Dazed Droids: A Longitudinal Study of Android Inter-App Vulnerabilities

Android devices are an integral part of modern life, from phones to media boxes to smart home appliances and cameras. With 38.9% of market share, Android is now the most used operating system, not just among mobile devices but across all OSes. As applications' complexity and features increased, Android relied more heavily on code and data sharing among apps for faster response times and a richer user experience. To achieve that, Android apps reuse functionality and data by means of inter-app message passing, where each app defines the messages it expects to receive. In this paper, we analyze the proliferation of exploitable inter-app communication vulnerabilities using a rich corpus of 1) a representative sample of 32 Android devices, 2) 59 official Google Android versions, and 3) the top 18,583 apps from 2016 to 2017. This corpus covers 91 Android builds from version 4.4 to present. To the best of our knowledge, ours is the first longitudinal study looking into the propagation of vulnerabilities across AOSP builds, between AOSP and a diverse set of devices, and across app versions over a period of 13 months. To identify inter-app vulnerabilities, we developed Daze, a swift and fully automated framework for extracting app components and fuzzing all app interfaces. Daze needs only about three hours for full-device analysis, or two minutes per app on average. We identified 14,413 vulnerabilities and quantified their exposure time and the number of versions affected. Our findings revealed that 51.7% of Android devices and 49% of the top 300 apps on Google Play contained at least one critical inter-app vulnerability. We found that about 15% of fixed vulnerabilities lived for more than 100 days before being patched, more than 20% of unpatched vulnerabilities have existed for at least 180 days, and 45% of unpatched vulnerabilities persisted through the latest two to four consecutive app versions in our dataset.
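An added illustration (not Daze's code and not taken from the paper) of the component-extraction idea the abstract mentions: it lists the components an app's manifest exposes to other apps and flags those with no guarding permission. The sample manifest and the function names are constructed for this example, and it assumes a manifest already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Providers are left out: their export default depends on targetSdkVersion.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest for this example (not from the paper's corpus).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.demo.ADMIN"/>
    <activity android:name=".SettingsActivity" android:exported="false">
      <intent-filter><action android:name="com.example.demo.SETTINGS"/></intent-filter>
    </activity>
    <service android:name=".InternalService"/>
  </application>
</manifest>"""


def exposed_components(manifest_xml):
    """Return the components other apps can message, with their guard permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(ANDROID + "permission")  # application-wide default guard
    found = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = elem.get(ANDROID + "exported")
        actions = [a.get(ANDROID + "name") for a in elem.iter("action")]
        # Legacy default: with no explicit flag, an intent filter exports the component.
        if exported == "true" or (exported is None and actions):
            found.append({"kind": elem.tag, "name": elem.get(ANDROID + "name"),
                          "actions": actions,
                          "permission": elem.get(ANDROID + "permission", app_perm)})
    return found


def unguarded(manifest_xml):
    """Names of exposed components that any installed app may invoke."""
    return [c["name"] for c in exposed_components(manifest_xml) if c["permission"] is None]
```

Components returned by `unguarded` are the ones whose input handling deserves review first, since any co-installed app can deliver messages to them.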
