Abstract
Studies show that a malicious application can obtain sensitive data from, and perform protected operations on, a mobile phone by using an authorised yet vulnerable application as a deputy (a privilege escalation attack). It is therefore desirable to have a checker that helps developers determine whether their applications are vulnerable to such attacks. In this paper we introduce our tool, CoChecker, which uses static taint analysis to identify the leak paths (chains of components) that would enable privilege escalation attacks. We propose building a call graph that models the execution of the multiple entry points of a component, eliminating the false negatives caused by Android's event-driven programming paradigm. We further trace intents to capture inter-component communication and assemble the call graph of the analyzed app. The evaluation of CoChecker on the state-of-the-art test suite DroidBench and on randomly downloaded apps shows that it is both efficient and effective.
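The two ideas in the abstract (analysing all of a component's entry points together so that taint carried through a field from one lifecycle callback to another is not lost, and tracing intents across components to build leak chains) can be illustrated with a small constructed model. The code below is an added example written for this page, not CoChecker's own code: the tiny statement IR, the four-component sample app and the action names are all invented for illustration, and the analysis is a toy fixpoint over that IR rather than a real Dalvik analysis.

```python
"""Toy inter-component taint analysis in the spirit of the approach described
above (constructed example, not CoChecker's code).

Attacker-controlled data enters through the Intent that starts an exported
component, may be parked in a field by one lifecycle callback and read by
another, may be forwarded to other components via Intents, and finally reaches
a permission-protected sink.  The chain of components on that path is the leak.
"""

# Statement forms of the constructed IR:
#   ("intent_in", var)         var <- extra taken from the Intent that started the component
#   ("assign", dst, src)       dst <- src
#   ("store", field, src)      this.field <- src   (fields survive across callbacks)
#   ("load", dst, field)       dst <- this.field
#   ("send", action, src)      startActivity/startService/sendBroadcast carrying src
#   ("sink", permission, src)  protected API call consuming src

# Constructed sample app; component and action names are invented.
APP = {
    "MainActivity": {"exported": True, "filters": ["android.intent.action.MAIN"],
        "callbacks": {
            "onCreate": [("intent_in", "cmd"), ("store", "pending", "cmd")],
            # onResume is a separate entry point; the taint reaches it only via the field
            "onResume": [("load", "x", "pending"), ("send", "com.example.RELAY", "x")],
        }},
    "RelayService": {"exported": False, "filters": ["com.example.RELAY"],
        "callbacks": {"onStartCommand": [("intent_in", "msg"), ("send", "com.example.SEND", "msg")]}},
    "SmsSender": {"exported": False, "filters": ["com.example.SEND"],
        "callbacks": {"onReceive": [("intent_in", "body"),
                                    ("sink", "android.permission.SEND_SMS", "body")]}},
    "Logger": {"exported": False, "filters": ["com.example.LOG"],   # never reached
        "callbacks": {"onReceive": [("intent_in", "l"), ("sink", "android.permission.INTERNET", "l")]}},
}


def resolve(action):
    """Implicit-Intent resolution: every component whose filter matches the action."""
    return [name for name, comp in APP.items() if action in comp["filters"]]


def analyze_component(name, whole_component=True):
    """Intra-component taint. Returns (tainted outgoing actions, tainted sink permissions).

    whole_component=True analyses every callback of the component over a shared
    set of tainted fields and iterates to a fixpoint, so callback order does not
    matter.  whole_component=False analyses each callback in isolation, which is
    the per-entry-point view that misses field-mediated flows (a false negative)."""
    callbacks = APP[name]["callbacks"].items()
    tainted_fields, sends, sinks = set(), set(), set()
    changed = True
    while changed:
        changed = False
        for _cb, stmts in callbacks:
            local = set()                      # tainted locals of this callback
            for st in stmts:
                op = st[0]
                if op == "intent_in":
                    local.add(st[1])
                elif op == "assign" and st[2] in local:
                    local.add(st[1])
                elif op == "store" and st[2] in local and whole_component:
                    if st[1] not in tainted_fields:
                        tainted_fields.add(st[1])
                        changed = True         # another callback may now load it
                elif op == "load" and st[2] in tainted_fields:
                    local.add(st[1])
                elif op == "send" and st[2] in local:
                    sends.add(st[1])
                elif op == "sink" and st[2] in local:
                    sinks.add(st[1])
    return sorted(sends), sorted(sinks)


def find_leak_chains(whole_component=True):
    """Start at every exported component (anyone can send it an Intent) and follow
    tainted Intents until a protected sink is hit.  Returns (component chain, permission)."""
    chains = []

    def walk(name, path):
        sends, sinks = analyze_component(name, whole_component)
        for perm in sinks:
            chains.append((path + [name], perm))
        for action in sends:
            for target in resolve(action):
                if target not in path:         # do not loop through cycles
                    walk(target, path + [name])

    for name, comp in APP.items():
        if comp["exported"]:
            walk(name, [])
    return chains


if __name__ == "__main__":
    for chain, perm in find_leak_chains():
        print(" -> ".join(chain), "leaks", perm)
    print("per-callback analysis finds:", find_leak_chains(whole_component=False))
```

With the whole-component analysis the chain MainActivity -> RelayService -> SmsSender is reported as a capability leak of SEND_SMS; with callbacks analysed one at a time the `store` in `onCreate` and the `load` in `onResume` are never connected and nothing is reported, which is the kind of false negative the abstract refers to. A real analysis would additionally have to resolve explicit Intents and component names from the manifest and handle extras by key, which this toy model ignores.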
References
Android and iOS Continue to Dominate the Worldwide Smartphone Market with Android Shipments Just Shy of 800 Million in 2013, According to IDC, http://www.idc.com/getdoc.jsp?containerId=prUS24676414
Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege escalation attacks on android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011)
Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (2010)
Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission Re-delegation: Attacks and Defenses. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, San Francisco, CA (2011)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards Taming Privilege-Escalation Attacks on Android. In: 19th Annual Network and Distributed System Security Symposium (NDSS) (2012)
Fuchs, A.P., Chaudhuri, A., Foster, J.S.: SCanDroid: Automated security certification of Android applications. Manuscript, University of Maryland (2009), http://www.cs.umd.edu/~avik/projects/scandroidascaa
Chan, P.P., Hui, L.C., Yiu, S.-M.: DroidChecker: Analyzing Android applications for capability leak. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2012), pp. 125–136 (2012)
Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012. ACM, New York (2012)
Fritz, C., Arzt, S., Rasthofer, S., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Highly precise taint analysis for Android applications. EC SPRIDE Technical Report TUD-CS-2013-0113 (2013)
Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In: Proceedings of the 22nd USENIX Security Symposium (2013)
DroidBench, EC SPRIDE, https://github.com/secure-software-engineering/DroidBench
Freeware Lover, Best and Free software for Android mobile platform, http://www.freewarelovers.com/android
© 2014 Springer International Publishing Switzerland
Cite this paper
Cui, X., Yu, D., Chan, P., Hui, L.C.K., Yiu, S.M., Qing, S. (2014). CoChecker: Detecting Capability and Sensitive Data Leaks from Component Chains in Android. In: Susilo, W., Mu, Y. (eds) Information Security and Privacy. ACISP 2014. Lecture Notes in Computer Science, vol 8544. Springer, Cham. https://doi.org/10.1007/978-3-319-08344-5_31
DOI: https://doi.org/10.1007/978-3-319-08344-5_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08343-8
Online ISBN: 978-3-319-08344-5
eBook Packages: Computer Science, Computer Science (R0)