Prison Break of Android Reflection Restriction and Defense

The Java reflection technique is pervasively used in the Android system. To reduce the risk of reflection abuse, Android restricts the use of reflection in the Android Runtime (ART) to hide potentially dangerous methods and fields. We perform the first comprehensive study of these reflection restrictions and have discovered three novel approaches to bypass them. Novel reflection-based attacks are also presented, including a password-stealing attack. To mitigate the threats, we analyze these restriction-bypassing approaches and find three techniques crucial to them, i.e., double reflection, memory manipulation, and inline hooking. We propose a defense mechanism, consisting of a classloader double checker, an ART variable protector, and an ART method protector, to prohibit bypassing of the reflection restrictions. Finally, we design and implement an automatic reflection detection framework and have discovered 5,531 reflection-powered apps out of 100,000 downloaded apps; these apps are installed on our defense-enabled Android system on a Google Pixel 2 to evaluate the effectiveness and efficiency of our defense mechanism. Extensive empirical results demonstrate that our defense-enabled system can accurately obstruct malicious reflection attempts.
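The abstract mentions an automatic reflection detection framework without describing it. The following is an added illustration, not the paper's framework or its code: a minimal static scanner over disassembled (smali-style) Dalvik bytecode that counts reflection API usage per class and flags the "double reflection" indicator the abstract names, i.e. a class that passes the string name of a reflection API method (such as `getDeclaredMethod`) to a reflective lookup. The API list, the heuristic and the sample smali input are all constructed here for the example.

```python
import re
from collections import defaultdict

# Reflection API references a scanner of disassembled code would count.
# The categories are an assumption made for this example.
REFLECTION_APIS = {
    "Ljava/lang/Class;->forName": "class_lookup",
    "Ljava/lang/Class;->getDeclaredMethod": "method_lookup",
    "Ljava/lang/Class;->getMethod": "method_lookup",
    "Ljava/lang/Class;->getDeclaredField": "field_lookup",
    "Ljava/lang/reflect/Method;->invoke": "invoke",
    "Ljava/lang/reflect/AccessibleObject;->setAccessible": "set_accessible",
    "Ljava/lang/reflect/Field;->get": "field_access",
    "Ljava/lang/reflect/Field;->set": "field_access",
}

# Method names which, when handed as string constants to a reflective lookup,
# indicate reflection on the reflection API itself ("double reflection").
META_REFLECTION_NAMES = {"getDeclaredMethod", "getMethod", "getDeclaredField", "forName"}

CLASS_RE = re.compile(r"^\s*\.class\s+(?:\S+\s+)*(L[^;]+;)")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+v\d+,\s+"([^"]*)"')
INVOKE_RE = re.compile(
    r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[^;]+;->[A-Za-z_$<>]+)\("
)


def scan_smali(lines):
    """Return (per-class reflection category counts, set of classes matching the
    double-reflection heuristic). String constants seen since the last invoke are
    treated as that invoke's candidate arguments."""
    report = defaultdict(lambda: defaultdict(int))
    suspicious = set()
    current = None
    pending_strings = []
    for line in lines:
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            pending_strings = []
            continue
        m = CONST_STR_RE.match(line)
        if m:
            pending_strings.append(m.group(1))
            continue
        m = INVOKE_RE.match(line)
        if m and current:
            category = REFLECTION_APIS.get(m.group(1))
            if category:
                report[current][category] += 1
                if category == "method_lookup" and any(
                    s in META_REFLECTION_NAMES for s in pending_strings
                ):
                    suspicious.add(current)
            pending_strings = []
    return report, suspicious


# Constructed sample: one ordinary class and one class that looks up
# Class.getDeclaredMethod through reflection before invoking it.
SAMPLE_SMALI = """
.class public Lcom/example/Benign;
.super Ljava/lang/Object;
.method public run()V
    const-string v0, "hello"
    invoke-static {v0, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method

.class public Lcom/example/Reflective;
.super Ljava/lang/Object;
.method public run()V
    const-string v0, "java.lang.Class"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    move-result-object v0
    const-string v1, "getDeclaredMethod"
    invoke-virtual {v0, v1, v2}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v3
    const/4 v4, 0x1
    invoke-virtual {v3, v4}, Ljava/lang/reflect/AccessibleObject;->setAccessible(Z)V
    invoke-virtual {v3, v0, v5}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method
""".splitlines()


def scan_sample():
    """Scan the constructed sample and return plain dicts for inspection."""
    report, suspicious = scan_smali(SAMPLE_SMALI)
    return {cls: dict(cats) for cls, cats in report.items()}, sorted(suspicious)


if __name__ == "__main__":
    counts, flagged = scan_sample()
    for cls, cats in counts.items():
        print(cls, cats)
    print("double-reflection candidates:", flagged)
```

The scanner is intentionally string-based: a production detector would resolve registers and method arguments rather than assuming the last string constants feed the next invoke, and would pair this with runtime checks, since reflection targets can be assembled at run time or loaded dynamically.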
