Do not let Next-Intent Vulnerability be your next nightmare: type system-based approach to detect it in Android apps

Abstract

Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the efforts of industry and academia to improve the security of the Android OS, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector (\(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\)), a novel approach to detect NIV in Android apps by relying on type systems. \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state of the art, \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) is faster and more efficient, without losing precision in detecting NIV. Finally, \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) found Google Photos to be vulnerable, and we disclosed the finding on Google's official bug report website (issue number 124342801).
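The call chain the abstract describes, as an added example that is not code from the paper or from NIVD: a simplified register-tracking scan over constructed smali, not the paper's type system. The three API names (`getIntent`, `getParcelableExtra`, `startActivity`) and the `com.example` components are assumptions, since the abstract does not name its APIs; range invokes and branches are not handled.

```python
import re
# Assumed API chain; the abstract does not name NIVD's three APIs.
SOURCE, EXTRACT, SINK = "getIntent()", "getParcelableExtra(", "startActivity("
INVOKE = re.compile(r"invoke-\S+ \{([^}]*)\}, (\S+)")

def has_niv_chain(smali_lines):
    """Track registers through straight-line code: 'incoming' is the Intent the
    component received, 'nested' is an Intent unpacked from its extras."""
    state, pending = {}, None  # register -> label; label awaiting move-result
    for raw in smali_lines:
        line = raw.strip()
        if line.startswith("move-result-object"):
            state[line.split()[1]] = pending  # None clears a stale label
            pending = None
            continue
        pending = None
        m = INVOKE.match(line)
        if m:
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            method = m.group(2)
            if SOURCE in method:
                pending = "incoming"
            elif EXTRACT in method and regs and state.get(regs[0]) == "incoming":
                pending = "nested"
            elif SINK in method and any(state.get(r) == "nested" for r in regs[1:]):
                return True  # received Intent's payload is launched unchecked
        elif line.startswith("move-object"):
            dst, src = line.replace(",", " ").split()[1:3]
            state[dst] = state.get(src)
        elif line.startswith(("const", "new-instance")):
            state.pop(line.split()[1].rstrip(","), None)  # register overwritten
    return False

def flag_components(components):
    """components: name -> (exported, smali_lines); only exported entry points count."""
    return [n for n, (exp, code) in components.items() if exp and has_niv_chain(code)]

# Constructed smali fragments for a hypothetical com.example app.
FORWARDS = """invoke-virtual {p0}, Lcom/example/Proxy;->getIntent()Landroid/content/Intent;
move-result-object v0
const-string v1, "next"
invoke-virtual {v0, v1}, Landroid/content/Intent;->getParcelableExtra(Ljava/lang/String;)Landroid/os/Parcelable;
move-result-object v2
check-cast v2, Landroid/content/Intent;
invoke-virtual {p0, v2}, Lcom/example/Proxy;->startActivity(Landroid/content/Intent;)V""".splitlines()
FIXED_TARGET = """new-instance v0, Landroid/content/Intent;
const-class v1, Lcom/example/Settings;
invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
invoke-virtual {p0, v0}, Lcom/example/Proxy;->startActivity(Landroid/content/Intent;)V""".splitlines()
APP = {"Proxy": (True, FORWARDS), "Menu": (True, FIXED_TARGET), "Internal": (False, FORWARDS)}
```

Only `Proxy` is reported: `Menu` launches a fixed target, and `Internal` is not exported, so another app cannot start the chain there.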


Notes

  1. https://bughunter.withgoogle.com/profile/ee300894-5b51-4be6-810f-bcaad8fd73d0

  2. https://scholar.cu.edu.eg/sites/default/files/maelzawawy/files/NIVDResults.rar


Funding

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the LOCARD project (Grant Agreement No. 832735).

Author information

Corresponding author

Correspondence to Mohamed A. El-Zawawy.

Ethics declarations

Conflict of interest

All authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Appendices

Sample applications

Table 7 lists the 100 apps downloaded from the Google Play Store and used to evaluate \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\).

Table 7 List of apps used for \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) evaluation

Result details

Table 8 explains the meaning of each column of Tables 9 and 10, which present the complete analysis undertaken by \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) over the set of 100 apps.

Table 8 Notation used for the statistics collected during the \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) evaluation
Table 9 Results obtained after running \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) over the apps 1–50
Table 10 Results obtained after running \(\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}\) over the apps 51–100

About this article

Cite this article

El-Zawawy, M.A., Losiouk, E. & Conti, M. Do not let Next-Intent Vulnerability be your next nightmare: type system-based approach to detect it in Android apps. Int. J. Inf. Secur. (2020). https://doi.org/10.1007/s10207-020-00491-x

Keywords

  • Next-Intent Vulnerabilities
  • Android
  • Security
  • Type systems
  • Program analysis