research-article
Open Access

Vulvet: Vetting of Vulnerabilities in Android Apps to Thwart Exploitation

Published: 29 May 2020

Abstract

Protecting the data security and privacy of Android users is a challenging problem for the security research community. Many security vulnerabilities in Android apps stem from bugs in the source code, insecure APIs, and missing validation before sensitive operations are performed. The major classes of app vulnerabilities fall into categories such as inter-component communication (ICC), networking, web, cryptographic APIs, storage, and runtime-permission validation. Most existing work focuses on detecting a small subset of these vulnerabilities, and these methods do not discuss how to remove the detected vulnerabilities from the affected code.

In this work, we propose a novel vulnerability detection and patching framework, Vulvet, which employs static analysis approaches from different domains of program analysis to detect a wide range of vulnerabilities in Android apps. We propose an additional lightweight technique, FP-Validation, that mitigates the false positives existing solutions incur through over-approximation. In addition to improved detection, Vulvet automatically patches apps, replacing each identified vulnerability with safe code through bytecode instrumentation. We implement Vulvet as an extension of Soot. To demonstrate the effectiveness of the framework, we analyzed 3,700 apps collected from various app stores, together with benchmarks consisting of various weak implementations. Our results show that Vulvet detects vulnerabilities with 95.23% precision and an F-measure of 0.975 on the benchmark apps, a significant improvement over recent work, and successfully patches the identified vulnerabilities.
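The abstract lists cryptographic-API misuse as one of the vulnerability classes Vulvet detects and patches. As an added illustration, not code from the paper or the Vulvet implementation, the block below shows one instance of that class in plain Java (JCE only, no Android SDK needed): the weak code a static checker can flag because both the transformation string and the IV are compile-time constants, beside the hardened code a patch would have to substitute. The class and method names, the in-memory demo key and the sample record are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration (not the paper's code): weak vs. safe use of the JCE
 * Cipher API. Key management is simplified to a hypothetical in-memory key.
 */
public class CipherMisuseDemo {

    // VULNERABLE: constant transformation string and a hard-coded all-zero IV.
    // Both are literals, which is exactly what a static checker can resolve
    // without running the app. The same plaintext always yields the same
    // ciphertext, and CBC offers no integrity protection.
    static byte[] weakEncrypt(byte[] key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(new byte[16]));        // fixed IV: the finding
        return c.doFinal(plaintext);
    }

    // SAFE: authenticated mode, fresh random nonce per call, nonce prepended so
    // the receiver can recover it. Changing the mode also changes the init()
    // arguments, so a bytecode patch has to rewrite the whole call sequence,
    // not just the transformation string.
    static byte[] safeEncrypt(byte[] key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];                       // 96-bit GCM nonce
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(128, nonce));          // 128-bit auth tag
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Splits the nonce back off and decrypts; doFinal() throws
    // AEADBadTagException if the ciphertext or tag was modified.
    static byte[] safeDecrypt(byte[] key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                         // constructed demo key only
        new SecureRandom().nextBytes(key);
        byte[] msg = "user=alice;token=1234".getBytes(StandardCharsets.UTF_8);

        // Weak path: encrypting the same record twice gives identical bytes,
        // so an attacker who reads storage can tell which records are equal.
        System.out.println("weak ciphertexts identical: "
            + Arrays.equals(weakEncrypt(key, msg), weakEncrypt(key, msg)));

        // Safe path: distinct ciphertexts, correct round trip, tampering rejected.
        byte[] a = safeEncrypt(key, msg);
        byte[] b = safeEncrypt(key, msg);
        System.out.println("safe ciphertexts identical: " + Arrays.equals(a, b));
        System.out.println("safe round trip matches: "
            + Arrays.equals(safeDecrypt(key, a), msg));
        a[a.length - 1] ^= 0x01;                           // flip one ciphertext bit
        try {
            safeDecrypt(key, a);
            System.out.println("tampering detected: no");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: yes");
        }
    }
}
```

Compile and run with `javac CipherMisuseDemo.java && java CipherMisuseDemo`. The point for a vetting tool is the comment on safeEncrypt: the detection side can work on literals (the transformation string, the zero-filled IV array), but the patch side cannot be a one-constant rewrite, because the safe construction changes the parameter-spec type passed to init() and the layout of the stored ciphertext.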



    • Published in

      Digital Threats: Research and Practice, Volume 1, Issue 2 (Field Notes)
      June 2020, 139 pages
      EISSN: 2576-5337
      DOI: 10.1145/3403598

      Copyright © 2020 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 29 May 2020
      • Online AM: 7 May 2020
      • Accepted: 1 December 2019
      • Revised: 1 October 2019
      • Received: 1 April 2019


      Qualifiers

      • research-article
      • Research
      • Refereed
