Abstract
Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of the Android OS. In this paper, we demonstrate two such vulnerabilities affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed-component issues in 34 out of 5,783 apps with an average analysis runtime of 4.3 s per app, and detected both known malware samples and unknown samples downloaded from the F-Droid repository.
We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.
Acknowledgements
We thank Ali Darwish, ElMuthana Mohamed, Hamad Salmeen, Abdulla Subah and Zhuang Xu for participating in mobile testing.
This research was partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1 and EP/V000454/1. Abdulla Aldoseri is supported by a stipend from the University of Bahrain.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Aldoseri, A., Oswald, D., Chiper, R. (2022). A Tale of Four Gates. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_12
DOI: https://doi.org/10.1007/978-3-031-17146-8_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8
eBook Packages: Computer Science, Computer Science (R0)