A SEALANT for Inter-App Security Holes in Android

Android's communication model has a major security weakness: malicious apps can manipulate other apps into performing unintended operations and can steal end-user data, while appearing ordinary and harmless. This paper presents SEALANT, a technique that combines static analysis of app code, which infers vulnerable communication channels, with runtime monitoring of inter-app communication through those channels, which helps to prevent attacks. SEALANT's extensive evaluation demonstrates that (1) it detects and blocks inter-app attacks with high accuracy in a corpus of over 1,100 real-world apps, (2) it suffers from fewer false alarms than existing techniques in several representative scenarios, (3) its performance overhead is negligible, and (4) end-users do not find it challenging to adopt.
