Erika Chin
ABSTRACT
Modern smartphone operating systems support the development of third-party applications with open system APIs. In addition to an open API, the Android operating system also provides a rich inter-application message passing system. This encourages inter-application collaboration and reduces developer burden by facilitating component reuse. Unfortunately, message passing is also an application attack surface. The content of messages can be sniffed, modified, stolen, or replaced, which can compromise user privacy. Also, a malicious application can inject forged or otherwise malicious messages, which can lead to breaches of user data and violate application security policies.
We examine Android application interaction and identify security risks in application components. We provide a tool, ComDroid, that detects application communication vulnerabilities. ComDroid can be used by developers to analyze their own applications before release, by application reviewers to analyze applications in the Android Market, and by end users. We analyzed 20 applications with the help of ComDroid and found 34 exploitable vulnerabilities; 12 of the 20 applications have at least one vulnerability.
- Android Market. http://www.android.com/market/.Google Scholar
- Android permissions. http://android.git.kernel.org/?p=platform/frameworks/base.git;a=blob;f=%core/res/AndroidManifest.xml.Google Scholar
- iPhone App Store. http://www.apple.com/iphone/apps-for-iphone/.Google Scholar
- MobiStealth. http://www.mobistealth.com/.Google Scholar
- Appventive. ICE: In case of emergency. http://www.appventive.com/ice.Google Scholar
- A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proc. of the 15th ACM Conference on Computer and Communications Security (CCS 2008), 2008. Google ScholarDigital Library
- J. Burns. Mobile application security on Android. Blackhat, 2009.Google Scholar
- B. Chess and G. McGraw. Static analysis for security. Security & Privacy, IEEE, 2(6):76--79, 2004. Google ScholarDigital Library
- W. Cheswick, S. Bellovin, and A. Rubin. Firewalls and Internet security: repelling the wily hacker. Addison-Wesley Longman Publishing Co., Inc. Boston, MA, USA, 2003. Google ScholarDigital Library
- P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazieres, F. Kaashoek, and R. Morris. Labels and event processes in the Asbestos operating system. In Proc. of the 20th ACM Symposium on Operating Systems Principles, pages 17--30. ACM, 2005. Google ScholarDigital Library
- W. Enck, P. Gilbert, B.-g. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), Vancouver, October 2010. Google ScholarDigital Library
- W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proc. of the 20th USENIX Security Symposium, August 2011. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proc. of the 16th ACM Conference on Computer and Communications Security (CCS), November 2009. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. Understanding Android security. IEEE Security and Privacy, 7(1):50--57, 2009. Google ScholarDigital Library
- A. P. Fuchs, A. Chaudhuri, and J. S. Foster. SCanDroid: Automated security certification of Android applications. Technical report, University of Maryland, 2009.Google Scholar
- M. Howard, J. Pincus, and J. Wing. Measuring relative attack surfaces. Computer Security in the 21st Century, pages 109--137, 2005.Google ScholarCross Ref
- IMDb. IMDb Movies & TV. http://www.androlib.com/android.application.com-imdb-mobile-jzEzw.aspx.Google Scholar
- N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In Securecomm and Workshops, 2006, pages 1--10. IEEE, 2006.Google ScholarCross Ref
- M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. Kaashoek, E. Kohler, and R. Morris. Information flow control for standard OS abstractions. In Proc. of 21st ACM SIGOPS Symposium on Operating Systems Principles, pages 321--334. ACM, 2007. Google ScholarDigital Library
- H. Lee. Nationwide bus. http://www.androlib.com/android.application.net-hyeongkyu-android-inche%onbus-Eqwq.aspx.Google Scholar
- V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proc. of the 14th Conference on USENIX Security Symposium, pages 18--18. USENIX Association, 2005. Google ScholarDigital Library
- P. Manadhata, J. Wing, M. Flynn, and M. McQueen. Measuring the attack surfaces of two FTP daemons. In Proc. of the 2nd ACM Workshop on Quality of Protection, pages 3--10. ACM, 2006. Google ScholarDigital Library
- A. Myers and B. Liskov. Protecting privacy using the decentralized label model. ACM Transactions on Software Engineering and Methodology (TOSEM), 9(4):410--442, 2000. Google ScholarDigital Library
- G. Paller. Dedexer. http://dedexer.sourceforge.net/.Google Scholar
- M. A. Troy Vennon. Android malware: Spyware in the Android Market. Technical report, SMobile Systems, March 2010.Google Scholar
- T. Vennon. Android malware: A study of known and potential malware threats. Technical report, SMobile Systems, February 2010.Google Scholar
- D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Network and Distributed System Security Symposium, pages 3--17, 2000.Google Scholar
- N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. In Proc. of the 7th Symposium on Operating Systems Design and Implementation, pages 263--278. USENIX Association, 2006. Google ScholarDigital Library
Index Terms
- Analyzing inter-application communication in Android
Recommendations
Reducing attack surfaces for intra-application communication in android
SPSM '12: Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devicesThe complexity of Android's message-passing system has led to numerous vulnerabilities in third-party applications. Many of these vulnerabilities are a result of developers confusing inter-application and intra-application communication mechanisms. ...
An automated testing approach for inter-application security in Android
AST 2014: Proceedings of the 9th International Workshop on Automation of Software TestRecently, Google Android has occupied a major market share of mobile phone systems as a result of its openness for developers and richness for users. By the distribution channels of the Android market, both development and use of Android applications ...
Inter-app communication between Android apps developed in app-inventor and Android studio
MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and SystemsCommunications between mobile apps are an important aspect of mobile platforms. Android is specifically designed with inter-app communication in mind and depends on this to provide different platform specific functionalities. Android Apps can either be ...
Comments