Design and implementation of capability leak detection for Android applications

doi:10.7523/j.issn.2095-6134.2015.01.021

Abstract

Abstract:

Capability leak vulnerability on Android platform may lead to permission elevation and privacy disclosure, and it is often exploited by malicious applications to bypass Android security mechanism. However, so far there is no approach aiming at Android capability leak detection on the source code level comprehensively. In this paper, we propose a novel approach named CLDroid, which uses backward program slicing to abstract application logic from the Java source code, detects pattern violations based on predefined security rules, and reports the violations as capability leak vulnerability. Results show that our approach is effective in detecting capability leak vulnerability and has better scalability.

Key words: capability leak vulnerability, static analysis, program slicing, Android security

CLC Number:

TP393.08

FANG Zhejun, LIU Qixu, ZHANG Yuqing. Design and implementation of capability leak detection for Android applications[J]. , 2015, 32(1): 127-135.

References

[1] Gartner. Worldwide smartphone sales in Q₃ 2013[EB/OL]. [2014-1-22]. http://www.gartner.com/newsroom/id/2623415.

[2] AppBrain. Number of available Android applications[EB/OL]. [2014-1-22]. http://www.appbrain.com/stats/.

[3] Roman Unuchek. Obad.a trojan now being distributed via mobile botnets[EB/OL]. [2014-01-22]. http://www.securelist.com/en/blog/8131/Obad_a_Trojan_now_being_distributed_via_mobile_botnets

[4] Chinese 3C Products Sales Promotion. Android, KungFu series variants depth analysis and complete clean-up methods[EB/OL]. [2014-01-22]. http://www.aicuxiao.org/2012/01/17/20403.html

[5] Jiang X X. Smishing vulnerability in multiple Android platforms (including gingerbread, ice cream sandwich, and jelly bean)[EB/OL]. [2014-01-22]. http://www.csc.ncsu.edu/faculty/jiang/smishing.html.

[6] Grace M, Zhou Y, Wang Z, et al. Systematic detection of capability leaks in stock Android smartphones[C]//Proceedings of the 19th Annual Symposium on Network and Distributed System Security. 2012.

[7] Chan P P F, Hui L C K, Yiu S M. Droidchecker: analyzing Android applications for capability leak[C]//Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2012: 125-136.

[8] Davi L, Dmitrienko A, Sadeghi A R, et al. Privilege escalation attacks on Android[C]//Information Security. Springer Berlin Heidelberg, 2011: 346-360.

[9] Felt A P, Wang H J, Moshchuk A, et al. Permission re-delegation: attacks and defenses[C]//USENIX Security Symposium. 2011.

[10] Enck W, Octeau D, McDaniel P, et al. A study of Android application security[C]//USENIX Security Symposium. 2011.

[11] Enck W, Gilbert P, Chun B G, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones[C]//OSDI. 2010, 10: 255-270.

[12] Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale[C]//Trust and Trustworthy Computing. Springer Berlin Heidelberg, 2012: 291-307.

[13] Kim J, Yoon Y, Yi K, et al. ScanDal: Static analyzer for detecting privacy leaks in Android applications[C]//Proceedings of the Workshop on Mobile Security Technologies (MoST), in Conjunction with the IEEE Symposium on Security and Privacy. 2012.

[14] Yang Z, Yang M, Zhang Y, et al. Appintent: Analyzing sensitive data transmission in Android for privacy leakage detection[C]//Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013: 1043-1054.

[15] Felt A P, Chin E, Hanna S, et al. Android permissions demystified[C]//Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, 2011: 627-638.

[16] Egele M, Brumley D, Fratantonio Y, et al. An empirical study of cryptographic misuse in Android applications[C]//Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013: 73-84.

[17] Fuchs A P, Chaudhuri A, Foster J S. SCanDroid: automated security certification of Android applications[EB/OL]. [2014-01-22]. http://www. cs. umd. edu/~avik/projects/scandroidascaa.

[18] Enck W, Ongtang M, McDaniel P. On lightweight mobile phone application certification[C]//Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, 2009: 235-245.

[19] Mustafa T, Sohr K. Understanding the implemented access control policy of Android system services with slicing and extended static checking[EB/OL]. [2014-01-22]. http://www.informatik.uni-bremen.de/~sohr/papers/Report.pdf.

[20] Berger B J, Sohr K, Koschke R. Extracting and analyzing the implemented security architecture of business applications[C]//Software Maintenance and Reengineering (CSMR), 2013 17th European Conference on. IEEE, 2013: 285-294.

[21] Weiser M. Program slicing[C]//Proceedings of the 5th lnternational Conference on Software Engineering. IEEE Press, 1981: 439-449.

[22] Enck W, Ongtang M, McDaniel P. Understanding Android security[J]. Security & Privacy, IEEE, 2009, 7(1): 50-57.

[23] Jesse Burns. Developing secure mobile applications for Android [EB/OL]. [2014-01-22]. https://www.isecpartners.com/media/11991/isec_securing_android_apps.pdf.

[24] Jgesser. Javaparser: a Java 1.5 parser with AST generation and visitor support[EB/OL]. [2014-01-22]. https://code.google.com/p/javaparser/.

[25] Android Open Source Project. Application fundamentals[EB/OL]. [2014-01-22]. http://developer.android.com/guide/components/fundamentals.html

[26] Fang Z, Zhang Y, Kong Y, et al. Static detection of logic vulnerabilities in Java web applications[J/OL]. Security and Communication Networks, 2013. doi: 10.1002/sec.747, http://onlinelibrary.wiley.com/doi/10.1002/sec.747/abstract.