A static technique for detecting input validation vulnerabilities in Android apps

A static-analysis-based technique for discovering input validation vulnerabilities in Android application software

Abstract

Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanisms and compromise the integrity, confidentiality and availability of Android devices. However, so far there is no sound approach at the source code level for app developers who want to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. EasyIVD then validates these slices against predefined security rules to detect vulnerabilities that follow a known pattern. To detect vulnerabilities that follow an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. EasyIVD then semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities, including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.

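Highlights

To detect input validation vulnerabilities, which are common in Android application software, this paper proposes a static-analysis-based detection method and implements a prototype system, EasyIVD. The paper first uses backward program slicing to extract transaction slices and constraint slices from Java source code, then uses predefined security rules to detect input validation vulnerabilities of known patterns. For input validation vulnerabilities of unknown patterns, it extracts frequent patterns from similar slices and uses them as implicit security specifications to find vulnerabilities. The system was applied to the stock apps of four versions of the Android system and found 58 input validation vulnerabilities in total.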
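The frequent-pattern step in the abstract can be illustrated with a small sketch. This is an added example, not EasyIVD's code: the slice representation, the support threshold, the minimum group size and all component names are assumptions, and the slices are constructed sample data.

```python
from collections import defaultdict

# Constructed sample slices: (component, transaction sink, constraints found on
# the backward slice leading to that sink). Component names are hypothetical.
SLICES = [
    ("ReceiverA", "sendTextMessage", {"checkCallingPermission", "extras != null"}),
    ("ReceiverB", "sendTextMessage", {"checkCallingPermission", "extras != null"}),
    ("ServiceC",  "sendTextMessage", {"checkCallingPermission", "extras != null"}),
    ("ReceiverD", "sendTextMessage", {"extras != null"}),
    ("ActivityE", "deleteFile",      {"path under app dir"}),
    ("ActivityF", "deleteFile",      {"path under app dir"}),
    ("ServiceG",  "deleteFile",      set()),
    ("ActivityH", "startActivity",   {"action allow-list"}),
    ("ActivityI", "startActivity",   set()),
]

def mine_rules(slices, min_support=0.75, min_group=3):
    """Infer implicit rules: constraints present in at least min_support of the
    slices that reach the same sink (assumed grouping key for 'similar' slices)."""
    by_sink = defaultdict(list)
    for _, sink, checks in slices:
        by_sink[sink].append(checks)
    rules = {}
    for sink, group in by_sink.items():
        if len(group) < min_group:
            continue  # too few similar slices to infer a specification
        counts = defaultdict(int)
        for checks in group:
            for check in checks:
                counts[check] += 1
        frequent = {c for c, n in counts.items() if n / len(group) >= min_support}
        if frequent:
            rules[sink] = frequent
    return rules

def find_violations(slices, rules):
    """List slices that omit a constraint their peers usually enforce. These are
    candidates for manual confirmation, not confirmed vulnerabilities."""
    suspicious = []
    for component, sink, checks in slices:
        missing = rules.get(sink, set()) - checks
        if missing:
            suspicious.append((component, sink, sorted(missing)))
    return suspicious

if __name__ == "__main__":
    for row in find_violations(SLICES, mine_rules(SLICES)):
        print(row)
```

With the sample data, only the slice that reaches `sendTextMessage` without the permission check is flagged; the other two sinks yield no rule because their slices are too few or too inconsistent.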


Author information

Correspondence to Yuqing Zhang.

Cite this article

Fang, Z., Liu, Q., Zhang, Y. et al. A static technique for detecting input validation vulnerabilities in Android apps. Sci. China Inf. Sci. 60, 052111 (2017). https://doi.org/10.1007/s11432-015-5422-7

Keywords

  • input validation
  • static analysis
  • program slicing
  • vulnerability detection
  • Android security

Keywords (from the Chinese abstract)

  • input validation
  • static analysis
  • program slicing
  • vulnerability mining
  • Android security