论文信息 - IntentFuzzer: detecting capability leaks of android applications

IntentFuzzer: detecting capability leaks of android applications

Capability leak is a vulnerability in Android applications, which violates the enforcement of permission model and threatens the secure usage of Android phone users. Malicious applications can launch permission escalation attacks with this vulnerability. In this paper, we propose a dynamic Intent fuzzing mechanism to uncover vulnerable applications in both Android markets and closed source ROMs. We built a prototype called IntentFuzzer. With it, we analyzed more than 2000 Android applications in Google Play and hundreds of in-rom applications inside two closed source ROMs. We found that 161 applications in Google Play have at least one permission leak, and 26 permissions in Xiaomi Hongmi phone and 19 permissions in Lenovo K860i stock phone are leaked. Finally, we give several cases of exploitation to verify our analysis result.

Kun Yang | Hai-Xin Duan | Jianwei Zhuge | Yongke Wang | Lujue Zhou

[1] Byung-Gon Chun,et al. Vision: automated security validation of mobile apps at app markets , 2011, MCS '11.

[2] David A. Wagner,et al. Analyzing inter-application communication in Android , 2011, MobiSys '11.

[3] Siu-Ming Yiu,et al. DroidChecker: analyzing android applications for capability leak , 2012, WISEC '12.

[4] Yajin Zhou,et al. Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[5] Helen J. Wang,et al. Permission Re-Delegation: Attacks and Defenses , 2011, USENIX Security Symposium.

[6] Hao Chen,et al. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[7] Yuan Zhang,et al. Vetting undesirable behaviors in android apps with permission use analysis , 2013, CCS.