Advertisement

IVDroid: Static Detection for Input Validation Vulnerability in Android Inter-component Communication

  • Zhejun FangEmail author
  • Qixu Liu
  • Yuqing Zhang
  • Kai Wang
  • Zhiqiang Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)

Abstract

Input validation vulnerability in Android inter-component communication is a kind of severe vulnerabilities in Android apps. Malicious attacks can exploit the vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at source code level designed for app developers to detect such vulnerabilities. In this paper we propose a novel approach aiming at detecting input validation flaws in Android apps and implement a prototype named IVDroid, which provides practical static analysis of Java source code. IVDroid leverages backward program slicing to abstract application logic from Java source code. On slice level, IVDroid detects flaws of known pattern by security rule matching and detects flaws of unknown pattern by duplicate validation behavior mining. Then IVDroid semi-automatically confirms the suspicious rule violations and report the confirmed ones as vulnerabilities. We evaluate IVDroid on 3 versions of Android spanning from version 2.2 to 4.4.2 and it detects 37 vulnerabilities including confused deputy and denial of service attack. Our results prove that IVDroid can provide a practical defence solution for app developers.

Keywords

Input Validation Vulnerability Static Analysis Program Slicing Vulnerability Detection Android Security 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
  2. 2.
    Grace, M., Zhou, Y., Wang, Z., et al.: Systematic detection of capability leaks in stock Android smartphones. In: NDSS (2012)Google Scholar
  3. 3.
    Felt, A.P., Wang, H.J., Moshchuk, A., et al.: Permission Re-Delegation: Attacks and Defenses. USENIX Security Symposium (2011)Google Scholar
  4. 4.
    Zhou, Y., Jiang, X.: Detecting Passive Content Leaks and Pollution in Android Applications. In: NDSS (2013)Google Scholar
  5. 5.
    Lu, L., Li, Z., Wu, Z., et al.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 229–240 (2012)Google Scholar
  6. 6.
    Zhang, M., Yin, H.: AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications. In: Proceedings of the 21th Annual Network and Distributed System Security Symposium, NDSS 2014 (2014)Google Scholar
  7. 7.
    Enck, W., Octeau, D., McDaniel, P., et al.: A Study of Android Application Security. In: USENIX security symposium (2011)Google Scholar
  8. 8.
  9. 9.
    Yang, K., Zhuge, J., Wang, Y., et al.: IntentFuzzer: detecting capability leaks of android applications. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 531–536. ACM (2014)Google Scholar
  10. 10.
    CVE-2013-6271: Security Advisory Curesec Research Team, http://dl.packetstormsecurity.net/1311-advisories/CURE-2013-1011.txt
  11. 11.
    Fuchs, A.P., Chaudhuri, A., Foster, J.S.: SCanDroid: Automated security certification of Android applications Manuscript, Univ. of Maryland. Citeseer (2009), http://www.cs.umd.edu/avik/projects/scandroidascaa
  12. 12.
    Mustafa, T., Sohr, K.: Understanding the Implemented Access Control Policy of Android System Services with Slicing and Extended Static Checking. Technical report, University of Bremen (2012)Google Scholar
  13. 13.
    Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 235–245 (2009)Google Scholar
  14. 14.
    Fang, Z., Zhang, Y., Kong, Y., et al.: Static detection of logic vulnerabilities in Java web applications Security and Communication Networks. Security and Communication Networks 7(3), 519–531 (2014)CrossRefGoogle Scholar
  15. 15.
    Enck, W., Ongtang, M., McDaniel, P.: Understanding android security. IEEE Security & Privacy 7, 50–57 (2009)CrossRefGoogle Scholar
  16. 16.
    Au, K.W.Y., Zhou, Y.F., Huang, Z., et al.: Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 217–228 (2012)Google Scholar
  17. 17.
    Felt, A.P., Chin, E., Hanna, S., et al.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638 (2011)Google Scholar
  18. 18.
    Berger, B.J., Sohr, K., Koschke, R.: Extracting and Analyzing the Implemented Security Architecture of Business Applications. In: 17th European Conference on Software Maintenance and Reengineering (CSMR), pp. 285–294 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Zhejun Fang
    • 1
    Email author
  • Qixu Liu
    • 1
  • Yuqing Zhang
    • 1
  • Kai Wang
    • 1
  • Zhiqiang Wang
    • 1
  1. 1.National Computer Network Intrusion Protection CenterUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations