1 / 53

Analyzing Inter-Application Communication in Android

Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner University of California Berkeley MobiSys 2011. Analyzing Inter-Application Communication in Android. Outline. Introduction Android Overview Intent-based Attack Surfaces ComDroid Evaluation Other mobile Platforms.

caia
Download Presentation

Analyzing Inter-Application Communication in Android

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner University of California Berkeley MobiSys2011 Analyzing Inter-Application Communication in Android

  2. Outline • Introduction • Android Overview • Intent-based Attack Surfaces • ComDroid • Evaluation • Other mobile Platforms

  3. Introduction

  4. Introduction • Android’s message passing system can become an attack surface if used incorrectly • Intent • Intents can be used for both intra- and inter-application communication • ComDroid • A tool analyzes Android applications to detect potential instances of vulnerabilities • Personal data loss, corruption, phishing…

  5. Android Overview

  6. Android Overview • Android’s security model differs significantly from the standard desktop security model • The complexity of Android’s message passing system implies it has the largest attack surface

  7. Android Overview • Threat Model Isolation (mem, file..) Isolation (mem, file..)

  8. Android Overview Malicious Intent Activity Activity Activity Intent Intent Intent Service Service Service Fake System Intent BroadcastReceiver BroadcastReceiver BroadcastReceiver System Intent

  9. Android Overview Activity www.bank.com attacker.com ?

  10. Android Overview • This paper do not consider attacks on the OS • Just focus on securing applications from each other

  11. Android Overview • Intents [link] • System broadcast Intents • Only can be sent by the OS • Explicit or implicit

  12. Explicit Intents Name: MapActivity Map App Yelp To: MapActivity Only the specified destination receives this message

  13. Implicit Intents Handles Action: VIEW Map App Yelp Handles Action: DISPLAYTIME Clock App Implicit Intent Action: VIEW

  14. Implicit Intents Handles Action: VIEW Map App Yelp Handles Action: VIEW Browser App Implicit Intent Action: VIEW

  15. Android Overview • Activities • Services • Broadcast Receivers • Content Providers

  16. Android Overview • Activity • Display on screen Advanced Defense Laboratory

  17. Android Overview • Service • Background process Advanced Defense Laboratory

  18. Android Overview • Broadcast Receiver • Asynchronous event notification Advanced Defense Laboratory

  19. Android Overview • Content Provider • Share data between applications • Do not use Intents • Use URI (Uniform Resource Identifier) Advanced Defense Laboratory

  20. Android Overview • Component Declaration • AndroidManifest.xml • To receive Intents… • Service and Activity must be declared in the manifest • Broadcast Receivers can be declared at runtime or in the manifest

  21. Android Overview • Exported Components • EXPORTED flag (in AndroidManifest.xml) • Includes at least one Intent filter • Intent filter • Action, category, data, extra data…

  22. Android Overview • A sender can assign any action, type, or category (certain actions that it only the system can send)

  23. Android Overview • Permission • Normal • Dangerous • Signature • SignatureOrSystem

  24. Intent-based Attack Surfaces

  25. Common Developer Pattern:Unique Action Strings IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Showtime Search Results UI Implicit Intent Action: willUpdateShowtimes

  26. Common Developer Pattern:Unique Action Strings IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Showtime Search Results UI Implicit Intent Action: willUpdateShowtimes

  27. ATTACK #1: Eavesdropping IMDb App Eavesdropping App Handles Action: willUpdateShowtimes, showtimesNoLocationError Showtime Search Malicious Receiver Implicit Intent Action: willUpdateShowtimes Sending Implicit Intents makes communication public

  28. ATTACK #2: Intent Spoofing Malicious Injection App IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Malicious Component Results UI Action: showtimesNoLocationError Receiving Implicit Intents makes the component public

  29. Typical case Attack case

  30. ATTACK #3: Man in the Middle IMDb App Man-in-the-Middle App Handles Action: willUpdateShowtimes, showtimesNoLocation Error Handles Action: willUpdateShowtimes, showtimesNoLocationError Showtime Search Results UI Malicious Receiver Action: willUpdateShowtimes Action: showtimesNoLocation Error

  31. ATTACK #4: System Intent Spoofing • Background – System Broadcast • Event notifications sent by the system • Some can only be sent by the system • Receivers become accessible to all applications when listening for system broadcast

  32. App 1 System Broadcast Component Handles Action: BootCompleted System Notifier App 2 Component Handles Action: BootCompleted Action: BootCompleted App 3 Component Handles Action: BootCompleted

  33. System Intent Spoofing: Failed Attack Malicious App App 1 Handles Action: BootCompleted Malicious Component Component Action: BootCompleted

  34. System Intent Spoofing: Successful Attack Malicious App App 1 Handles Action: BootCompleted Malicious Component Component To: App1.Component

  35. Real World Example: ICE App ICE App: Allows doctors access to medical information on phones Contains a component that listens for the BootCompleted system broadcast On receipt of the Intent, it exits the application and locks the screen

  36. Real World Example: ICE

  37. ComDroid

  38. ComDroid • Disassemble application DEX files using Dedexer tool • Parses the disassembled output and logs potential component and Intent vulnerabilities

  39. ComDroid

  40. ComDroid • Permission • Normaland Dangerous • Intent Analysis • Intents, IntentFilters, registers, sinks (e.g., sendBroadcast(), startActivity(), etc.) and components

  41. ComDroid • Intent • Whether it has been made explicit • Whether it has an action • Whether it has any flags set • Whether it has any extra data • Sinks • Implicit or not?

  42. ComDroid • Component Analysis • Public or not? • Main, launching Activity is public but is less likely to be attackable • registerReceiver() • With data / without data • System broadcast • Intent.getAction() • Misuse

  43. ComDroid • Limitation and discussion • Do not distinguish between paths through if and switch statements • False negatives • Pending Intent • Future work

  44. Evaluation

  45. Evaluation

  46. Evaluation

  47. Evaluation

  48. Evaluation

  49. Evaluation

More Related