research-article

CHEX: statically vetting Android apps for component hijacking vulnerabilities

Authors:

Guofei JiangAuthors Info & Claims

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Pages 229 - 240

https://doi.org/10.1145/2382196.2382223

Published: 16 October 2012 Publication History

Abstract

An enormous number of apps have been developed for Android in recent years, making it one of the most popular mobile operating systems. However, the quality of the booming apps can be a concern [4]. Poorly engineered apps may contain security vulnerabilities that can severally undermine users' security and privacy. In this paper, we study a general category of vulnerabilities found in Android apps, namely the component hijacking vulnerabilities. Several types of previously reported app vulnerabilities, such as permission leakage, unauthorized data access, intent spoofing, and etc., belong to this category.

We propose CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities. Modeling these vulnerabilities from a data-flow analysis perspective, CHEX analyzes Android apps and detects possible hijack-enabling flows by conducting low-overhead reachability tests on customized system dependence graphs. To tackle analysis challenges imposed by Android's special programming paradigm, we employ a novel technique to discover component entry points in their completeness and introduce app splitting to model the asynchronous executions of multiple entry points in an app.

We prototyped CHEX based on Dalysis, a generic static analysis framework that we built to support many types of analysis on Android app bytecode. We evaluated CHEX with 5,486 real Android apps and found 254 potential component hijacking vulnerabilities. The median execution time of CHEX on an app is 37.02 seconds, which is fast enough to be used in very high volume app vetting and testing scenarios.

References

[1]

Android and security. http://googlemobile.blogspot.com/2012/02/android-and-security.html.

[2]

Baksmali: a disassembler for Android's dex format. http://code.google.com/p/smali/.

[3]

Google's 10 billion android app downloads. www.wired.com/gadgetlab/2011/12/10-billion-apps-detailed/.

[4]

Quality of Android market apps is pathetically low. http://www.huffingtonpost.com/2011/06/20/android-market-quality_n_880478.html.

[5]

WALA: T.J. Watson libraries for analysis. http://wala.sourceforge.netl.

[6]

Android application components. http://developer.android.com/guide/topics/fundamentals.html#Components, 2012.

[7]

BANDHAKAVI, S., KING, S. T., MADHUSUDAN, P., AND WINSLETT, M. Vex: vetting browser extensions for security vulnerabilities. In Proceedings of the 19th USENIX Security Symposium (2010).

Digital Library

[8]

BUGIEL, S., DAVI, L., DMITRIENKO, A., FISCHER, T., AND SADEGHI, A.-R. Xmandroid: A new android evolution to mitigate privilege escalation attacks. Tech. Rep. TR-2011-04, Technische Universitat Darmstadt, 2011.

[9]

CHEN, H., AND WAGNER, D. Mops: an infrastructure for examining security properties of software. In Proceedings of the 9th ACM CCS (2002).

Digital Library

[10]

CHIN, E., FELT, A. P., GREENWOOD, K., AND WAGNER, D. Analyzing inter-application communication in android. In Proceedings of the 9th MobiSys (2011).

Digital Library

[11]

DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., AND WINANDY, M. Privilege escalation attacks on android. In Proceedings of the 13th ISC (2010).

Digital Library

[12]

DIETZ, M., SHEKHAR, S., PISETSKY, Y., SHU, A., AND WALLACH, D. S. Quire: Lightweight provenance for smart phone operating systems. In Proceedings of the 20th USENIX Security Symposium (2011).

Digital Library

[13]

EFSTATHOPOULOS, P., KROHN, M., VANDEBOGART, S., FREY, C., ZIEGLER, D., KOHLER, E., MAZIÈRES, D., KAASHOEK, F., AND MORRIS, R. Labels and event processes in the asbestos operating system. In Proceedings of the 20th ACM SOSP (2005).

Digital Library

[14]

EGELE, M., KRUEGEL, C., KIRDA, E., AND VIGNA, G. Pios: Detecting privacy leaks in ios applications. In Proceedings of the 19th NDSS (2011).

[15]

ENCK, W., GILBERT, P., CHUN, B.-G., COX, L. P., JUNG, J., MCDANIEL, P., AND SHETH, A. N. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX OSDI (2010).

Digital Library

[16]

ENCK, W., OCTEAU, D., MCDANIEL, P., AND CHAUDHURI, S. A study of android application security. In Proceedings of the 20th USENIX Security Symposium (2011).

Digital Library

[17]

ENCK, W., ONGTANG, M., AND MCDANIEL, P. On lightweight mobile phone application certification. In Proceedings of the 16th ACM CCS (2009).

Digital Library

[18]

FELMETSGER, V., CAVEDON, L., KRUEGEL, C., AND VIGNA, G. Toward automated detection of logic vulnerabilities in web applications. In Proceedings of the 19th USENIX Security Symposium (2010).

Digital Library

[19]

FELT, A. P., CHIN, E., HANNA, S., SONG, D., AND WAGNER, D. Android permissions demystified. In Proceedings of the 18th ACM CCS (2011).

Digital Library

[20]

FELT, A. P., WANG, H. J., MOSHCHUK, A., HANNA, S., AND CHIN, E. Permission re-delegation: attacks and defenses. In Proceedings of the 20th USENIX Security Symposium (2011).

Digital Library

[21]

GRACE, M., ZHOU, Y., WANG, Z., AND JIANG, X. Systematic detection of capability leaks in stock Android smartphones. In Proceedings of the 19th NDSS (2012).

[22]

GUNDOTRA, V., AND BARRA, H. Android: Momentum, mobile and more at Google I/O. http://www.google.com/events/io/2011/.

[23]

HARDY, N. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (1988), 36--38.

Digital Library

[24]

HORNYACK, P., HAN, S., JUNG, J., SCHECHTER, S., AND WETHERALL, D. These aren't the droids you're looking for: retrofitting android to protect data from imperious applications. In Proceedings of the 18th ACM CCS (2011).

Digital Library

[25]

HORWITZ, S., REPS, T., AND BINKLEY, D. Interprocedural slicing using dependence graphs. SIGPLAN Not. 23, 7 (1988), 35--46.

Digital Library

[26]

JOVANOVIC, N., KRUEGEL, C., AND KIRDA, E. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In Proceedings of the IEEE S&P'06 (2006).

Digital Library

[27]

LINEBERRY, A., RICHARDSON, D. L., AND WYATT, T. These aren't permissions you're looking for. In Proceedings of the Blackhat'10 (2010).

[28]

LIVSHITS, V. B., AND LAM, M. S. Finding security vulnerabilities in java applications with static analysis. In Proceedings of the 14th USENIX Security Symposium (2005).

Digital Library

[29]

MYERS, A. C. Jflow: practical mostly-static information flow control. In Proceedings of the 26th ACM POPL (1999).

Digital Library

[30]

STAIGER, S. Reverse engineering of graphical user interfaces using static analyses. In Proceedings of the 14th IEEE WCRE (2007).

Digital Library

[31]

STAIGER, S. Static analysis of programs with graphical user interface. In Proceedings of the 11th IEEE CSMR (2007).

Digital Library

[32]

TRIPP, O., PISTOIA, M., FINK, S. J., SRIDHARAN, M., AND WEISMAN, O. TAJ: effective taint analysis of web applications. In Proceedings of the ACM PLDI '09 (2009).

Digital Library

[33]

WASSERMANN, G., AND SU, Z. Static detection of cross-site scripting vulnerabilities. In Proceedings of the 30th ACM ICSE (2008).

Digital Library

[34]

ZELDOVICH, N., BOYD-WICKIZER, S., KOHLER, E., AND MAZIÈRES, D. Making information flow explicit in histar. In Proceedings of the 7th USENIX OSDI (2006).

Digital Library

[35]

ZHOU, W., ZHOU, Y., JIANG, X., AND NING, P. DroidMOSS: Detecting repackaged smartphone applications in third-party android. In Proceedings of ACM CODASPY'12 (2012).

Digital Library

[36]

ZHOU, Y., AND JIANG, X. Dissecting android malware: Characterization and evolution. In Proceedings of the IEEE Symposium on S&P'12 (2012).

Digital Library

[37]

ZHOU, Y., WANG, Z., ZHOU, W., AND JIANG, X. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the 20th NDSS (2012).

Cited By

Shi CGuan Y(2025)Forensic Analysis of Third-Party Cloud Software Development Kits for Android AppsAdvances in Digital Forensics XX10.1007/978-3-031-71025-4_3(43-62)Online publication date: 7-Jan-2025
https://doi.org/10.1007/978-3-031-71025-4_3
Liu YZhang YLiu BDuan HLi QLiu MLi RYao JBalzarotti DXu W(2024)Tickets or privacy? understand the ecosystem of chinese ticket grabbing appsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699186(5107-5124)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699186
Li ALu SNath SPadhye RSekar VVanbever LZhang I(2024)EXCHAINProceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation10.5555/3691825.3691937(2047-2062)Online publication date: 16-Apr-2024
https://dl.acm.org/doi/10.5555/3691825.3691937
Show More Cited By

Index Terms

CHEX: statically vetting Android apps for component hijacking vulnerabilities
1. General and reference
  1. Cross-computing tools and techniques
    1. Validation
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Empirical software validation
      2. Process validation
        Walkthroughs

Recommendations

HybriDroid: static analysis framework for Android hybrid applications
ASE '16: Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

Mobile applications (apps) have long invaded the realm of desktop apps, and hybrid apps become a promising solution for supporting multiple mobile platforms. Providing both platform-specific functionalities via native code like native apps and user ...
Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Due to the portability advantage, HTML5-based mobile apps are getting more and more popular.Unfortunately, the web technology used by HTML5-based mobile apps has a dangerous feature, which allows data and code to be mixed together, making code injection ...
COVERT: Compositional Analysis of Android Inter-App Permission Leakage
Android is the most popular platform for mobile devices. It facilitates sharing of data and services among applications using a rich inter-app communication system. While access to resources can be controlled by the Android permission system, enforcing ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

October 2012

1088 pages

ISBN:9781450316514

DOI:10.1145/2382196

General Chair:
Ting Yu
North Carolina State University, USA
,
Program Chairs:
George Danezis
Microsoft Research Cambridge, UK
,
Virgil Gligor
Carnegie Mellon University, USA

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 October 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'12

Sponsor:

SIGSAC

CCS'12: the ACM Conference on Computer and Communications Security

October 16 - 18, 2012

North Carolina, Raleigh, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

437
Total Citations
View Citations
2,857
Total Downloads

Downloads (Last 12 months)90
Downloads (Last 6 weeks)10

Reflects downloads up to 14 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Shi CGuan Y(2025)Forensic Analysis of Third-Party Cloud Software Development Kits for Android AppsAdvances in Digital Forensics XX10.1007/978-3-031-71025-4_3(43-62)Online publication date: 7-Jan-2025
https://doi.org/10.1007/978-3-031-71025-4_3
Liu YZhang YLiu BDuan HLi QLiu MLi RYao JBalzarotti DXu W(2024)Tickets or privacy? understand the ecosystem of chinese ticket grabbing appsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699186(5107-5124)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699186
Li ALu SNath SPadhye RSekar VVanbever LZhang I(2024)EXCHAINProceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation10.5555/3691825.3691937(2047-2062)Online publication date: 16-Apr-2024
https://dl.acm.org/doi/10.5555/3691825.3691937
Hu YKuang WZhe JLi WLi KZhang JHu Q(2024)SIAT: A systematic inter-component communication real-time analysis technique for detecting data leak threats on AndroidJournal of Computer Security10.3233/JCS-22004432:3(291-317)Online publication date: 17-Jun-2024
https://doi.org/10.3233/JCS-220044
Miltenberger MArzt S(2024)Precisely Extracting Complex Variable Values from Android AppsACM Transactions on Software Engineering and Methodology10.1145/364959133:5(1-56)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3649591
Lian KZhang LYang GMao SWang XZhang YYang M(2024)Component Security Ten Years Later: An Empirical Study of Cross-Layer Threats in Real-World Mobile ApplicationsProceedings of the ACM on Software Engineering10.1145/36437301:FSE(70-91)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643730
Wu RHe YHuang JWang CTang WShi QXiao XZhang CRoychoudhury APaiva AAbreu RStorey M(2024)LibAlchemy: A Two-Layer Persistent Summary Design for Taming Third-Party Libraries in Static Bug-Finding SystemsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639132(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639132
Cao JGuo FQu Y(2024)JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00033(255-266)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER60148.2024.00033
Nirumand AZamani BLadani B(2024)A comprehensive framework for inter-app ICC security analysis of Android appsAutomated Software Engineering10.1007/s10515-024-00439-831:2Online publication date: 4-Jun-2024
https://doi.org/10.1007/s10515-024-00439-8
Vyas PWaheed AAafer YAsokan NCalandrino JTroncoso C(2023)Auditing framework APIs via inferred app-side security specificationsProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620576(6061-6077)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620576
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents