SCIENCE CHINA Information Sciences, Volume 60, Issue 5: 052111(2017) https://doi.org/10.1007/s11432-015-5422-7

A static technique for detecting input validation vulnerabilities in Android apps

More info
  • Received: Apr 7, 2016
  • Accepted: Jun 3, 2016
  • Published: Sep 12, 2016

Abstract

Input validation vulnerabilities are common in Android apps, especially in inter-component communication. Attackers can exploit this kind of vulnerability to bypass Android's security mechanisms and compromise the integrity, confidentiality and availability of Android devices. However, so far there is no sound source-code-level approach that app developers can use to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from the Java source code. It then validates these slices against predefined security rules to detect vulnerabilities of known patterns. To detect vulnerabilities of unknown patterns, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies the slices against them. EasyIVD then semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of the original Android apps, spanning versions 2.2 to 5.0. It detects 58 vulnerabilities, including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.
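The two detection stages the abstract describes, as an added Python sketch that is not EasyIVD's code: rule checking of known patterns over transaction and constraint slices, and inference of implicit security specifications as frequent guard patterns over duplicated slices. The slice locations, transaction kinds and guard names are constructed, and the support threshold is an assumption.

```python
# Added illustration, not EasyIVD's code: a toy model of the abstract's two
# detection stages. A transaction slice is the sensitive operation; its constraint
# slice is the guards dominating it on the backward slice. All names constructed.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Slice:
    location: str           # where the transaction sits in the source
    transaction: str        # kind of sensitive operation
    constraints: frozenset  # guards found on the backward slice

# Stage 1, known patterns: the guards each transaction kind must carry.
KNOWN_RULES = {
    "forwardIntent": {"checkCallingPermission"},  # else confused deputy
    "parseExtra": {"nonNull(extra)"},             # else crash, denial of service
}

def check_rules(slices, rules):
    """Return (location, missing guards) for every slice that violates rules."""
    violations = []
    for s in slices:
        missing = rules.get(s.transaction, set()) - s.constraints
        if missing:
            violations.append((s.location, frozenset(missing)))
    return violations

def infer_implicit_specs(slices, min_support=0.75, min_dups=3):
    """Stage 2, unknown patterns: for a kind duplicated >= min_dups times, guards
    present in >= min_support of its slices become an implicit specification."""
    by_kind, specs = {}, {}
    for s in slices:
        by_kind.setdefault(s.transaction, []).append(s)
    for kind, group in by_kind.items():
        if len(group) < min_dups:
            continue
        counts = Counter(c for s in group for c in s.constraints)
        frequent = {c for c, n in counts.items() if n / len(group) >= min_support}
        if frequent:
            specs[kind] = frequent
    return specs

SAMPLE_SLICES = [  # constructed stand-ins for what backward slicing would extract
    Slice("SmsReceiver.onReceive:42", "parseExtra", frozenset({"nonNull(extra)"})),
    Slice("SmsReceiver.onReceive:57", "parseExtra", frozenset()),
    Slice("SettingsSvc.setA:10", "writeSetting", frozenset({"enforceCallingUid", "nonNull(value)"})),
    Slice("SettingsSvc.setB:20", "writeSetting", frozenset({"enforceCallingUid", "nonNull(value)"})),
    Slice("SettingsSvc.setC:30", "writeSetting", frozenset({"enforceCallingUid", "nonNull(value)"})),
    Slice("SettingsSvc.setD:40", "writeSetting", frozenset({"nonNull(value)"})),
]
```

Running `check_rules(SAMPLE_SLICES, KNOWN_RULES)` flags the unchecked extra at `onReceive:57`; `check_rules(SAMPLE_SLICES, infer_implicit_specs(SAMPLE_SLICES))` flags `setD:40`, the one write that omits the caller check its three duplicates share.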


Acknowledgments

This research was supported in part by the National Information Security Special Projects of the National Development and Reform Commission of China (Grant No. (2012)1424), the National Natural Science Foundation of China (Grant Nos. 61572460, 61272481, 61303239), and the Open Project Program of the State Key Laboratory of Information Security (Grant No. 2015-MS-04).



Copyright 2019 Science China Press Co., Ltd. (《中国科学》杂志社有限责任公司). All rights reserved.