Identifying Android Inter App Communication Vulnerabilities Using Static and Dynamic Analysis

Ceccato, M;
2016-01-01

Abstract

The Android platform is designed to facilitate inter-app integration and communication, so that apps can reuse functionality implemented by other apps through delegation. Although this feature is often cited as the main reason for Android's popularity, it also poses security risks to the end user: a malicious, unprivileged app can exploit the delegation model to reach privileged tasks exposed by a vulnerable app. In this paper, we present a particularly dangerous case of delegation, which we call Android Wicked Delegation (AWiDe). We then compare two approaches to automatically detecting inadequate message validation, one based on static analysis and one on dynamic analysis, and empirically validate them on more than three hundred popular apps. The vulnerabilities we detected led to working proof-of-concept attacks, one of which the app developers have confirmed.
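The delegation risk the abstract describes starts with a component that another app can reach without any caller restriction. The following is an added illustration, not code from the paper and not its AWiDe detection method: a small static triage over an AndroidManifest.xml that lists components reachable by other apps (exported explicitly, or implicitly through an intent-filter) that carry no android:permission, next to the privileged permissions the app itself holds. The manifest, package name and component names are constructed for the example.

```python
# Added illustration (not the paper's tooling): flag manifest components that
# other apps can reach without a caller restriction, and list the privileged
# permissions the app holds, which is what makes such a component a delegate.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical app and component names):
# a launcher activity, a service that sends SMS on behalf of any caller,
# a permission-protected receiver, and a service kept private.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Victim">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SmsRelayService">
      <intent-filter>
        <action android:name="com.example.victim.SEND"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.victim.ADMIN"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(comp):
    """True for the MAIN/LAUNCHER activity, which is exported by design."""
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def is_exported(comp):
    """Explicit android:exported wins; otherwise an intent-filter makes the
    component reachable by other apps (the platform default before
    Android 12 forced developers to state the attribute)."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def caller_restriction(comp, app_permission):
    """Permission a caller must hold: the component's own, or the one set on
    <application>. Providers may also be gated by read/write permissions."""
    perms = [_attr(comp, "permission")]
    if comp.tag == "provider":
        perms += [_attr(comp, "readPermission"), _attr(comp, "writePermission")]
    own = [p for p in perms if p]
    return own[0] if own else app_permission


def held_permissions(manifest_xml):
    """Permissions the app requests; these are what a delegate can hand out."""
    root = ET.fromstring(manifest_xml)
    return [_attr(u, "name") for u in root.findall("uses-permission")]


def find_unprotected_exports(manifest_xml):
    """Return (kind, name, reason) for every reachable, unrestricted component."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_perm = _attr(app, "permission")
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            if caller_restriction(comp, app_perm):
                continue
            how = ('android:exported="true"' if _attr(comp, "exported")
                   else "implicitly via <intent-filter>")
            findings.append((tag, _attr(comp, "name"),
                             "exported %s with no android:permission" % how))
    return findings


if __name__ == "__main__":
    print("app holds:", held_permissions(SAMPLE_MANIFEST))
    for kind, name, reason in find_unprotected_exports(SAMPLE_MANIFEST):
        print("%-8s %-20s %s" % (kind, name, reason))
```

A hit from this triage is only a candidate: whether the component actually performs a privileged action on behalf of the caller, and whether it validates the incoming Intent, still has to be established by following the handler code or by driving the component with crafted Intents, which is the part the paper's static and dynamic approaches address.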
Year: 2016
ISBN: 9781450341783
Files in this record:
File: main.pdf (authorized users only)
Type: Post-print document
License: Restricted access
Size: 461.63 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11562/1031726
Citations
  • PMC: not available
  • Scopus: 17
  • ISI (Web of Science): 14