Security Testing of Second Order Permission Re-delegation Vulnerabilities in Android Apps
In Android, inter-app communication is a cornerstone feature where apps exchange special messages called Intents in order to integrate with each other and deliver a rich end-user experience. In particular, in case an app is granted special permission, it can dispatch privileged Intents to request sensitive tasks to system components.
However, a malicious app might hijack a defective privileged app and exploit it as a proxy, to forward attacking Intents to system components. We call this threat “Second Order Permission Re-delegation” vulnerability.
In this paper, we present (i) a detailed description of this novel vulnerability and (ii) our approach based on static analysis and automated test cases generation to detect (and document) instances of this vulnerability. We empirically evaluated our approach on a large set of top Google Play apps. Results suggest that this novel vulnerability is neglected by state of the art, but that it is common even among popular apps. In fact, our approach found 27 real vulnerabilities with fast analysis time, while a state-of-the-art static analysis tool could find none of them.
Conference DayMon 13 JulDisplayed time zone: (UTC) Coordinated Universal Time change
16:00 - 17:30
|Security Testing of Second Order Permission Re-delegation Vulnerabilities in Android AppsTechnical Papers|
Technical PapersMedia Attached
|DFarm: Massive-Scaling Dynamic Android App Analysis on Real HardwareTool Demos and Mobile Apps|
Tool Demos and Mobile Apps
|Making Android Apps Monkey-FriendlyVisions|
Samad PaydarFerdowsi University of Mashhad
Doctoral symposium paper
|Improving App Quality Despite Flawed Mobile AnalyticsStudent Research Competition|
Student Research Competition
Julian HartyCommercetest LimitedLink to publication
|Q&A - Software Quality|
|Discussion with Authors / Attendees|