RAICC: Revealing Atypical Inter-Component Communication in Android Apps

in 43rd International Conference on Software Engineering (ICSE) (2021, May)

Inter-Component Communication (ICC) is a key mechanism in Android. It enables developers to compose rich functionalities and explore reuse within and across apps. Unfortunately, as reported by a large ... [more ▼]

Inter-Component Communication (ICC) is a key mechanism in Android. It enables developers to compose rich functionalities and explore reuse within and across apps. Unfortunately, as reported by a large body of literature, ICC is rather "complex and largely unconstrained", leaving room to a lack of precision in apps modeling. To address the challenge of tracking ICCs within apps, state of the art static approaches such as Epicc, IccTA and Amandroid have focused on the documented framework ICC methods (e.g., startActivity) to build their approaches. In this work we show that ICC models inferred in these state of the art tools may actually be incomplete: the framework provides other atypical ways of performing ICCs. To address this limitation in the state of the art, we propose RAICC a static approach for modeling new ICC links and thus boosting previous analysis tasks such as ICC vulnerability detection, privacy leaks detection, malware detection, etc. We have evaluated RAICC on 20 benchmark apps, demonstrating that it improves the precision and recall of uncovered leaks in state of the art tools. We have also performed a large empirical investigation showing that Atypical ICC methods are largely used in Android apps, although not necessarily for data transfer. We also show that RAICC increases the number of ICC links found by 61.6% on a dataset of real-world malicious apps, and that RAICC enables the detection of new ICC vulnerabilities. [less ▲]

De l'utilisation d'une bibliothèque à l'exécution d'un code arbitraire

Article for general public (2020)

ACMiner: Extraction and Analysis of Authorization Checks inAndroid’s Middleware

(2019)

Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android’s permission model is well studied, the ... [more ▼]

Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android’s permission model is well studied, the enforcementof the protection policy has received relatively little attention. Much of this enforcement is spread across system services,taking the form of hard-coded checks within their implementations.In this paper, we propose Authorization Check Miner (ACMiner),a framework for evaluating the correctness of Android’s access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner’s ability to help domain experts process thousands of authorization checks scattered across millions of lines of code. [less ▲]

MUSTI: Dynamic Prevention of Invalid Object Initialization Attacks

Report (2018)

Exploitation du CVE-2015-4843

Article for general public (2018)

Twenty years of Escaping the Java Sandbox

Article for general public (2018)

The Java platform is broadly deployed on billions of devices, from servers and desktop workstations to consumer electronics. It was originally designed to implement an elaborate security model, the Java ... [more ▼]

The Java platform is broadly deployed on billions of devices, from servers and desktop workstations to consumer electronics. It was originally designed to implement an elaborate security model, the Java sandbox, that allows for the secure execution of code retrieved from potentially untrusted remote machines without putting the host machine at risk. Concretely, this sandboxing approach is used to secure the execution of untrusted Java applications such as Java applets in the web browser. Unfortunately, critical security bugs -- enabling a total bypass of the sandbox -- affected every single major version of the Java platform since its introduction. Despite major efforts to fix and revise the platform's security mechanisms over the course of two decades, critical security vulnerabilities are still being found. In this work, we review the past and present of Java insecurity. Our goal is to provide an overview of how Java platform security fails, such that we can learn from the past mistakes. All security vulnerabilities presented here are already known and fixed in current versions of the Java runtime, we discuss them for educational purposes only. This case study has been made in the hope that we gain insights that help us design better systems in the future. [less ▲]

Architecture 64 bits / aslr: quelles conséquences pour les exploits 32 bits? Étude de cas avec Java et le CVE-2010-0842

Article for general public (2017)

Security Analysis of Permission-Based Systems using Static Analysis: An Application to the Android Stack

Doctoral thesis (2014)

In recent years, mobile devices, such as smart phones, have spread at an exponential rate. The most used system running on these devices, accounting for almost 80% of market share for smart phones world ... [more ▼]

In recent years, mobile devices, such as smart phones, have spread at an exponential rate. The most used system running on these devices, accounting for almost 80% of market share for smart phones world-wide, is the Android software stack. This system runs Android applications that users download from an application market. The system is called a permission-based system since it limits access to protected resources by checking that applications have the required permission(s). Users store and manipulate personal information such as contact lists or pictures using applications on their devices and trust that their data is safe. Analyzing applications and the system on top of which they are running would be an objective method to evaluate if the data is well-protected.In this thesis we aim at analyzing Android applications from the security point of view and answering to the following challenging questions: How can Android applications be analyzed? Are permissions well-defined for Android applications? Can applications leak protected data? How can dynamic analysis complement static analysis? To answer these questions we structure the thesis around four objectives. The first objective is to analyze Android applications with static analysis tools. The challenge is that Android applications are packaged with Dalvik bytecode, different in many aspects from the Java bytecode. We developed Dexpler, a tool to transform Dalvik bytecode into Jimple, an understandable format for Soot, one of the most used static analysis framework for Java-based programs. With Dexpler we can now analyze Android applications.The second objective is to check that developers do not give too many permissions to the Android applications they develop. Reducing the number of permission reduces the attack surface of an malicious user exploiting an application. We analyze the code of applications to check which permissions they really require. This requires to deeply analyze the Android framework to extract a mapping between API methods (that Android application call) and required permissions. We present an Andersen-like field-sensitive approach using novel domain-specific optimizations to extract the mapping from the Android framework. Permissions protect sensitive data. Nevertheless, applications having the right permission(s) to access the data could leak the data. This is for instance the case with malware or application packaged with aggressive advertisement libraries. The third objective is to statically analyze Android applications to detect such leaks. Android applications are different from traditional Java applications. One of the most important differences is that Android applications are made of components. Analyzing Android applications to find leaks requires to link components that communicate together and to model every component. We developed IccTA to detect privacy leaks. It connects components at the code level to perform inter-component and inter-application data-flow analysis.Analyzing Android applications statically enables to find security issues such as the GPS coordinates leaking out of the device. However, static analyses do not run directly on users’ devices and thus do not take the device’s context into account. The last objective of this thesis is to have an insight of how dynamic approaches can complement static analyses. We are the first to present a tool-chain to dynamically instrument Android applications in vivo, i.e. directly on the device. We present two use cases instrumenting applications to show that dynamic approaches are feasible, that they can leverage results from static analyses, and that they are beneficial for the user from the point of view of security or privacy. One of the use case is a fine-grained permission system prototype enabling the user to disable or enable application permissions at will. The four contributions have been validated through rigorous experiments as complete as possible. Through this thesis we provide solutions to analyze Android applications using static analysis, to check the permission set of applications, to find private data leaks in Android applications and to analyze permission-based frameworks. By analyzing what goes wrong, we can improve the security and privacy of mobile applications. [less ▲]

I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis

Report (2014)

Android applications may leak privacy data carelessly or maliciously. In this work we perform inter-component data-flow analysis to detect privacy leaks between components of Android applications. Unlike ... [more ▼]

Android applications may leak privacy data carelessly or maliciously. In this work we perform inter-component data-flow analysis to detect privacy leaks between components of Android applications. Unlike all current approaches, our tool, called IccTA, propagates the context between the components, which improves the precision of the analysis. IccTA outperforms all other available tools by reaching a precision of 95.0% and a recall of 82.6% on DroidBench. Our approach detects 147 inter-component based privacy leaks in 14 applications in a set of 3000 real-world applications with a precision of 88.4%. With the help of ApkCombiner, our approach is able to detect inter-app based privacy leaks. [less ▲]

Detecting privacy leaks in Android Apps

Scientific Conference (2014, February 26)

The number of Android apps have grown explosively in recent years and the number of apps leaking private data have also grown. It is necessary to make sure all the apps are not leaking private data before ... [more ▼]

The number of Android apps have grown explosively in recent years and the number of apps leaking private data have also grown. It is necessary to make sure all the apps are not leaking private data before putting them to the app markets and thereby a privacy leaks detection tool is needed. We propose a static taint analysis approach which leverages the control-flow graph (CFG) of apps to detect privacy leaks among Android apps. We tackle three problems related to inter- component communication (ICC), lifecycle of components and callback mechanism making the CFG imprecision. To bridge this gap, we ex- plicitly connect the discontinuities of the CFG to provide a precise CFG. Based on the precise CFG, we aim at providing a taint analysis approach to detect intra-component privacy leaks, inter-component privacy leaks and also inter-app privacy leaks. [less ▲]