Detecting file:// and exposed component vulnerabilities in Android apps

Abstract

In only a few years, smartphones have already become indispensable tools for many people to manage their daily lives. However, our privacy and security are constantly threatened by mobile malwares and vulnerable mobile apps. Detecting these malwares and uncovering vulnerable apps is therefore one of the most pressing problems confronting the security research community. This thesis considers two main security problems in Android platform, the most popular mobile operating system to date. First, we identify four types of attacks in Android browsers, collectively known as FileCross that exploits the vulnerable file:// interfaces to obtain user’s private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them being vulnerable to the attacks. They include the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability. The second problem is related to the fundamental feature of Androidthe component-based communicationin which apps can utilize other apps' exported components for flexible coding and data sharing. In return for this convenience, the exported components, if not well designed, will run into serious security risks. In this study, we consider a general class of vulnerabilities occurred in exported components, named exposed component vulnerability (ECV), which exposes privileged capabilities or private resources to other unauthorized apps. To detect these ECVs, the prior works use a set of sinks pertaining to the ECVs under detection. We argue that a more comprehensive and effective approach should start from a systematic selection and classification of vulnerability-specific sinks (VSinks). The set of VSinks employed in our study is much larger than those used in the previous works. Based on these VSinks, our sink-driven approach can detect different kinds of ECVs in an app in two steps. First, the VSinks and their categories are identified through a typical forward reachability analysis. Second, based on each VSink{174}s category, a corresponding detection method is used to identify the ECV via a customized backward dataflow analysis. We also design a semi-automated guided analysis and validation for system-only broadcast checking to remove some false positives. We implement our sink-driven approach in a tool called ECVDetector and evaluate it with the top 1K Android apps. We use ECVDetector to successfully identify a total of 49 vulnerable apps across all four ECV categories we have defined. To our knowledge, most of them are previously undisclosed, such as the very popular Go SMS Pro and Clean Master. Moreover, the performance of ECVDetector is high, requiring only 9.257 seconds on average to process each component.