A Tale of Four Gates

Privilege Escalation and Permission Bypasses on Android Through App Components

  • Conference paper
Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13555)

Abstract

Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of Android OS. In this paper, we demonstrate two such vulnerabilities affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed component issues in 34 out of 5,783 apps with an average analysis runtime of 4.3 s per app, and detected both known malware samples and unknown samples downloaded from the F-Droid repository.
We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.

Acknowledgements

We thank Ali Darwish, ElMuthana Mohamed, Hamad Salmeen, Abdulla Subah and Zhuang Xu for participating in mobile testing.

This research was partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1 and EP/V000454/1. Abdulla Aldoseri is supported by a stipend from the University of Bahrain.

Author information

Corresponding authors

Correspondence to Abdulla Aldoseri, David Oswald or Robert Chiper.

A 9 Appendix

Table 1. MU attacks across vendor implementation. (●) exploited; (○) N/A; (◐) untested

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Aldoseri, A., Oswald, D., Chiper, R. (2022). A Tale of Four Gates. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_12

  • DOI: https://doi.org/10.1007/978-3-031-17146-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8

  • eBook Packages: Computer Science, Computer Science (R0)
