COVERT: Compositional Analysis of Android Inter-App Permission Leakage

Android is the most popular platform for mobile devices. It facilitates sharing of data and services among applications through a rich inter-app communication system. While access to resources can be controlled by the Android permission system, enforcing permissions is not sufficient to prevent security violations, as permissions may be mismanaged, intentionally or unintentionally. Android enforces permissions at the level of individual apps, which allows multiple malicious apps to collude and combine their permissions, or to trick vulnerable apps into performing actions on their behalf that exceed their individual privileges. In this paper, we present COVERT, a tool for compositional analysis of Android inter-app vulnerabilities. COVERT's analysis is modular, enabling incremental analysis of applications as they are installed, updated, and removed. It statically analyzes the reverse-engineered source code of each individual app and extracts the relevant security specifications in a format suitable for formal verification. Given a collection of specifications extracted in this way, a formal analysis engine (e.g., a model checker) is then used to verify whether it is safe for a combination of applications, each holding certain permissions and potentially interacting with the others, to be installed together. Our experience using COVERT to examine over 500 real-world apps corroborates its ability to find inter-app vulnerabilities in bundles of some of the most popular apps on the market.
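The abstract describes a compositional check: each app is reduced to a specification (its held permissions, the components it exports and the intents it sends), and a bundle is flagged when a sender that lacks a permission can drive another app's exported, unguarded component into exercising that permission on its behalf. The following Python model is an added example written for this page, not COVERT's own code or its Alloy specifications; the app specifications are constructed by hand here, whereas COVERT extracts them by static analysis. It generalizes the abstract's description by also running the check incrementally as apps are installed and removed, so that a finding appears only once both halves of a vulnerable pair are present.

```python
"""Toy compositional analysis of Android inter-app permission leakage.

Added example, not COVERT's code. App specs below are constructed for
illustration; a real tool derives them from each app's manifest and bytecode.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SEND_SMS = "android.permission.SEND_SMS"          # real Android permission name
INTERNET = "android.permission.INTERNET"          # real Android permission name
ACTION_SEND_TEXT = "com.example.SEND_TEXT"        # constructed intent action


@dataclass(frozen=True)
class Component:
    """An app component (activity/service/receiver) as seen by other apps."""
    name: str
    exported: bool
    actions: frozenset                 # intent actions this component handles
    guard_permission: Optional[str]    # permission a caller must hold, if any
    uses_permissions: frozenset        # permission-protected APIs it invokes on request


@dataclass
class AppSpec:
    """Per-app security specification: the unit COVERT extracts per app."""
    package: str
    permissions: Set[str]
    components: List[Component] = field(default_factory=list)
    sent_actions: List[str] = field(default_factory=list)  # implicit intents it sends


def can_invoke(sender: AppSpec, target: Component) -> bool:
    """A sender reaches a component only if it is exported and any guard is satisfied."""
    if not target.exported:
        return False
    return target.guard_permission is None or target.guard_permission in sender.permissions


def find_leaks(apps: Dict[str, AppSpec]) -> List[Tuple[str, str, str, str]]:
    """Compose all installed specs and return (sender, receiver, component, permission)
    for each path where a sender lacking `permission` can trigger a component that uses it."""
    findings = []
    for sender in apps.values():
        for action in sender.sent_actions:
            for receiver in apps.values():
                if receiver.package == sender.package:
                    continue
                for comp in receiver.components:
                    if action not in comp.actions or not can_invoke(sender, comp):
                        continue
                    for perm in sorted(comp.uses_permissions):
                        if perm not in sender.permissions:
                            findings.append((sender.package, receiver.package, comp.name, perm))
    return findings


class IncrementalAnalyzer:
    """Re-checks the bundle on every install/uninstall; specs are reused, never re-extracted."""
    def __init__(self) -> None:
        self.apps: Dict[str, AppSpec] = {}

    def install(self, app: AppSpec) -> List[Tuple[str, str, str, str]]:
        self.apps[app.package] = app
        return find_leaks(self.apps)

    def uninstall(self, package: str) -> List[Tuple[str, str, str, str]]:
        self.apps.pop(package, None)
        return find_leaks(self.apps)


def messenger_app(guarded: bool) -> AppSpec:
    """Constructed 'victim': holds SEND_SMS and exports a component that sends SMS.
    With guarded=True the component demands SEND_SMS from its caller, closing the leak."""
    sms_sender = Component(
        name="SmsSender", exported=True, actions=frozenset({ACTION_SEND_TEXT}),
        guard_permission=SEND_SMS if guarded else None,
        uses_permissions=frozenset({SEND_SMS}),
    )
    return AppSpec("com.example.messenger", {SEND_SMS}, [sms_sender])


def wallpaper_app() -> AppSpec:
    """Constructed low-privilege app: no SEND_SMS, but it fires the messenger's action."""
    return AppSpec("com.example.wallpaper", {INTERNET}, sent_actions=[ACTION_SEND_TEXT])


def demo(guarded: bool) -> List[List[Tuple[str, str, str, str]]]:
    """Findings after each step: install messenger, install wallpaper, remove wallpaper."""
    analyzer = IncrementalAnalyzer()
    return [
        analyzer.install(messenger_app(guarded)),
        analyzer.install(wallpaper_app()),
        analyzer.uninstall("com.example.wallpaper"),
    ]


if __name__ == "__main__":
    for step, found in zip(("messenger only", "plus wallpaper", "wallpaper removed"), demo(False)):
        print(f"{step}: {found}")
```

Neither constructed app is flagged on its own; the finding exists only for the pair, which is the point of analyzing the bundle rather than each app in isolation. Guarding the exported component with the permission it exercises (the `guarded=True` variant) removes the path without changing either app's permission set.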
