Measuring the Insecurity of Mobile Deep Links of Android

Mobile deep links are URIs that point to specific locations within apps and are instrumental to web-to-app communication. Existing “scheme URLs” are known to have hijacking vulnerabilities, where one app can freely register another app’s schemes to hijack the communication. Recently, Android introduced two new methods, “App links” and “Intent URLs”, which were designed with security features to replace scheme URLs. While the new mechanisms are secure in theory, little is known about how effective they are in practice. In this paper, we conduct the first empirical measurement of various mobile deep links across apps and websites. Our analysis is based on the deep links extracted from two snapshots of 160,000+ top Android apps from Google Play (2014 and 2016), and 1 million webpages from Alexa top domains. We find that the new linking methods (particularly App links) not only failed to deliver the security benefits as designed, but significantly worsened the situation. First, App links apply link verification to prevent hijacking. However, only 194 apps (2.2% out of 8,878 apps with App links) can pass the verification due to incorrect (or no) implementations. Second, we identify a new vulnerability in App link’s preference setting, which allows a malicious app to intercept arbitrary HTTPS URLs in the browser without raising any alerts. Third, we identify more hijacking cases on App links than on existing scheme URLs among both apps and websites. Many of them target popular sites such as online social networks. Finally, Intent URLs have little impact in mitigating hijacking risks due to a low adoption rate on the web.
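The link verification mentioned in the abstract can be audited offline from an app's manifest and the statement file its website serves. The sketch below is an added example, not code from the paper: it assumes the standard Android mechanism (an `android:autoVerify` intent filter checked against the site's `/.well-known/assetlinks.json`), and the package name, hosts and fingerprint are constructed.

```python
import json
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
WEB = {"android.intent.action.VIEW", "android.intent.category.BROWSABLE"}

def app_link_hosts(manifest_xml):
    """Map each http(s) deep-link host in the manifest to its autoVerify flag."""
    hosts = {}
    for f in ET.fromstring(manifest_xml).iter("intent-filter"):
        names = {e.get(NS + "name") for e in f}
        schemes = {d.get(NS + "scheme") for d in f.findall("data")}
        if not (WEB <= names and schemes & {"http", "https"}):
            continue  # custom scheme URL or not web-reachable: never verified
        for host in filter(None, (d.get(NS + "host") for d in f.findall("data"))):
            hosts[host] = hosts.get(host, False) or f.get(NS + "autoVerify") == "true"
    return hosts

def check_host(package, cert_sha256, auto_verify, assetlinks_text):
    """Decide whether the site's statement file vouches for this app build."""
    if not auto_verify:
        return "unverified: autoVerify not requested"
    try:
        statements = json.loads(assetlinks_text or "")
    except ValueError:
        return "fail: assetlinks.json missing or not valid JSON"
    for s in (statements if isinstance(statements, list) else []):
        t = s.get("target") if isinstance(s, dict) else None
        if (isinstance(t, dict) and t.get("namespace") == "android_app"
                and t.get("package_name") == package
                and "delegate_permission/common.handle_all_urls" in (s.get("relation") or [])
                and cert_sha256 in (t.get("sha256_cert_fingerprints") or [])):
            return "pass"
    return "fail: no statement names this package and signing certificate"

def audit(manifest_xml, package, cert_sha256, served):
    """served maps host -> body of its /.well-known/assetlinks.json (None if absent)."""
    return {h: check_host(package, cert_sha256, v, served.get(h))
            for h, v in app_link_hosts(manifest_xml).items()}

# Constructed sample: package, hosts and the shortened fingerprint are made up.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<intent-filter android:autoVerify="true"><action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="https" android:host="shop.example.com"/>
<data android:scheme="https" android:host="pay.example.com"/></intent-filter></manifest>"""
SERVED = {"shop.example.com": '[{"relation": ["delegate_permission/common.handle_all_urls"], '
          '"target": {"namespace": "android_app", "package_name": "com.example.shop", '
          '"sha256_cert_fingerprints": ["AA:BB"]}}]', "pay.example.com": None}
```

Calling `audit(MANIFEST, "com.example.shop", "AA:BB", SERVED)` reports one host that passes and one that fails because no statement file is served, the "incorrect (or no) implementation" case the measurement counts.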
