Abstract
Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the efforts of industry and academia to improve Android OS security, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector (\(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\)), a novel approach to detect NIV in Android apps by relying on type systems. \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state of the art, \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) is faster and more efficient, without losing precision in detecting NIV. Finally, through \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\), Google Photos was found to be vulnerable, and we disclosed the finding on Google's official bug report website (issue number 124342801).
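The call chain described in the abstract can be made concrete with a small path checker. This is an added example, not the paper's tool or its inference rules: it assumes the three calls are `getIntent()`, `getParcelableExtra()` and `startActivity()` (the abstract does not name them), uses a hypothetical `validateTarget` step to stand for app-side validation, and runs on constructed execution paths.

```python
# Added illustration: a three-label "type system" for next-Intent flows.
# The API names are an assumption; the abstract does not list its three APIs.
from dataclasses import dataclass

EXTERNAL, NESTED, TRUSTED = "external", "nested", "trusted"

@dataclass
class Component:
    name: str
    exported: bool   # from the manifest: can other apps start this component?
    path: list       # one execution path as (dest_register, api, source_register)

def check_path(comp):
    """Label registers along one execution path and report unvalidated forwards."""
    env, findings = {}, []
    for dest, api, src in comp.path:
        if api == "getIntent":
            # The launching Intent is outside the app's control only if exported.
            env[dest] = EXTERNAL if comp.exported else TRUSTED
        elif api == "getParcelableExtra":
            # An Intent unpacked from an external Intent is the "next Intent".
            env[dest] = NESTED if env.get(src) == EXTERNAL else TRUSTED
        elif api == "validateTarget":
            # Hypothetical app-side check, e.g. an allow-list of target classes.
            env[dest] = TRUSTED
        elif api == "startActivity" and env.get(src) == NESTED:
            findings.append(f"{comp.name}: unvalidated next Intent in {src}")
    return findings

def scan(components):
    """Check every component and collect all findings."""
    return [f for comp in components for f in check_path(comp)]

# Constructed sample paths (not taken from any real app).
FORWARD = [("v0", "getIntent", None),
           ("v1", "getParcelableExtra", "v0"),
           (None, "startActivity", "v1")]
SAMPLES = [
    Component("ProxyActivity", True, FORWARD),
    Component("HardenedProxy", True,
              FORWARD[:2] + [("v1", "validateTarget", "v1")] + FORWARD[2:]),
    Component("InternalActivity", False, FORWARD),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Only the exported component that forwards the nested Intent without a check is reported; the same path is accepted once the target is validated or when the first component is not reachable from other apps.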
Funding
This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the LOCARD project (Grant Agreement No. 832735).
Ethics declarations
Conflict of interest
All authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Appendices
Sample applications
Table 7 lists the 100 apps downloaded from the Google Play Store and used to evaluate \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\).
Result details
Table 8 presents the meaning of each column of Tables 9 and 10 which present the complete analysis undertaken by \(\mathcal {N} \hbox {I}\mathcal {V}\hbox {D}\) over the set of 100 apps.
Cite this article
El-Zawawy, M.A., Losiouk, E. & Conti, M. Do not let Next-Intent Vulnerability be your next nightmare: type system-based approach to detect it in Android apps. Int. J. Inf. Secur. 20, 39–58 (2021). https://doi.org/10.1007/s10207-020-00491-x
DOI: https://doi.org/10.1007/s10207-020-00491-x