Detecting file:// and exposed component vulnerabilities in Android apps

Pao Yue-kong Library Electronic Theses Database

Detecting file:// and exposed component vulnerabilities in Android apps


Author: Wu, Daoyuan
Title: Detecting file:// and exposed component vulnerabilities in Android apps
Degree: M.Phil.
Year: 2015
Subject: Application software -- Development.
Mobile computing.
Hong Kong Polytechnic University -- Dissertations
Department: Dept. of Computing
Pages: ix, 68 pages : illustrations ; 30 cm
Language: English
InnoPac Record:
Abstract: In only a few years, smartphones have already become indispensable tools for many people to manage their daily lives. However, our privacy and security are constantly threatened by mobile malwares and vulnerable mobile apps. Detecting these malwares and uncovering vulnerable apps is therefore one of the most pressing problems confronting the security research community. This thesis considers two main security problems in Android platform, the most popular mobile operating system to date. First, we identify four types of attacks in Android browsers, collectively known as FileCross that exploits the vulnerable file:// interfaces to obtain user’s private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them being vulnerable to the attacks. They include the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.
The second problem is related to the fundamental feature of Androidthe component-based communicationin which apps can utilize other apps' exported components for flexible coding and data sharing. In return for this convenience, the exported components, if not well designed, will run into serious security risks. In this study, we consider a general class of vulnerabilities occurred in exported components, named exposed component vulnerability (ECV), which exposes privileged capabilities or private resources to other unauthorized apps. To detect these ECVs, the prior works use a set of sinks pertaining to the ECVs under detection. We argue that a more comprehensive and effective approach should start from a systematic selection and classification of vulnerability-specific sinks (VSinks). The set of VSinks employed in our study is much larger than those used in the previous works. Based on these VSinks, our sink-driven approach can detect different kinds of ECVs in an app in two steps. First, the VSinks and their categories are identified through a typical forward reachability analysis. Second, based on each VSink{174}s category, a corresponding detection method is used to identify the ECV via a customized backward dataflow analysis. We also design a semi-automated guided analysis and validation for system-only broadcast checking to remove some false positives. We implement our sink-driven approach in a tool called ECVDetector and evaluate it with the top 1K Android apps. We use ECVDetector to successfully identify a total of 49 vulnerable apps across all four ECV categories we have defined. To our knowledge, most of them are previously undisclosed, such as the very popular Go SMS Pro and Clean Master. Moreover, the performance of ECVDetector is high, requiring only 9.257 seconds on average to process each component.

Files in this item

Files Size Format
b28068646.pdf 2.431Mb PDF
Copyright Undertaking
As a bona fide Library user, I declare that:
  1. I will abide by the rules and legal ordinances governing copyright regarding the use of the Database.
  2. I will use the Database for the purpose of my research or private study only and not for circulation or further reproduction or any other purpose.
  3. I agree to indemnify and hold the University harmless from and against any loss, damage, cost, liability or expenses arising from copyright infringement or unauthorized usage.
By downloading any item(s) listed above, you acknowledge that you have read and understood the copyright undertaking as stated above, and agree to be bound by all of its terms.


Quick Search


More Information