Mike Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2011-01-01

Abstract:Recent years have witnessed increased popularity and adoption of smartphones partially due to the functionalities and convenience offered to their users (e.g., the ability to run third-party applications). To manage the amount of access given to smartphone applications, Android provides a permission-based security model, which requires each application to explicitly request permissions before it can be installed to run. In this paper, we systematically analyze eight flagship Android smartphones from leading manufacturers, including HTC, Motorola, and Samsung and found out that the stock phone images do not properly enforce the permission model. Several privileged permissions that protect the access to sensitive user data and dangerous features on the phones are unsafely exposed to other applications which do not need to request them for the actual use, a security violation termed capability leak in this paper. To facilitate identifying these capability leaks, we take a static analysis approach and have accordingly developed a system called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting these leaked capabilities, an untrusted application can manage to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations on the affected phones – all without the need of asking for any permission.

Mingsong Zhou,Fanping Zeng,Yu Zhang,Chengcheng Lv,Zhao Chen,Guozhu Chen

DOI: https://doi.org/10.1109/icstw.2019.00068

2019-01-01

Abstract:The capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks' exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs. We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which make our tool applicable for practical apps. By applying our tool to 439 popular applications of the Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. And the average analysis time was 4 minutes per app. A demo video can be found at the website https://youtu.be/dXFMNZWxEc0

Michael C. Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2012-01-01

Abstract:Recent years have witnessed a meteoric increase in the adoption of smartphones. To manage information and features on such phones, Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run. In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.

Kun Yang,Jianwei Zhuge,Yongke Wang,Lujue Zhou,Hai-Xin Duan

DOI: https://doi.org/10.1145/2590296.2590316

2014-01-01

Abstract:ABSTRACTCapability leak is a vulnerability in Android applications, which violates the enforcement of permission model and threatens the secure usage of Android phone users. Malicious applications can launch permission escalation attacks with this vulnerability. In this paper, we propose a dynamic Intent fuzzing mechanism to uncover vulnerable applications in both Android markets and closed source ROMs. We built a prototype called IntentFuzzer. With it, we analyzed more than 2000 Android applications in Google Play and hundreds of in-rom applications inside two closed source ROMs. We found that 161 applications in Google Play have at least one permission leak, and 26 permissions in Xiaomi Hongmi phone and 19 permissions in Lenovo K860i stock phone are leaked. Finally, we give several cases of exploitation to verify our analysis result.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Songyang Wu,Yong Zhang,Bo Jin,Wei Cao

DOI: https://doi.org/10.1109/icct.2017.8359970

2017-01-01

Abstract:The permission model is an essential Android mechanism for resisting security threats: android malware can do very little if the user denies its requests for permissions. However, the recent literatures show that certain vulnerable applications with insufficiently enforced privileges may lead to critical permissions leakage via inter-application interaction. Malicious applications can trick these vulnerable applications to perform actions that are beyond their given privileges. This study proposes an efficient approach for the analysis of permission leakage vulnerabilities in Android inter-process communications; this approach identifies suspicious vulnerable paths based on an analysis of control-flow and dataflow. We handle the unsafe control flows over inter-component communication and asynchronous calls through Android callbacks, which is the major difference from previous related studies. The proposed system was evaluated using 550 real-world Android applications and the experiment result demonstrated the practicality of our method.

YANG Guang-liang,GONG Xiao-rui,YAO Gang,HAN Xin-hui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.23.001

2012-01-01

Abstract:To detect user’s privacy leakage in Android software,this paper proposes an automated detection system based on dynamic taint tracking,called TaintChaser.TaintChaser can detect behaviors of user’s data leakage in Android applications under test at a fine granularity,and the system also can analyze and test massive Android software in the automatic way.It uses TaintChaser to automatically analyze 28 369 popular Android applications and finds that 24.69% of them may leak user’s privacy.

Jiyuan Sun,Shaozhen Ye,Jianwei Liu,Tao Shang,Qi Lei

DOI: https://doi.org/10.1109/icgi.2017.14

2017-01-01

Abstract:Both benign and malicious developers are attracted to Android platform because anyone is allowed to publish applications on the Android market. Such capability leak vulnerability on the Android platform may lead to permission elevation and privacy disclosure by making malware bypass Android security mechanism. This paper presents a code scanner tool—Droidprotector which is applied to help developers search bugs and focus on the business of applications rather than the security problems. Firstly, Markov blanket is used for feature selection. Secondly, source code is analyzed by a machine-leaning method. Finally, malicious intents and capability leaks are detected. By collecting 3482 applications and 59 source files to learn Markov blanket as the feature set and testing this code scanner tool, the experimental results show that DroidProtector can detect the vulnerability of Android source code effectively by using Markov blanket to select features correctly.

Hao Zhou,Xiapu Luo,Haoyu Wang,Haipeng Cai

DOI: https://doi.org/10.1145/3548606.3560601

2022-01-01

Abstract:To prevent unauthorized apps from retrieving the sensitive data, Android framework enforces a permission based access control. However, it has long been known that, to bypass the access control, unauthorized apps can intercept the Intent objects which are sent by authorized apps and carry the retrieved sensitive data. We find that there is a new (previously unknown) attack surface in Android framework that can be exploited by unauthorized apps to violate the access control. Specifically, we discover that part of Intent objects that are sent by Android framework and carry sensitive data can be received by unauthorized apps, resulting in the leak of sensitive data. In this paper, we conduct the first systematic investigation on the new attack surface namely the Intent based leak of sensitive data in Android framework. To automatically uncover such kind of vulnerability in Android framework, we design and develop a new tool named LeakDetector, which finds the Intent objects sent by Android framework that can be received by unauthorized apps and carry the sensitive data. Applying LeakDetector to 10 commercial Android systems, we find that it can effectively uncover the Intent based leak of sensitive data in Android framework. Specifically, we discover 36 exploitable cases of such kind of data leak, which can be abused by unauthorized apps to steal the sensitive data, violating the access control. At the time of writing, 16 of them have been confirmed by Google, Samsung, and Xiaomi, and we received bug bounty rewards from these mobile vendors.

Xiaoyu Sun,Xiao Chen,Kui Liu,Sheng Wen,Li Li,John Grundy

DOI: https://doi.org/10.1109/issre52982.2021.00058

2021-10-01

Abstract:While extremely valuable to achieve advanced functions, mobile phone sensors can be abused by attackers to implement malicious activities in Android apps, as experimentally demonstrated by many state-of-the-art studies. There is hence a strong need to regulate the usage of mobile sensors so as to keep them from being exploited by malicious attackers. However, despite the fact that various efforts have been put in achieving this, i.e., detecting privacy leaks in Android apps, we have not yet found approaches to automatically detect sensor leaks in Android apps. To fill the gap, we designed and implemented a novel prototype tool, Seeker, that extends the famous FlowDroid tool to detect sensor-based data leaks in Android apps. Seeker conducts sensor-focused static taint analyses directly on the Android apps' bytecode and reports not only sensor-triggered privacy leaks but also the sensor types involved in the leaks. Experimental results using over 40,000 real-world Android apps show that Seeker is effective in detecting sensor leaks in Android apps, and malicious apps are more interested in leaking sensor data than benign apps.

Tao Liu,Zhushou Tang,Beijun Shen

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.03.070

2015-01-01

Abstract:When Android becomes the smartphone operating system with largest global market share,the malicious applications is booming on its platform.In particular,privacy leak problems in Android applications are getting worsening.With the development of technology,the concealment of privacy leaks in Android applications grows high increasingly,and its detection becomes more and more difficult as well,for instance,using reflection technique to hide the privacy leak operations.Facing such challenge,in this paper we detect and analyse the pseu-do-code of Android applications and propose a new analysis approach for detecting the reflection callings occurring in pseudo-code.Through re-constructing the reflection calling’s arguments and restoring it to the standard calling,we make the reflection calling explicit,so that those privacy leak behaviours which cannot be found and confirmed previously are detected.Based on this work,we design and implement a static detection tool for Android applications privacy leak.At last,the effectiveness of the proposed approach and tool is validated by the experi-ments and analyses on benign applications from Android market and the malicious applications collected from Internet.

Chen-Kai GUO,Jing XU,Guan-Nan SI,En-Peng LI,Si-Han XU

DOI: https://doi.org/10.11897/SP.J.1016.2016.02324

2016-01-01

Abstract:Program interfaces exposed against user’s wishes can lead to private information leak-ages within mobile applications.However,the complexity of design and context increases the detection difficulties of such leakages.Existing methods mainly rely on traditional static data flow analysis and dynamic monitoring techniques,which suffer from amounts of false negatives and false positives,and can hardly handle implicit information leakage problems.In this paper,the LTL (Linear Temporal Logic)model checking techniques are exploited for the first time to address those problems.Meanwhile,a statement instrumentation method based on the security features is proposed.Firstly,an abstract model of private information leakage is extracted from a targeted mobile application.Secondly,the driven generation rules and the instrumentation algorithm are constructed to generate the executable codes for model checking.Thirdly,a set of universal LTL properties are presented for detecting the information leakage.Besides,an optimal leakage detection algorithm is proposed to improve the detection efficiency.Finally,this paper also builds a mockup library of mobile platform,by which a corresponding prototype system <br> LFDroid (Leakage Finder of Android ) is developed. The experiment results on public benchmarks show that LFDroid can detect the implicit information leakage vulnerabilities smoothly and obtain a higher precision and recall compared to traditional methods.Meanwhile, LFDroid also finds out five implicit flow vulnerabilities within three real-world applications.

Xingqiu Zhong,Fanping Zeng,Zhichao Cheng,Niannian Xie,Xiaoxia Qin,Shuli Guo

DOI: https://doi.org/10.1109/bigcom.2017.21

2017-01-01

Abstract:As the most popular mobile operating system, there are large amount of applications developed for Android. Considering security issues, developers are forced to declare relative permissions in manifest file when they need to use sensitive APIs. With the ability of inter-component communication (ICC) provided by Android, malicious applications can indirectly call sensitive APIs through components exposed by other applications, leading to privilege escalation. To address this problem, we propose a method to detect this kind of privilege escalation between two applications. First, we compare the permission sets of both applications. Then, if necessary we identify call links between two applications and perform inter-application control flow analysis. Finally, according to the result of control flow analysis, we can judge whether the privilege escalation exists. As the experiment result shows, our method can accurately detect privilege escalation between two applications.

Hongyi Chen,Ho-fung Leung,Biao Han,Jinshu Su

DOI: https://doi.org/10.1109/icc.2017.7996335

2017-01-01

Abstract:Android apps frequently leak private data off the device with or without intentions. Researchers have proposed a large number of methods, for example, static and dynamic analysis methods, to pick out the apps which tend to leak private data. However, they are only able to identify part of private data leakage vulnerabilities, due to the dynamic features in codes or code coverage problem. This paper presents a novel hybrid approach that can find out more private data leakages than the existing static or dynamic methods. The approach, realized in a tool, called HybriDroid, which employs both static and dynamic analysis methods to extract the models of each apps, and then refines the behavior model to a more adequate one according to the dynamic analysis result. As a consequence, HybriDroid inherits the advantages of both static and dynamic analysis methods, which not only achieves a high code coverage, but also can deal with the dynamic features in codes. The evaluation results show that HybriDroid is effective in detecting privacy leakages for both inter-and intra-app communication. Comparing with the existing methods, it can achieve considerable improvements in data leakage detection performance with a 97.8% precision and 90% recall on the selected apps from DroidBench 3.0 test suite.

Ma Jun,Liu Sheng,Yue Shengtao,Tao Xianping,Lu Jian

DOI: https://doi.org/10.1109/compsac.2017.161

2017-01-01

Abstract:Memory leak, one of the most common problems threatening android apps, might drain the limited memory of mobile devices, cause unexpected delays, no-responses or even crashes to apps. Activity/Fragment Leak is one of the most common and serious causes of memory leaks and has a vast influence on the Android app market. Existing work to identify leaked activities/fragments either depend highly on the experience of developers, or require app's source code and manual interactions. In this paper, we propose an automatic tool named LeakDAF for detecting leaked activities/fragments automatically without manual intervention. LeakDAF makes use of UI testing technique to execute automatically the app under test, and applies memory analysis technique to inspect dumped heap files to identify leaked activities and fragments based on Android's mechanisms for managing them. To evaluate the effectiveness of LeakDAF, we successfully applied it to 35 open source and 64 commercial apps, and we detected at least one leaked activity or fragment for 10 open source apps and 35 commercial apps.

Yi He,Qi Li

DOI: https://doi.org/10.1109/pccc.2016.7820624

2016-01-01

Abstract:Android encourages inter-app interactions and facilitates functionality reusability by providing flexible inter-component communication (ICC) among apps. Components in apps can communicate with other components within single app or cross different apps. However, through this mechanism, components may leak permissions either carelessly or maliciously. Unfortunately, the current app-level permission model in Android cannot prevent such permissions leaks incurred by inter app communication. Simple permission enforcement is not sufficient as it cannot differentiate between normal permission usage and malicious permission usage (i.e., permission leakage). Therefore, users are required to grant permissions to apps during app installation, which may lead to permission mismanaged. In this paper, we propose IntentChecker that aims to detect permission leakage by proposing a light-weight mechanism. IntentChecker defends against the permission leakage attacks by adding authorization extension to the ICC mechanism and automatically generating patches for vulnerable apps. We evaluate IntentChecker with two benchmarks, i.e., Droidbench and ICCbench, and with 4031 real world apps. IntentChecker finds 324 apps that includes at least one permission leakage. We verify the effectiveness of the defense mechanism with 10 apps randomly selected from the vulnerable apps, which demonstrates that it is effective to prevent inter app permission leakage.

Xingmin Cui,Jingxuan Wang,Lucas Chi Kwong Hui,Zhongwei Xie,Tian Zeng,Siu-Ming Yiu

DOI: https://doi.org/10.1145/2766498.2766509

2015-01-01

Abstract:Due to the rapid increase of Android apps and their wide usage to handle personal data, a precise and large-scaling checker is in need to validate the apps' permission flow before they are listed on the market. Several tools have been proposed to detect sensitive data leaks in Android apps. But these tools are not applicable to large-scale analysis since they fail to deal with the arbitrary execution orders of different event handlers smartly. Event handlers are invoked by the framework based on the system state, therefore we cannot pre-determine their order of execution. Besides, since all exported components can be invoked by an external app, the execution orders of these components are also arbitrary. A naive way to simulate these two types of arbitrary execution orders yields a permutation of all event handlers in an app. The time complexity is O(n!) where n is the number of event handlers in an app. This leads to a high analysis overhead when n is big. To give an illustration, CHEX [10] found 50.73 entry points of 44 unique class types in an app on average. In this paper we propose an improved static taint analysis to deal with the challenge brought by the arbitrary execution orders without sacrificing the high precision. Our analysis does not need to make permutations and achieves a polynomial time complexity. We also propose to unify the array and map access with object reference by propagating access paths to reduce the number of false positives due to field-insensitivity and over approximation of array access and map access. We implement a tool, WeChecker, to detect privilege escalation vulnerabilities [7] in Android apps. WeChecker achieves 96% precision and 96% recall in the state-of-the-art test suite DriodBench (for compairson, the precision and recall of FlowDroid [1] are 86% and 93%, respectively). The evaluation of WeChecker on real apps shows that it is efficient (average analysis time of each app: 29.985s) and fits for large-scale checking.

Xu JIANG,Chang-sheng ZHANG,Da-meng DAI,Jing RUAN,De-jun MU

DOI: https://doi.org/10.3785/j.issn.1008-973X.2016.12.016

2016-01-01

Abstract:A multi-level detection method based on semi-lattice data flow analysis was proposed in order to solve the problem of Android privacy data leakage .For the applications without root privilege ,the fine-grained range of source functions was determined that generated privacy data and sink functions that leaked them ,according to the permissions for the application .If the source functions and the sink functions existed in the same application ,the detection system began to analyze data flow .When the two kinds of functions located in different components , the method could transform inter-component communication (ICC ) problem into inter-procedural distributive environment (IDE ) problem . Results show that the proposed method can detect the privacy data leakage not only for communication in the same component , but also for communication between different components .The accuracy of the proposed method reaches 91 .5% ,which can significantly save detection time compared with other state-of-the-art methods under the condition of similar precision and recall rate .

YANG Bo,TANG Zhu-shou,ZHU Hao-jin,SHEN Bei-jun,LIN Jiu-chuan

DOI: https://doi.org/10.3969/j.issn.1002-137X.2012.z3.005

2012-01-01

Computer Science

Abstract:Android applications that have access to crucial system resources are the targets of attackers.An application applies the access rights when it is installed,and users always ignore that.This paper proposes a new method to detect overprivilege in compiled Android applications,which leverages dataflow analysis to get the parameters of an API call.A static detection tool "Brox" is implemented based on this method.And Brox is tested using multiply Android applications.The test results on the accuracy and performance are quite encouraging.

Haoyu Wang,Yao Guo,Zihao Tang,Guangdong Bai,Xiangqun Chen

DOI: https://doi.org/10.1109/GLOCOM.2015.7417621

2015-01-01

Abstract:Recent studies on the Android permission system have found that there exists a permission gap between the requested permissions and permissions actually used in an Android app. However, current approaches face some challenges when detecting such permission gaps in Android apps due to the limitation of static analysis techniques. This paper proposes a novel approach to detect permission gaps in Android apps and determine the precise set of permissions that an app needs to run correctly. Our approach includes a static analysis technique to extract permission usage information from API invocations, and a dynamic testing technique to test and monitor the runtime permission usage behaviors of apps. By combining static analysis and dynamic testing, our approach can detect significantly more permission usage information compared to static analysis, indicating that our approach could improve the detection accuracy and reduce the false positives in permission gap detection. We have implemented a prototype to study more than 1,000 popular apps from Google Play. The results show that our approach could detect on average 30% more permissions that are used in apps, while more than 8% of the overprivileged apps detected by previous approaches are false positives.