Reducing attack surfaces for intra-application communication in Android

The complexity of Android's message-passing system has led to numerous vulnerabilities in third-party applications. Many of these vulnerabilities are a result of developers confusing inter-application and intra-application communication mechanisms. Consequently, we propose modifications to the Android platform to detect and protect inter-application messages that should have been intra-application messages. Our approach automatically reduces attack surfaces in legacy applications. We describe our implementation for these changes and evaluate it based on the attack surface reduction and the extent to which our changes break compatibility with a large set of popular applications. We fix 100% of intra-application vulnerabilities found in our previous work, which represents 31.4% of the total security flaws found in that work. Furthermore, we find that 99.4% and 93.0% of Android applications are compatible with our sending and receiving changes, respectively.
