
IVDroid: Static Detection for Input Validation Vulnerability in Android Inter-component Communication

Conference paper in: Information Security Practice and Experience (ISPEC 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9065)

Abstract

Input validation vulnerabilities in Android inter-component communication are a severe class of vulnerability in Android apps. Malicious attacks can exploit them to bypass Android security mechanisms and compromise the integrity, confidentiality and availability of Android devices. However, so far there is no sound approach at the source-code level designed for app developers to detect such vulnerabilities. In this paper we propose a novel approach for detecting input validation flaws in Android apps and implement a prototype named IVDroid, which provides practical static analysis of Java source code. IVDroid leverages backward program slicing to abstract application logic from Java source code. At the slice level, IVDroid detects flaws of known patterns by security rule matching and flaws of unknown patterns by duplicate validation behavior mining. IVDroid then semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate IVDroid on 3 versions of Android spanning from version 2.2 to 4.4.2, and it detects 37 vulnerabilities, including confused deputy and denial of service attacks. Our results prove that IVDroid can provide a practical defence solution for app developers.

This research is supported in part by National Information Security Special Projects of National Development and Reform Commission of China under grant (2012)1424, National Natural Science Foundation of China under grants 61272481 and 61303239.




Corresponding author

Correspondence to Zhejun Fang.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Fang, Z., Liu, Q., Zhang, Y., Wang, K., Wang, Z. (2015). IVDroid: Static Detection for Input Validation Vulnerability in Android Inter-component Communication. In: Lopez, J., Wu, Y. (eds) Information Security Practice and Experience. ISPEC 2015. Lecture Notes in Computer Science, vol 9065. Springer, Cham. https://doi.org/10.1007/978-3-319-17533-1_26


  • DOI: https://doi.org/10.1007/978-3-319-17533-1_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17532-4

  • Online ISBN: 978-3-319-17533-1

  • eBook Packages: Computer Science (R0)
