Skip to main content
SpringerLink
Log in

CoChecker: Detecting Capability and Sensitive Data Leaks from Component Chains in Android

  • Conference paper
Information Security and Privacy (ACISP 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8544))

Included in the following conference series:

Abstract

Studies show that malicious applications can obtain sensitive data from and perform protected operations in a mobile phone using an authorised yet vulnerable application as a deputy (referred to as privilege escalation attack). Thus it is desirable to have a checker that can help developers check whether their applications are vulnerable to these attacks. In this paper, we introduce our tool, CoChecker, to identify the leak paths (chains of components) that would lead to privilege escalation attacks using static taint analysis. We propose to build a call graph to model the execution of multiple entry points in a component and eliminate the false negatives due to the Android‘s event-driven programming paradigm. We further carry out inter-component communication through intent-tracing and formulate the call graph of the analyzed app. The evaluation of CoChecker on the state-of-the-art test suit DroidBench and randomly downloaded apps shows that it is both efficient and effective.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Android and iOS Continue to Dominate the Worldwide Smartphone Market with Android Shipments Just Shy of 800 Million in 2013, According to IDC, http://www.idc.com/getdoc.jsp?containerId=prUS24676414

  2. Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege escalation attacks on android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  3. Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (2010)

    Google Scholar 

  4. Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission Re-delegation: Attacks and Defenses. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, San Francisco, CA (2011)

    Google Scholar 

  5. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards Taming Privilege-Escalation Attacks on Android. In: 19th Annual Network and Distributed System Security Symposium (NDSS) (2012)

    Google Scholar 

  6. Fuchs, A.P., Chaudhuri, A., Foster, J.S.: SCanDroid: Automated security certification of Android applications. Univ. of Maryland (2009) (manuscript), http://www.cs.umd.edu/~avik/projects/scandroidascaa

  7. Chan, P.P., Hui, L.C., Yiu, S.-M.: Droidchecker: analyzing android applications for capability leak. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 125–136 (2012)

    Google Scholar 

  8. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Chex: Statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, NY, USA (2012)

    Google Scholar 

  9. Christian, F., Steven, A., Siegfried, R., Eric, B., Alexandre, B., Jacques, K., Yves le, T., Damien, O., Patrick, M.: Highly Precise Taint Analysis for Android Applications. Ec spride technical report tud-cs-2013-0113 (2013)

    Google Scholar 

  10. Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis. In: Proceedings of the 22nd USENIX Security Symposium (2013)

    Google Scholar 

  11. DroidBench, EC SPRIDE, https://github.com/secure-software-engineering/DroidBench

  12. Freeware Lover, Best and Free software for Android mobile platform, http://www.freewarelovers.com/android

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, The University of Hong Kong, Pokfulam, Hong Kong

    Xingmin Cui, Patrick Chan, Lucas C. K. Hui & S. M. Yiu

  2. School of Software and Microelectronics, Peking University, Beijing, China

    Da Yu & Sihan Qing

Authors
  1. Xingmin Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Da Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Patrick Chan
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lucas C. K. Hui
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. S. M. Yiu
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Sihan Qing
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Northfields Avenue, 2522, Wollongong, NSW, Australia

    Willy Susilo  & Yi Mu  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Cui, X., Yu, D., Chan, P., Hui, L.C.K., Yiu, S.M., Qing, S. (2014). CoChecker: Detecting Capability and Sensitive Data Leaks from Component Chains in Android. In: Susilo, W., Mu, Y. (eds) Information Security and Privacy. ACISP 2014. Lecture Notes in Computer Science, vol 8544. Springer, Cham. https://doi.org/10.1007/978-3-319-08344-5_31

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08344-5_31

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08343-8

  • Online ISBN: 978-3-319-08344-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation