Transcript Analyzing Inter-Application Communication in Android
Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner. University of California, Berkeley. MobiSys 2011
Outline: Introduction; Android Overview; Intent-based Attack Surfaces; ComDroid; Evaluation; Other Mobile Platforms
Introduction
Introduction: Android’s message passing system can become an attack surface if used incorrectly. Intent: Intents can be used for both intra- and inter-application communication. ComDroid: a tool that analyzes Android applications to detect potential instances of vulnerabilities. Personal data loss, corruption, phishing…
Android Overview
Android Overview: Android’s security model differs significantly from the standard desktop security model. The complexity of Android’s message passing system implies it has the largest attack surface.
Android Overview: Threat Model [figure: Isolation (mem, file..)]
Android Overview [figure labels: Activity, Service, BroadcastReceiver, Intent; Malicious Intent sent to Activity and Service; Fake System Intent and System Intent sent to BroadcastReceiver]
Android Overview [figure labels: www.bank.com, Activity, attacker.com, ?]
Android Overview: This paper does not consider attacks on the OS; it focuses on securing applications from each other.
Android Overview: Intents. System broadcast Intents can only be sent by the OS. Intents are explicit or implicit.
Explicit Intents [figure: Yelp sends an Intent "To: MapActivity" to the Map App component named MapActivity]. Only the specified destination receives this message.
Implicit Intents [figure: Yelp sends an implicit Intent with Action: VIEW; the Map App handles Action: VIEW; the Clock App handles Action: DISPLAYTIME]
Implicit Intents [figure: Yelp sends an implicit Intent with Action: VIEW; the Map App handles Action: VIEW; the Browser App handles Action: VIEW]
Android Overview: Activities, Services, Broadcast Receivers, Content Providers
Android Overview: Activity. Display on screen. (Advanced Defense Laboratory, 2009/12/8)
Android Overview: Service. Background process.
Android Overview: Broadcast Receiver. Asynchronous event notification.
Android Overview: Content Provider. Shares data between applications. Does not use Intents. Uses URIs (Uniform Resource Identifiers).
Android Overview: Component Declaration (AndroidManifest.xml)
To receive Intents: a Service or Activity must be declared in the manifest. Broadcast Receivers can be declared at runtime or in the manifest.
Android Overview: Exported Components. EXPORTED flag (in AndroidManifest.xml). Includes at least one Intent filter. Intent filter: action, category, data, extra data…
Android Overview: A sender can assign any action, type, or category (except certain actions that only the system can send).
Android Overview: Permission: Normal, Dangerous, Signature, SignatureOrSystem
Intent-based Attack Surfaces
Common Developer Pattern: Unique Action Strings [figure: in the IMDb App, Showtime Search sends an implicit Intent with Action: willUpdateShowtimes to Results UI, which handles Actions: willUpdateShowtimes, showtimesNoLocationError]
ATTACK #1: Eavesdropping [figure: in the IMDb App, Showtime Search sends an implicit Intent with Action: willUpdateShowtimes; the Malicious Receiver in the Eavesdropping App handles Actions: willUpdateShowtimes, showtimesNoLocationError]. Sending Implicit Intents makes communication public.
ATTACK #2: Intent Spoofing [figure: the Malicious Component in the Malicious Injection App sends Action: showtimesNoLocationError to Results UI in the IMDb App, which handles Actions: willUpdateShowtimes, showtimesNoLocationError]. Receiving Implicit Intents makes the component public.
[figure: Typical case, Attack case]
ATTACK #3: Man in the Middle [figure: in the IMDb App, Showtime Search sends Action: willUpdateShowtimes; the Malicious Receiver in the Man-in-the-Middle App handles Actions: willUpdateShowtimes, showtimesNoLocationError and sends Action: showtimesNoLocationError; Results UI in the IMDb App handles Actions: willUpdateShowtimes, showtimesNoLocationError]
ATTACK #4: System Intent Spoofing. Background: System Broadcast. Event notifications are sent by the system. Some can only be sent by the system. Receivers become accessible to all applications when listening for a system broadcast.
System Broadcast [figure: the System Notifier sends Action: BootCompleted; components in App 1, App 2 and App 3 each handle Action: BootCompleted]
System Intent Spoofing: Failed Attack [figure: the Malicious Component in the Malicious App sends Action: BootCompleted; the Component in App 1 handles Action: BootCompleted]
System Intent Spoofing: Successful Attack [figure: the Malicious Component in the Malicious App sends an Intent addressed To: App1.Component; the Component in App 1 handles Action: BootCompleted]
Real World Example: ICE App. ICE App: allows doctors access to medical information on phones. Contains a component that listens for the BootCompleted system broadcast. On receipt of the Intent, it exits the application and locks the screen.
Real World Example: ICE
ComDroid
ComDroid: Disassembles application DEX files using the Dedexer tool. Parses the disassembled output and logs potential component and Intent vulnerabilities.
ComDroid: Permission: Normal and Dangerous. Intent Analysis: Intents, IntentFilters, registers, sinks (e.g., sendBroadcast(), startActivity(), etc.) and components.
ComDroid: Intent: whether it has been made explicit; whether it has an action; whether it has any flags set; whether it has any extra data. Sinks: implicit or not?
ComDroid: Component Analysis. Public or not? The main, launching Activity is public but is less likely to be attackable. registerReceiver(): with data / without data. System broadcast: Intent.getAction(). Misuse.
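The "public or not?" component check above, as an added example (not ComDroid's code, which works on disassembled DEX output): a manifest-only audit run over a constructed AndroidManifest.xml. It assumes that an explicit android:exported value decides and that otherwise an Intent filter makes the component public, that Normal and Dangerous permissions do not keep other apps out, and that permissions not declared in the manifest are Normal; the package and component names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WEAK_LEVELS = {"normal", "dangerous"}  # levels any app can request
SYSTEM_ACTIONS = {"android.intent.action.BOOT_COMPLETED"}  # sample subset
# Constructed manifest for a hypothetical app; not taken from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.showtimes">
  <permission android:name="com.example.showtimes.SIG" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".ResultsReceiver">
      <intent-filter><action android:name="willUpdateShowtimes"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".Sync" android:permission="com.example.showtimes.SIG">
      <intent-filter><action android:name="com.example.showtimes.SYNC"/></intent-filter>
    </service>
    <service android:name=".Worker"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    """Return {component name: finding} for components other apps can reach."""
    root = ET.fromstring(manifest_xml)
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = {}
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            actions = {a.get(ANDROID + "name") for a in comp.iter("action")}
            exported = comp.get(ANDROID + "exported")
            # Assumption: explicit flag wins; otherwise an Intent filter makes it public.
            public = exported == "true" if exported else comp.find("intent-filter") is not None
            perm = comp.get(ANDROID + "permission")
            # Assumption: permissions not declared in this manifest are Normal (weak).
            if not public or (perm and levels.get(perm, "normal") not in WEAK_LEVELS):
                continue
            if "android.intent.action.MAIN" in actions:
                note = "public launcher (lower risk)"
            elif actions & SYSTEM_ACTIONS:
                note = "public system-broadcast receiver: check getAction()"
            else:
                note = "public: accepts Intents from any app"
            findings[comp.get(ANDROID + "name")] = note
    return findings
```

Calling `audit(SAMPLE_MANIFEST)` reports `.Main`, `.ResultsReceiver` and `.BootReceiver`; the signature-protected `.Sync` and the filterless `.Worker` are not reported.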
ComDroid: Limitations and discussion. Does not distinguish between paths through if and switch statements. False negatives. Pending Intents. Future work.
Evaluation