Semi-Automated Discovery of Server-Based Information Oversharing Vulnerabilities in Android Applications
Modern applications are often split into separate client and server tiers that communicate via message passing over the network. One well-understood threat to privacy for such applications is the leakage of sensitive user information either in transit or at the server. In response, an array of defensive techniques have been developed to identify or block unintended or malicious information leakage. However, prior work has primarily considered privacy leaks originating at the client directed at the server, while leakage in the reverse direction – from the server to the client – is comparatively under-studied. The question of whether and to what degree this leakage constitutes a threat remains an open question. We answer this question in the affirmative with Hush, a technique for semi-automatically identifying Server-based InFormation OvershariNg (SIFON) vulnerabilities in multi-tier applications. In particular, the technique detects SIFON vulnerabilities using a heuristic that overshared sensitive information from server-side APIs will not be displayed by the application’s user interface. The technique first performs a scalable static program analysis to screen applications for potential vulnerabilities, and then attempts to confirm these candidates as true vulnerabilities with a partially-automated dynamic analysis. Our evaluation over a large corpus of Android applications demonstrates the effectiveness of the technique by discovering several previously-unknown SIFON vulnerabilities in eight applications.
Tue 11 JulDisplayed time zone: Tijuana, Baja California change
13:20 - 15:00 | Dynamic AnalysisTechnical Papers at Bren 1414 Chair(s): Tao Xie University of Illinois at Urbana-Champaign | ||
13:20 25mTalk | Effective Online Software Anomaly Detection Technical Papers Yizhen Chen SUNY Albany, USA, Ming Ying SUNY Albany, USA, Daren Liu SUNY Albany, USA, Adil Alim SUNY Albany, USA, Feng Chen SUNY Albany, USA, Mei-Hwa Chen SUNY Albany, USA DOI | ||
13:45 25mTalk | Semi-Automated Discovery of Server-Based Information Oversharing Vulnerabilities in Android Applications Technical Papers William Koch Boston University, USA, Abdelberi Chaabane Northeastern University, USA, Manuel Egele Boston University, USA, William Robertson Northeastern University, USA, Engin Kirda Northeastern University, USA DOI | ||
14:10 25mTalk | CPR: Cross Platform Binary Code Reuse via Platform Independent Trace Program Technical Papers Yonghwi Kwon Purdue University, Weihang Wang Purdue University, Yunhui Zheng IBM Research, Xiangyu Zhang Purdue University, Dongyan Xu Purdue University, USA DOI | ||
14:35 25mTalk | An Actionable Performance Profiler for Optimizing the Order of Evaluations Technical Papers Marija Selakovic TU Darmstadt, Germany, Thomas Glaser TU Darmstadt, Germany, Michael Pradel TU Darmstadt DOI |