we identified several scenarios where data flow cannot be tracked by existing systems, leading to uncaught information leakage. Based on these insights, we designed and implemented NDroid, an efficient dynamic taint analysis system that could track the data flow between both Java context and native context. The evaluation of real apps demonstrated the effectiveness of NDroid in identifying information leakage with reasonable performance overhead.

Jordan Samhi,Alexandre Bartel,Tegawendé F. Bissyandé,Jacques Klein

DOI: https://doi.org/10.48550/arXiv.2012.09916

2021-01-15

Abstract:Inter-Component Communication (ICC) is a key mechanism in Android. It enables developers to compose rich functionalities and explore reuse within and across apps. Unfortunately, as reported by a large body of literature, ICC is rather "complex and largely unconstrained", leaving room to a lack of precision in apps modeling. To address the challenge of tracking ICCs within apps, state of the art static approaches such as Epicc, IccTA and Amandroid have focused on the documented framework ICC methods (e.g., startActivity) to build their approaches. In this work we show that ICC models inferred in these state of the art tools may actually be incomplete: the framework provides other atypical ways of performing ICCs. To address this limitation in the state of the art, we propose RAICC a static approach for modeling new ICC links and thus boosting previous analysis tasks such as ICC vulnerability detection, privacy leaks detection, malware detection, etc. We have evaluated RAICC on 20 benchmark apps, demonstrating that it improves the precision and recall of uncovered leaks in state of the art tools. We have also performed a large empirical investigation showing that Atypical ICC methods are largely used in Android apps, although not necessarily for data transfer. We also show that RAICC increases the number of ICC links found by 61.6% on a dataset of real-world malicious apps, and that RAICC enables the detection of new ICC vulnerabilities.

Software Engineering

Xu JIANG,Chang-sheng ZHANG,Da-meng DAI,Jing RUAN,De-jun MU

DOI: https://doi.org/10.3785/j.issn.1008-973X.2016.12.016

2016-01-01

Abstract:A multi-level detection method based on semi-lattice data flow analysis was proposed in order to solve the problem of Android privacy data leakage .For the applications without root privilege ,the fine-grained range of source functions was determined that generated privacy data and sink functions that leaked them ,according to the permissions for the application .If the source functions and the sink functions existed in the same application ,the detection system began to analyze data flow .When the two kinds of functions located in different components , the method could transform inter-component communication (ICC ) problem into inter-procedural distributive environment (IDE ) problem . Results show that the proposed method can detect the privacy data leakage not only for communication in the same component , but also for communication between different components .The accuracy of the proposed method reaches 91 .5% ,which can significantly save detection time compared with other state-of-the-art methods under the condition of similar precision and recall rate .

Daojuan Zhang,Rui Wang,Zimin Lin,Dianjie Guo,Xiaochun Cao

DOI: https://doi.org/10.1109/iscc.2016.7543779

2016-01-01

Abstract:Inter-App Communication (IAC) plays an important role in Android platform to share data and services among applications. However, the existence of IAC capability leaks could lead to the unauthorized privileged operations. In this paper, we first investigate the usage of IAC in Android applications to show the prevalence of IAC in the Android development model. To mitigate the threat caused by IAC capability leaks in Android, we develop a real-time monitoring and control system, called IacDroid, which distinguishes and prevents the IAC capability leak accurately in both third-party and in-rom applications at runtime. IacDroid extends the Binder IPC mechanism and the system service to construct context-based component call chains between multiple applications. By leveraging the call chains, the permission system is extended to detect and prevent the IAC capability leaks. IacDroid also presents an intuitive client-side solution to help users control the IAC capability leaks. We implement the prototype in Android 4.3, and present a comprehensive assessment with 500 Google Play applications and 36 malicious applications. The experimental results demonstrate that IacDroid can effectively prevent the IAC capability leaks with a negligible performance overhead.

Yupeng Hu,Zhe Jin,Wenjia Li,Yang Xiang,Jiliang Zhang

DOI: https://doi.org/10.48550/arXiv.2006.12831

2020-06-23

Abstract:In this paper, we present the design and implementation of a Systematic Inter-Component Communication Analysis Technology (SIAT) consisting of two key modules: \emph{Monitor} and \emph{Analyzer}. As an extension to the Android operating system at framework layer, the \emph{Monitor} makes the first attempt to revise the taint tag approach named TaintDroid both at method-level and file-level, to migrate it to the app-pair ICC paths identification through systemwide tracing and analysis of taint in intent both at the data flow and control flow. By taking over the taint logs offered by the \emph{Monitor}, the \emph{Analyzer} can build the accurate and integrated ICC models adopted to identify the specific threat models with the detection algorithms and predefined rules. Meanwhile, we employ the models' deflation technology to improve the efficiency of the \emph{Analyzer}. We implement the SIAT with Android Open Source Project and evaluate its performance through extensive experiments on well-known datasets and real-world apps. The experimental results show that, compared to state-of-the-art approaches, the SIAT can achieve about 25\%$\sim$200\% accuracy improvements with 1.0 precision and 0.98 recall at the cost of negligible runtime overhead. Moreover, the SIAT can identify two undisclosed cases of bypassing that prior technologies cannot detect and quite a few malicious ICC threats in real-world apps with lots of downloads on the Google Play market.

Cryptography and Security

Zi-Peng Zhang,Ming Fu,Xin-Yu Feng

DOI: https://doi.org/10.1007/s11390-019-1949-1

2019-01-01

Abstract:Inter-process communication (IPC) provides a message passing mechanism for information exchange between applications. It has been long believed that IPCs can be abused by malware writers to launch collusive information leak using two or more applications. Much work on privacy protection focuses on the simple information leak caused by the individual applications and lacks effective approaches to preventing the collusive information leak caused by IPCs between multiple processes. In this paper, we propose a hybrid approach to prevent the collusive information leak based on information flow control. Our approach combines static information flow analysis and dynamic runtime checking together. Information leak caused by individual processes is prevented through static information flow control, and dynamic checking is done at runtime to prevent the collusive information leak. Such a combination may effectively reduce the runtime overhead of pure dynamic checking, and reduce false-alarms in pure static analysis. We develop this approach based on an abstract and simplified programming model, and formalize a novel definition of the leak-freedom property as our target security property. A simulation-based proof technique is used to prove that our approach is able to guarantee leak-freedom. All proofs are mechanized in Coq.

Songyang Wu,Yong Zhang,Bo Jin,Wei Cao

DOI: https://doi.org/10.1109/icct.2017.8359970

2017-01-01

Abstract:The permission model is an essential Android mechanism for resisting security threats: android malware can do very little if the user denies its requests for permissions. However, the recent literatures show that certain vulnerable applications with insufficiently enforced privileges may lead to critical permissions leakage via inter-application interaction. Malicious applications can trick these vulnerable applications to perform actions that are beyond their given privileges. This study proposes an efficient approach for the analysis of permission leakage vulnerabilities in Android inter-process communications; this approach identifies suspicious vulnerable paths based on an analysis of control-flow and dataflow. We handle the unsafe control flows over inter-component communication and asynchronous calls through Android callbacks, which is the major difference from previous related studies. The proposed system was evaluated using 550 real-world Android applications and the experiment result demonstrated the practicality of our method.

Zhemin Yang,Min Yang,Yuan Zhang,Guofei Gu,Peng Ning,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/2508859.2516676

2013-01-01

Abstract:ABSTRACTAndroid phones often carry personal information, attracting malicious developers to embed code in Android applications to steal sensitive data. With known techniques in the literature, one may easily determine if sensitive data is being transmitted out of an Android phone. However, transmission of sensitive data in itself does not necessarily indicate privacy leakage; a better indicator may be whether the transmission is by user intention or not. When transmission is not intended by the user, it is more likely a privacy leakage. The problem is how to determine if transmission is user intended. As a first solution in this space, we present a new analysis framework called AppIntent. For each data transmission, AppIntent can efficiently provide a sequence of GUI manipulations corresponding to the sequence of events that lead to the data transmission, thus helping an analyst to determine if the data transmission is user intended or not. The basic idea is to use symbolic execution to generate the aforementioned event sequence, but straightforward symbolic execution proves to be too time-consuming to be practical. A major innovation in AppIntent is to leverage the unique Android execution model to reduce the search space without sacrificing code coverage. We also present an evaluation of AppIntent with a set of 750 malicious apps, as well as 1,000 top free apps from Google Play. The results show that AppIntent can effectively help separate the apps that truly leak user privacy from those that do not.

Li Li,kevin allix,daoyuan li,alexandre bartel,Tegawendé F. Bissyandé,jacques klein

DOI: https://doi.org/10.1109/QRS.2015.36

2015-01-01

Abstract:We discuss the capability of a new feature set for malware detection based on potential component leaks (PCLs). PCLs are defined as sensitive data-flows that involve Android inter-component communications. We show that PCLs are common in Android apps and that malicious applications indeed manipulate significantly more PCLs than benign apps. Then, we evaluate a machine learning-based approach relying on PCLs. Experimental validations show high performance for identifying malware, demonstrating that PCLs can be used for discriminating malicious apps from benign apps.

YANG Guang-liang,GONG Xiao-rui,YAO Gang,HAN Xin-hui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.23.001

2012-01-01

Abstract:To detect user’s privacy leakage in Android software,this paper proposes an automated detection system based on dynamic taint tracking,called TaintChaser.TaintChaser can detect behaviors of user’s data leakage in Android applications under test at a fine granularity,and the system also can analyze and test massive Android software in the automatic way.It uses TaintChaser to automatically analyze 28 369 popular Android applications and finds that 24.69% of them may leak user’s privacy.

Wei Yang,Xusheng Xiao,Benjamin Andow,Sihan Li,Tao Xie,William Enck

DOI: https://doi.org/10.1109/icse.2015.50

2015-01-01

Abstract:Mobile malware attempts to evade detection during app analysis by mimicking security-sensitive behaviors of benign apps that provide similar functionality (e.g., sending SMS messages), and suppressing their payload to reduce the chance of being observed (e.g., executing only its payload at night). Since current approaches focus their analyses on the types of security-sensitive resources being accessed (e.g., network), these evasive techniques in malware make differentiating between malicious and benign app behaviors a difficult task during app analysis. We propose that the malicious and benign behaviors within apps can be differentiated based on the contexts that trigger security-sensitive behaviors, i.e., the events and conditions that cause the security-sensitive behaviors to occur. In this work, we introduce AppContext, an approach of static program analysis that extracts the contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors. We implement a prototype of AppContext and evaluate AppContext on 202 malicious apps from various malware datasets, and 633 benign apps from the Google Play Store. AppContext correctly identifies 192 malicious apps with 87.7% precision and 95% recall. Our evaluation results suggest that the maliciousness of a security-sensitive behavior is more closely related to the intention of the behavior (reflected via contexts) than the type of the security-sensitive resources that the behavior accesses.

Pascal Gadient,Mohammad Ghafari,Patrick Frischknecht,Oscar Nierstrasz

DOI: https://doi.org/10.1007/s10664-018-9673-y

2018-12-10

Abstract:Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Cryptography and Security,Software Engineering

Daibin Wang,Haixia Yao,Yingjiu Li,Hai Jin,Deqing Zou,Robert H. Deng

DOI: https://doi.org/10.1145/2766498.2766518

2015-01-01

Abstract:ABSTRACTAndroid's permission system offers an all-or-nothing installation choice for users. To make it more flexible, users may choose a popular app tool, called permission manager, to selectively grant or revoke an app's permissions at runtime. A fundamental requirement for such permission manager is that the granted or revoked permissions should be enforced faithfully. However, we discover that none of existing permission managers meet this requirement due to permission leaks. To address this problem, we propose CICC, a fine-grained, semantic-aware, and transparent approach for any permission managers to defend against the permission leaks. Compared to existing solutions, CICC is fine-grained because it detects the permission leaks using call-chain information at the component instance level, instead of at the app level or component level. The fine-grained feature enables it to generate a minimal impact on the usability of running apps. CICC is semantic-aware in a sense that it manages call-chains in the whole lifecycle of each component instance. CICC is transparent to users and app developers, and it requires minor modification to permission managers. Our evaluation shows that CICC incurs relatively low performance overhead and power consumption.

Abdul Moiz,Manar H. Alalfi

DOI: https://doi.org/10.48550/arXiv.2011.04066

2020-11-09

Abstract:The advancements in the digitization world has revolutionized the automotive industry. Today's modern cars are equipped with internet, computers that can provide autonomous driving functionalities as well as infotainment systems that can run mobile operating systems, like Android Auto and Apple CarPlay. Android Automotive is Google's android operating system tailored to run natively on vehicle's infotainment systems, it allows third party apps to be installed and run on vehicle's infotainment systems. Such apps may raise security concerns related to user's safety, security and privacy. This paper investigates security concerns of in-vehicle apps, specifically, those related to inter component communication (ICC) among these apps. ICC allows apps to share information via inter or intra apps components through a messaging object called intent. In case of insecure communication, Intent can be hijacked or spoofed by malicious apps and user's sensitive information can be leaked to hacker's database. We investigate the attack surface and vulnerabilities in these apps and provide a static analysis approach and a tool to find data leakage vulnerabilities. The approach can also provide hints to mitigate these leaks. We evaluate our approach by analyzing a set of Android Auto apps downloaded from Google Play store, and we report our validated results on vulnerabilities identified on those apps.

Cryptography and Security,Software Engineering

Yunhao Liu,Xiaohong Li,Zhiyong Feng,Jianye Hao

DOI: https://doi.org/10.1007/978-3-319-68690-5_19

2017-01-01

Abstract:Android applications can leak sensitive information through collusion, which gives the smartphone users a great security risk. We propose an Android collusion attack detection method based on control flow and data flow analysis. This method gives analysis of data propagation between different applications firstly. And then, a multi-apps program slice model based on both data and control flow are given. Last, the privacy data leakage paths of multi-apps are computed by reaching-definition analysis. Meanwhile, the criterions of mobile device information leakage edge are redefined according to the correlation of mobile devices. Based on the above principle, we implemented an Android collusion attack sensitive information leakage detection tools called CollusionDetector. Case study is carried out for typical collusion attack scenarios and it can obtain better results than existing tools and methods. Experiments show that the analysis of control flow can more accurately find the path of privacy propagation, and more effectively to identify collusion attacks.