
International Conference on Formal Methods for Open Object-Based Distributed Systems

International Conference on Formal Techniques for Distributed Systems

FMOODS 2013, FORTE 2013: Formal Techniques for Distributed Systems, pp 289–304


Lintent: Towards Security Type-Checking of Android Applications

  • Michele Bugliesi,
  • Stefano Calzavara &
  • Alvise Spanò
  • Conference paper
  • 850 Accesses

  • 15 Citations

Part of the Lecture Notes in Computer Science book series (LNPSE, volume 7892)

Abstract

The widespread adoption of Android devices has attracted the attention of a growing computer security audience. Fundamental weaknesses and subtle design flaws of the Android architecture have been identified, studied and fixed, mostly through techniques from data-flow analysis, runtime protection mechanisms, or changes to the operating system. This paper complements this research by developing a framework for the analysis of Android applications based on typing techniques. We introduce a formal calculus for reasoning on the Android inter-component communication API and a type-and-effect system to statically prevent privilege escalation attacks on well-typed components. Drawing on our abstract framework, we develop a prototype implementation of Lintent, a security type-checker for Android applications integrated with the Android Development Tools suite. We finally discuss preliminary experiences with our tool, which highlight real attacks on existing applications.

Keywords

  • Android Application
  • Android Platform
  • Reduction Semantic
  • Real Attack
  • Malicious Application

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Author information

Authors and Affiliations

  1. Università Ca’ Foscari Venezia, Italy

    Michele Bugliesi, Stefano Calzavara & Alvise Spanò


Editor information

Editors and Affiliations

  1. Department of Computer Science and Mathematics, University of Passau, Innstraße 31, 94034, Passau, Germany

    Dirk Beyer

  2. Dipartimento di Sistemi e Informatica, Università di Firenze, Viale Morgagni, 65, 50134, Florence, Italy

    Michele Boreale


Copyright information

© 2013 IFIP International Federation for Information Processing

About this paper

Cite this paper

Bugliesi, M., Calzavara, S., Spanò, A. (2013). Lintent: Towards Security Type-Checking of Android Applications. In: Beyer, D., Boreale, M. (eds) Formal Techniques for Distributed Systems. FMOODS FORTE 2013 2013. Lecture Notes in Computer Science, vol 7892. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38592-6_20

  • DOI: https://doi.org/10.1007/978-3-642-38592-6_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38591-9

  • Online ISBN: 978-3-642-38592-6

  • eBook Packages: Computer Science, Computer Science (R0)
