ARF: identifying re-delegation vulnerabilities in Android system services

Over the past decade, the security of the Android platform has undergone significant scrutiny by both academic and industrial researchers. This scrutiny has been largely directed towards third-party applications and a few critical system interfaces, leaving much of Android's middleware unstudied. Building upon recent efforts to more rigorously analyze authorization logic in Android's system services, we revisit the problem of permission re-delegation, but in the context of system service entry points. In this paper, we propose the Android Re-delegation Finder (ARF) analysis framework for helping security analysts identify permission re-delegation vulnerabilities within Android's system services. ARF analyzes an interconnected graph of entry points in system services, deriving calling dependencies, annotating permission checks, and identifying potentially vulnerable deputies that improperly expose information or functionality to third-party applications. We apply ARF to Android AOSP version 8.1.0 and find that it refines the set of 15,483 paths between entry points down to a manageable set of 490 paths. Upon manual inspection, we found that 170 paths improperly exposed information or functionality, consisting of 86 vulnerable deputies. Through this effort, we demonstrate the need for continued investigation of automated tools to analyze the authorization logic within the Android middleware.
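The analysis the abstract describes can be sketched in a few dozen lines: build a graph whose nodes are service entry points, annotate each node with the permission checks it enforces, and flag any path along which a caller reaches an entry point that is more strongly protected than anything enforced on the way there. The script below is an added illustration written for this page, not ARF's own implementation. The service and permission names, the three-level protection ranking, and the call graph are all constructed for the example; real AOSP services, permission levels and call dependencies would be recovered by a static analysis such as the one ARF performs.

```python
"""Toy permission re-delegation finder over a constructed entry-point graph.

Idea (from the ARF abstract): a system-service entry point that performs a weak
(or no) permission check but internally reaches functionality guarded by a
stronger check is a potential deputy, because a third-party app can call the
weak entry point and obtain the stronger one's effect.
"""
from typing import Dict, List, Tuple

# Assumed ranking of permission protection levels: higher = harder for a
# third-party app to hold. 0 means the entry point performs no check at all.
PROTECTION_RANK: Dict[str, int] = {"normal": 1, "dangerous": 2, "signature": 3}

# Constructed sample (hypothetical services/permissions, not real AOSP code):
# entry point -> protection levels of the permissions it checks.
CHECKS: Dict[str, List[str]] = {
    "IWidgetService.listWidgets": [],              # unchecked
    "IWidgetService.setWidgetOwner": ["normal"],
    "IAccountHelper.getAccountNames": ["dangerous"],
    "IAccountHelper.internalDump": ["signature"],
    "IStatsService.recordEvent": ["normal"],
}

# Constructed calling dependencies: caller entry point -> callee entry points.
CALLS: Dict[str, List[str]] = {
    "IWidgetService.listWidgets": ["IAccountHelper.getAccountNames"],
    "IWidgetService.setWidgetOwner": ["IAccountHelper.internalDump",
                                      "IStatsService.recordEvent"],
    "IAccountHelper.getAccountNames": [],
    "IAccountHelper.internalDump": [],
    "IStatsService.recordEvent": [],
}

Finding = Tuple[str, Tuple[str, ...], str, int, int]


def strength(entry: str, checks: Dict[str, List[str]] = CHECKS) -> int:
    """Strongest protection level an entry point enforces (0 = no check)."""
    return max((PROTECTION_RANK[p] for p in checks.get(entry, [])), default=0)


def find_redelegations(checks: Dict[str, List[str]],
                       calls: Dict[str, List[str]]) -> List[Finding]:
    """Return (deputy, path, target, enforced_rank, target_rank) tuples.

    A path is reported when the strongest check enforced so far along it is
    weaker than the check the next entry point on the path would require.
    Checks accumulate along the path: once a 'signature' check has been passed,
    nothing reached afterwards counts as re-delegated.
    """
    findings: List[Finding] = []
    for source in sorted(calls):
        # Depth-first walk; each frame carries the strongest check met so far.
        stack = [(source, (source,), strength(source, checks))]
        while stack:
            node, path, enforced = stack.pop()
            for callee in calls.get(node, []):
                if callee in path:          # ignore recursive cycles
                    continue
                target_rank = strength(callee, checks)
                new_path = path + (callee,)
                if target_rank > enforced:
                    findings.append((source, new_path, callee, enforced, target_rank))
                stack.append((callee, new_path, max(enforced, target_rank)))
    return findings


if __name__ == "__main__":
    for deputy, path, target, got, need in find_redelegations(CHECKS, CALLS):
        print(f"deputy {deputy} (rank {got}) reaches {target} (rank {need}) "
              f"via {' -> '.join(path)}")
```

On the constructed graph the walk reports two candidate deputies: the unchecked `listWidgets` reaching a `dangerous`-guarded method, and the `normal`-guarded `setWidgetOwner` reaching a `signature`-guarded one, while its call into the equally weak `recordEvent` is not reported. As in the paper, such a list is a starting point for manual review rather than a set of confirmed vulnerabilities: the analyst still has to decide whether the reachable functionality is actually sensitive and whether the deputy forwards anything attacker-controlled.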
