Dynamic detection of inter-application communication vulnerabilities in Android

A main aspect of the Android platform is Inter-Application Communication (IAC), which enables reuse of functionality across apps and app components via message passing. While a powerful feature, IAC also constitutes a serious attack surface. A malicious app can embed a payload into an IAC message, thereby driving the recipient app into a potentially vulnerable behavior if the message is processed without its fields first being sanitized or validated. We present what to our knowledge is the first comprehensive testing algorithm for Android IAC vulnerabilities. Toward this end, we first describe a catalog, stemming from our field experience, of 8 concrete vulnerability types that can potentially arise due to unsafe handling of incoming IAC messages. We then explain the main challenges that automated discovery of Android IAC vulnerabilities entails, including in particular path coverage and custom data fields, and present simple yet surprisingly effective solutions to these challenges. We have realized our testing approach as the IntentDroid system, which is available as a commercial cloud service. IntentDroid utilizes lightweight platform-level instrumentation, implemented via debug breakpoints (to run atop any Android device without any setup or customization), to recover IAC-relevant app-level behaviors. Evaluation of IntentDroid over a set of 80 top-popular apps has revealed a total 150 IAC vulnerabilities — some already fixed by the developers following our report — with a recall rate of 92% w.r.t. a ground truth established via manual auditing by a security expert.

[1]  Jan S. Rellermeyer,et al.  An empirical study of the robustness of Inter-component Communication in Android , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[2]  Heng Yin,et al.  Attacks on WebView in the Android system , 2011, ACSAC '11.

[3]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[4]  David A. Wagner,et al.  Reducing attack surfaces for intra-application communication in android , 2012, SPSM '12.

[5]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[6]  John Regehr,et al.  Intent fuzzer: crafting intents of death , 2014, WODA+PERTEA 2014.

[7]  William Enck,et al.  AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[8]  Eran Yahav,et al.  Verifying atomicity via data independence , 2014, ISSTA 2014.

[9]  Herbert Bos,et al.  Paranoid Android: versatile protection for smartphones , 2010, ACSAC '10.

[10]  Kun Yang,et al.  IntentFuzzer: detecting capability leaks of android applications , 2014, AsiaCCS.

[11]  Eric Bodden,et al.  DroidForce: Enforcing Complex, Data-centric, System-wide Policies in Android , 2014, 2014 Ninth International Conference on Availability, Reliability and Security.

[12]  Hui Ye,et al.  DroidFuzzer: Fuzzing the Android Apps with Intent-Filter Tag , 2013, MoMM '13.

[13]  Geoffrey H. Kuenning,et al.  Improving the security of Android inter-component communication , 2013, 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013).

[14]  David A. Wagner,et al.  Analyzing inter-application communication in Android , 2011, MobiSys '11.

[15]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[16]  Pierre Wolper,et al.  Expressing interesting properties of programs in propositional temporal logic , 1986, POPL '86.

[17]  Thomas W. Reps,et al.  Precise Interprocedural Dataflow Analysis with Applications to Constant Propagation , 1995, TAPSOFT.

[18]  Jacques Klein,et al.  Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis , 2013 .