Call Me Back!: Attacks on System Server and System Apps in Android through Synchronous Callback

Android is the most widely used mobile operating system. Its core, the System Server (SS), is a multi-threaded process that provides most of the system services. Based on a new understanding of the security risks introduced by the callback mechanism in system services (a service invokes an app-supplied callback synchronously, so the service waits on code the app controls), we have discovered a general type of design flaw. We designed and implemented a vulnerability detection tool based on static taint analysis and applied it to all 80 system services in the SS of Android 5.1.0. With its help, we discovered six previously unknown vulnerabilities, which we further confirmed on Android 2.3.7 through 6.0.1. According to our analysis, about 97.3% of the 1.4 billion real-world Android devices are vulnerable. Our proof-of-concept attack shows that the vulnerabilities enable a malicious app to freeze critical system functionalities or soft-reboot the system immediately: a neat form of denial-of-service attack. We also show that the attacks can be launched at mission-critical moments to achieve meaningful goals, such as defeating anti-virus software, defeating process killers, and hindering app updates or system patching. After being informed, Google confirmed our findings promptly. We also proposed to Google several suggestions on how to use callbacks safely.
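The flaw the abstract describes is a concurrency pattern rather than a single bug: a service takes its state lock, calls back into an app it does not trust, and stays blocked (lock held) for as long as the app's callback chooses not to return, so every other client of that service hangs. The following Python model is an added illustration, not the paper's tool, its proof-of-concept, or Android code. It reduces the System Server to a lock plus a listener list, models one malicious listener that never returns, and contrasts the flawed synchronous dispatch with a hardened dispatch that snapshots the listeners, drops the lock, and delivers each callback on its own thread, which is analogous to a Binder oneway transaction. All class, function and event names are assumptions made for the example; the watchdog-triggered soft reboot of the real System Server is not modelled.

```python
import threading
from typing import Callable, List

Event = str
Callback = Callable[[Event], None]


class SynchronousCallbackService:
    """Illustrative model (not Android code) of the flawed pattern: the service
    takes its state lock and, while still holding it, calls each app-supplied
    callback synchronously. A callback that never returns pins the lock."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._listeners: List[Callback] = []

    def register_listener(self, cb: Callback) -> None:
        with self._lock:
            self._listeners.append(cb)

    def dispatch(self, event: Event) -> None:
        with self._lock:  # lock held across untrusted code: the design flaw
            for cb in list(self._listeners):
                cb(event)

    def service_available(self, timeout: float) -> bool:
        """Models any other client calling into the same service; True if the
        request could be served within `timeout` seconds, False if frozen."""
        if self._lock.acquire(timeout=timeout):
            self._lock.release()
            return True
        return False


class OnewayCallbackService(SynchronousCallbackService):
    """Hardened variant: snapshot the listeners under the lock, release it,
    then deliver each callback on its own thread, so a stuck callback can
    neither hold the lock nor block the dispatching thread."""

    def dispatch(self, event: Event) -> None:
        with self._lock:
            listeners = list(self._listeners)
        for cb in listeners:
            threading.Thread(target=cb, args=(event,), daemon=True).start()


def make_blocking_callback(release: threading.Event) -> Callback:
    """Constructed malicious listener: returns only once `release` is set."""
    def cb(_event: Event) -> None:
        release.wait()
    return cb


def run_scenario(service_cls, probe_timeout: float = 0.5) -> bool:
    """Register the blocking listener, fire an event on a separate thread (as a
    Binder call would arrive), then probe whether other clients are still
    served. Returns True if the service stayed responsive."""
    release = threading.Event()
    service = service_cls()
    service.register_listener(make_blocking_callback(release))
    t = threading.Thread(target=service.dispatch, args=("SCREEN_ON",), daemon=True)
    t.start()
    t.join(0.2)  # give dispatch time to enter the malicious callback
    available = service.service_available(probe_timeout)
    release.set()  # let the stuck callback finish so threads exit cleanly
    t.join(1.0)
    return available


if __name__ == "__main__":
    print("synchronous dispatch responsive:", run_scenario(SynchronousCallbackService))
    print("oneway dispatch responsive:     ", run_scenario(OnewayCallbackService))
```

The probe in `service_available` stands in for any unrelated client of the same service; with the synchronous design its request never gets the lock while the malicious callback sleeps, which is the freeze the abstract describes. Delivering callbacks outside the lock is the minimum fix; in the real System Server the oneway flag additionally lets the service thread return immediately rather than wait for the app at all.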
