Enhancement and formal verification of the ICC mechanism with a sandbox approach in android system

Published: 27 June 2024

Abstract

Inter-Component Communication (ICC) plays a crucial role in facilitating information exchange and functionality integration within the complex ecosystem of Android systems. However, the security and safety implications arising from ICC interactions pose significant challenges. This paper is an extended work building upon our previously published research that focuses on the verification of safety properties in the ICC mechanism. We address the previously observed issues of data leakage and privilege escalation by incorporating a sandbox mechanism and permission control. The sandbox mechanism provides an isolated and controlled environment in which ICC components can operate, while permission control mechanisms are introduced to enforce fine-grained access controls, ensuring that only authorized entities have access to sensitive resources. We further leverage formal methods, specifically communicating sequential processes (CSP), to verify several properties of the enhanced ICC mechanism. By employing CSP, we aim to systematically model and analyze the flow of information, the behavior of components, and the potential vulnerabilities associated with the enhanced ICC mechanism. The verification results highlight the effectiveness of our approach in enhancing the security and reliability of ICC mechanisms, ultimately contributing to the development of safer and more trustworthy Android systems.

Published In

Software Quality Journal, Volume 32, Issue 3
Sep 2024
519 pages

Publisher

Kluwer Academic Publishers

United States

Publication History

Published: 27 June 2024
Accepted: 30 May 2024

Author Tags

  1. Android
  2. Inter-Component Communication (ICC)
  3. Inter-App Communication (IAC)
  4. Communicating Sequential Process (CSP)
  5. PAT with C#

Qualifiers

  • Research-article
