MOBILESoft 2020
Mon 13 - Wed 15 July 2020
co-located with ICSE 2020
Mon 13 Jul 2020 16:00 - 16:15 at MobileSoft - Software Quality Chair(s): Christine Julien

In Android, inter-app communication is a cornerstone feature: apps exchange special messages called Intents to integrate with each other and deliver a rich end-user experience. In particular, when an app is granted a special permission, it can dispatch privileged Intents to request sensitive tasks from system components.

However, a malicious app might hijack a defective privileged app and exploit it as a proxy to forward attacking Intents to system components. We call this threat the “Second Order Permission Re-delegation” vulnerability.

In this paper, we present (i) a detailed description of this novel vulnerability and (ii) our approach, based on static analysis and automated test case generation, to detect (and document) instances of this vulnerability. We empirically evaluated our approach on a large set of top Google Play apps. Results suggest that this novel vulnerability is neglected by the state of the art, but that it is common even among popular apps. In fact, our approach found 27 real vulnerabilities with fast analysis time, while a state-of-the-art static analysis tool could find none of them.
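The precondition described in the abstract (an app that holds permissions and also accepts Intents from any other app) can be triaged from the manifest alone. The following is an added example, not the paper's tool or method: a coarse pre-filter that lists Intent entry points open to other apps in a permission-holding app. The sample manifest and all names in it are constructed, and the check cannot tell whether a listed component actually forwards caller-controlled data into a privileged Intent.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
INTENT_COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.deputy">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".DialService">
      <intent-filter>
        <action android:name="com.example.deputy.DIAL"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsRelay" android:exported="true"
              android:permission="com.example.deputy.RELAY"/>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>"""


def candidate_entry_points(manifest_xml):
    """Return (permissions held, Intent entry points reachable by any app)."""
    root = ET.fromstring(manifest_xml)
    held = sorted(p.get(A + "name") for p in root.iter("uses-permission"))
    app = root.find("application")
    app_perm = app.get(A + "permission")  # application-wide caller requirement
    open_components = []
    for tag in INTENT_COMPONENTS:
        for comp in app.iter(tag):
            exported = comp.get(A + "exported")
            if exported is None:
                # Before Android 12, declaring an intent filter implied exported.
                has_filter = comp.find("intent-filter") is not None
                exported = "true" if has_filter else "false"
            guarded = comp.get(A + "permission") or app_perm
            if exported == "true" and not guarded:
                open_components.append(comp.get(A + "name"))
    # An app that holds no permissions has nothing to re-delegate.
    return held, (open_components if held else [])
```

Each component returned is a place to start code review or testing, not a confirmed finding.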

Mon 13 Jul
Times are displayed in time zone: (UTC) Coordinated Universal Time

16:00 - 16:15
Security Testing of Second Order Permission Re-delegation Vulnerabilities in Android Apps
Technical Papers
Biniam Fisseha Demissie (Fondazione Bruno Kessler), Mariano Ceccato (University of Verona)
16:15 - 16:25
DFarm: Massive-Scaling Dynamic Android App Analysis on Real Hardware
Tool Demos and Mobile Apps
Marc Miltenberger (Fraunhofer SIT), Julien Gerding (Fraunhofer SIT), Jens Guthmann (Fraunhofer SIT), Steven Arzt (Fraunhofer SIT)
16:25 - 16:35
Making Android Apps Monkey-Friendly
Visions
Samad Paydar (Ferdowsi University of Mashhad)
16:35 - 16:40
Doctoral symposium paper
Improving App Quality Despite Flawed Mobile Analytics
Student Research Competition
Julian Harty (Commercetest Limited)
16:40 - 17:00
Q&A - Software Quality
Paper Presentations
17:00 - 17:30
Discussion with Authors / Attendees
Paper Presentations