Borrowing your enemy’s arrows: the case of code reuse in Android via direct inter-app code invocation

The Android ecosystem offers different facilities to enable communication among app components and across apps, so that rich services can be composed through functionality reuse. At the heart of this system is the Inter-Component Communication (ICC) scheme, which has been extensively studied in the literature. Less known in the community is another powerful mechanism that allows direct inter-app code invocation, which opens up different reuse scenarios, both legitimate and malicious. This paper exposes the general workflow of this mechanism, which, beyond ICC, enables app developers to access and invoke functionalities (entire Java classes, methods or object fields) implemented in other apps using official Android APIs. We experimentally showcase how this reuse mechanism can be leveraged to “plagiarize” supposedly-protected functionalities. For example, we were able to leverage this mechanism to bypass the security guards that a popular video broadcaster has put in place to prevent access to its video database from outside its own app. We further contribute a static analysis toolkit, named DICIDer, for detecting direct inter-app code invocations in apps. We then conduct an empirical analysis of how prevalent the use of this reuse mechanism is. Finally, we discuss the usage contexts and the implications of this reuse mechanism.
