DOI: 10.1145/2818000.2818033

Towards Analyzing the Input Validation Vulnerabilities associated with Android System Services

Published: 07 December 2015

Abstract

Although input validation vulnerabilities play a critical role in web application security, they have so far been largely neglected by the Android security research community. We found that, because of Android's unique Framework Code layer, Android devices need input validation vulnerability analysis that is specific to their system services. In this work, we take the first steps towards analyzing Android-specific input validation vulnerabilities. In particular, (a) we take the first steps towards measuring the corresponding attack surface and report the current input validation status of Android system services, and (b) we developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all Android system services by sending them requests with malformed arguments. Through a comprehensive evaluation of the Android system, covering over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. We have reported all the issues to Google, and Google has confirmed them.



Information

Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015
489 pages
ISBN:9781450336826
DOI:10.1145/2818000
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)36
  • Downloads (Last 6 weeks)2
Reflects downloads up to 25 Feb 2025

Cited By

  • (2023) A Systematic Study of Android Non-SDK (Hidden) Service API Security. IEEE Transactions on Dependable and Secure Computing 20(2):1609-1623. doi:10.1109/TDSC.2022.3160872. Online publication date: 1-Mar-2023.
  • (2023) Input Validation Vulnerabilities in Web Applications: Systematic Review, Classification, and Analysis of the Current State-of-the-Art. IEEE Access 11:40128-40161. doi:10.1109/ACCESS.2023.3266385. Online publication date: 2023.
  • (2023) If You're Scanning This, It's Too Late! A QR Code-Based Fuzzing Methodology to Identify Input Vulnerabilities in Mobile Apps. Applied Cryptography and Network Security Workshops, pp. 553-570. doi:10.1007/978-3-031-41181-6_30. Online publication date: 4-Oct-2023.
  • (2022) iService: Detecting and Evaluating the Impact of Confused Deputy Problem in AppleOS. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 964-977. doi:10.1145/3564625.3568001. Online publication date: 5-Dec-2022.
  • (2022) JNI Global References Are Still Vulnerable: Attacks and Defenses. IEEE Transactions on Dependable and Secure Computing 19(1):607-619. doi:10.1109/TDSC.2020.2995542. Online publication date: 1-Jan-2022.
  • (2022) SAUSAGE: Security Analysis of Unix domain Socket usAGE in Android. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 572-586. doi:10.1109/EuroSP53844.2022.00042. Online publication date: Jun-2022.
  • (2022) Android Stack Vulnerabilities: Security Analysis of a Decade. Proceedings of the International Conference on Paradigms of Communication, Computing and Data Sciences, pp. 111-122. doi:10.1007/978-981-16-5747-4_10. Online publication date: 1-Jan-2022.
  • (2021) A Longitudinal Study of Application Structure and Behaviors in Android. IEEE Transactions on Software Engineering 47(12):2934-2955. doi:10.1109/TSE.2020.2975176. Online publication date: 1-Dec-2021.
  • (2021) Understanding the Evolution of Android App Vulnerabilities. IEEE Transactions on Reliability 70(1):212-230. doi:10.1109/TR.2019.2956690. Online publication date: Mar-2021.
  • (2021) Looking Back! Using Early Versions of Android Apps as Attack Vectors. IEEE Transactions on Dependable and Secure Computing 18(2):652-666. doi:10.1109/TDSC.2019.2914202. Online publication date: 1-Mar-2021.
