Top

International Journal of Information Security

Published in:

22-04-2022 | regular contribution

IntentAuth: Securing Android’s Intent-based inter-process communication

Authors: Christos Lyvas, Costas Lambrinoudakis, Dimitris Geneiatakis

Published in: International Journal of Information Security | Issue 5/2022

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Android Intent redirection, malicious activity launch and intent hijacking attacks can highly impact users’ data confidentiality and integrity. More specifically, malicious applications launch this type of attacks in order to manipulate the provided services and gain access to sensitive data. Though such attacks are not yet common, we argue that they require high attention as they can easily enable malevolent entities to access sensitive data. In this work, we introduce a novel, but also practical, operating system level service, namely IntentAuth that supports secure inter-process communication between applications, and allows the users to define their own policies for controlling applications’ interactions. Thus, a secure inter-process communication mechanism that provides encrypted transmission of intent data, based on user-defined policies, is proposed. We demonstrate that the proposed mechanism does not affect users’ experience whenever the execution flow switches, through implicit intents, among different applications.

previous article Efficient verifiable computation over quotient polynomial rings

next article A Digital Asset Inheritance Model to Convey Online Persona Posthumously

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

https://gitlab.ds.unipi.gr/systems-security-laboratory/intentauth.

https://android.googlesource.com/platform/system/core/+/refs/tags/android-11.0.0_r3/libcutils/include/private/android_filesystem_config.h.

https://android.googlesource.com/platform/system/security/+/refs/tags/android-11.0.0_r3/keystore/permissions.cpp.

https://cwe.mitre.org/data/definitions/926.html.

https://android.googlesource.com/platform/system/core/+/refs/tags/android-11.0.0_r3/libcutils/include/private/android_filesystem_config.h.

https://github.com/mobile-security/Morbs.

https://github.com/intentio-ex-machina/Intentio-Ex-Machina/wiki/My-First-User-Firewall.

https://github.com/intentio-ex-machina/Intentio-Ex-Machina/blob/master/IntentFirewall.java.

Statista, Mobile operating systems’ market share worldwide from January 2012 to October 2020, cited December 23rd 2020. https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/ (2020)

Tang, J., Cui, X., Zhao, Z., Guo, S., Xu, X., Hu, C., Ban, T., Mao, B.: Nivanalyzer: a tool for automatically detecting and verifying next-intent vulnerabilities in android apps. In: 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST). IEEE, pp. 492–499 (2017)

El-Zawawy, M.A., Losiouk, E., Conti, M.: Do not let next-intent vulnerability be your next nightmare: type system-based approach to detect it in android apps. Int. J. Inf. Secur. 1–20 (2020)

Wang, R., Xing, L., Wang, X., Chen, S.: Unauthorized origin crossing on mobile platforms: threats and mitigation. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 635–646 (2013)

Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, pp. 239–252 (2011)

Yagemann, C., Du, W.: Intentio ex machina: Android intent access control via an extensible application hook. In: European Symposium on Research in Computer Security. Springer, pp. 383–400 (2016)

Android Open Source Project, Application Fundamentals. Technical report, cited March 22nd 2020. https://developer.android.com/guide/components/fundamentals (2019)

Singh, R.: An overview of android operating system and its security. J. Eng. Res. Appl. 4, 519–521 (2014)

Android Open Source Project, Security-Enhanced Linux in Android. Technical report, cited October 30 2020. https://source.android.com/security/selinux (2020)

10.

Kalysch, A., Deutel, M., Müller, T.: Template-based android inter process communication fuzzing. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1–6 (2020)

11.

Soares, P.G.: On remote procedure call. In: Proceedings of the 1992 Conference of the Centre for Advanced Studies on Collaborative Research—Volume 2, CASCON’92. IBM Press, pp. 215–267 (1992)

12.

Birrell, A.D., Nelson, B.J.: Implementing remote procedure calls. ACM Trans. Comput. Syst. 2(1), 39–59 (1984). https://doi.org/10.1145/2080.357392CrossRef

13.

Android Open Source Project, Android Architecture. Technical report, cited March 24nd 2020. https://source.android.com/devices/architecture (2020)

14.

Tang, X., Song, T., Wang, K., Liang, A.: Fine-grained access control on android through behavior monitoring. In: Advances in Computer Communication and Computational Sciences. Springer, pp. 525–532 (2019)

15.

Android Open Source Project, Intents and Intent Filters. Technical report, cited March 22nd 2020. https://developer.android.com/guide/components/intents-filters (2019)

16.

Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in android: an essential step towards holistic security analysis. In: Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 543–558 (2013)

17.

Android Open Source Project, Android Keystore System. Technical report, cited October 30 2020. https://developer.android.com/training/articles/keystore (2020)

18.

Android Open Source Project, Trusty TEE. Technical report, cited September 23rd 2020. https://source.android.com/security/trusty (2020)

19.

Jha, A.K., Lee, S., Lee, W.J.: Developer mistakes in writing android manifests: an empirical study of configuration errors. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 25–36 (2017). https://doi.org/10.1109/MSR.2017.41

20.

Wu, J., Cui, T., Ban, T., Guo, S., Cui, L.: Paddyfrog: systematically detecting confused deputy vulnerability in android applications. Secur. Commun. Netw. 8(13), 2338–2349 (2015)CrossRef

21.

Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 229–240 (2012)

22.

Chan, P.P., Hui, L.C., Yiu, S.-M.: Droidchecker: analyzing android applications for capability leak. In: Proceedings of the fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 125–136 (2012)

23.

Maqsood, H.M.A., Qureshi, K.N., Bashir, F., Islam, N.U.: Privacy leakage through exploitation of vulnerable inter-app communication on android. In: 2019 13th International Conference on Open Source Systems and Technologies (ICOSST). IEEE, pp. 1–6 (2019)

24.

Yang, K., Zhuge, J., Wang, Y., Zhou, L., Duan, H.: Intentfuzzer: detecting capability leaks of android applications. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 531–536 (2014)

25.

Garcia, J., Hammad, M., Ghorbani, N., Malek, S.: Automatic generation of inter-component communication exploits for android applications. In: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, pp. 661–671 (2017)

26.

Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: attacks and defenses. In: USENIX Security Symposium, vol. 30, 2011, p. 88

27.

Kaladharan, Y., Mateti, P., Jevitha, K.: An encryption technique to thwart android binder exploits. In: Intelligent Systems Technologies and Applications. Springer, pp. 13–21 (2016)

28.

Ren, X., Sun, J., Xing, Z., Xia, X., Sun, J.: Demystify official api usage directives with crowdsourced api misuse scenarios, erroneous code examples and patches. In: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 925–936 (2020)

29.

Egele, M., Brumley, D., Fratantonio, Y., Kruegel, C.: An empirical study of cryptographic misuse in android applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 73–84 (2013)

30.

Geneiatakis, D., Fovino, I.N., Kounelis, I., Stirparo, P.: A permission verification approach for android mobile applications. Comput. Secur. 49, 192–205 (2015)CrossRef

31.

Google Help, Remediation for Intent Redirection Vulnerability. Technical report, cited September 15nd 2020. https://support.google.com/faqs/answer/9267555?hl=en (2020)

32.

Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS’10, Association for Computing Machinery, New York, NY, USA, pp. 328–332 (2010). https://doi.org/10.1145/1755688.1755732. https://doi.org/10.1145/1755688.1755732

33.

Xu, R., Saïdi, H., Anderson, R.: Aurasium: practical policy enforcement for android applications. In: 21st USENIX Security Symposium (USENIX Security 12), USENIX Association, Bellevue, WA, pp. 539–552 (2012). https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/xu_rubin

34.

Schreckling, D., Köstler, J., Schaff, M.: Kynoid: real-time enforcement of fine-grained, user-defined, and data-centric security policies for android. Inf. Secur. Tech. Rep. 17(3), 71–80 (2013). https://doi.org/10.1016/j.istr.2012.10.006CrossRef

Title: IntentAuth: Securing Android’s Intent-based inter-process communication
Authors: Christos Lyvas
Costas Lambrinoudakis
Dimitris Geneiatakis
Publication date: 22-04-2022
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 5/2022
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-022-00592-9

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 5/2022

Security analysis on “Three-factor authentication protocol using physical unclonable function for IoV”

Efficient verifiable computation over quotient polynomial rings

Lib2Desc: automatic generation of security-centric Android app descriptions using third-party libraries

Classifying resilience approaches for protecting smart grids against cyber threats

A Digital Asset Inheritance Model to Convey Online Persona Posthumously

ANS-based compression and encryption with 128-bit security

Premium Partner