Paper published in a book (Scientific congresses, symposiums and conference proceedings)
Automatically Exploiting Potential Component Leaks in Android Applications
Li, Li; {"lastName":"BARTEL", "firstNames":"Alexandre","affiliations":["University of Luxembourg \u003e Interdisciplinary Centre for Security, Reliability and Trust (SNT)"]} 50024843; Klein, Jacqueset al.
2014 • In The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), IEEE, Sept. 2014, Beijing, China.
[en] We present PCLeaks, a tool based on inter- component communication (ICC) vulnerabilities to perform data-flow analysis on Android applications to find potential component leaks that could potentially be exploited by other components. To evaluate our approach, we run PCLeaks on 2000 apps randomly selected from the Google Play store. PCLeaks reports 986 potential component leaks in 185 apps. For each leak reported by PCLeaks, PCLeaksValidator automatically generates an Android app which tries to exploit the leak. By manually running a subset of the generated apps, we find that 75% of the reported leaks are exploitable leaks.
Disciplines :
Computer science
Author, co-author :
Li, Li ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Klein, Jacques ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Language :
English
Title :
Automatically Exploiting Potential Component Leaks in Android Applications
Publication date :
September 2014
Event name :
The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14)
Event date :
from 24-09-2014 to 26-09-2014
Main work title :
The 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), IEEE, Sept. 2014, Beijing, China.
Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie. "WHYPER: Towards Automating Risk Assessment of Mobile Applications." In: Proceedings of the 22st USENIX conference on Security symposium. 2013.
Alessandra Gorla, Ilaria Tavecchia, Florian Gross, and Andreas Zeller. "Checking App Behavior Against App Descriptions". In: ICSE'14: Proceedings of the 36th International Conference on Software Engineering. Hyderabad (India), 31 May-7 June, 2014.
Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. "Effective intercomponent communication mapping in android with epicc: An essential step towards holistic security analysis". In: Proceedings of the 22nd USENIX Security Symposium. 2013.
Clint Gibler, Jonathan Crussell, Jeremy Erickson, and Hao Chen. "AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale". In: Proceedings of the 5th international conference on Trust and Trustworthy Computing. TRUST'12. Vienna, Austria: Springer-Verlag, 2012, pp. 291-307.
Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon, Steven Arzt, Rasthofer Siegfried, Eric Bodden, Damien Octeau, and Patrick Mcdaniel. I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis. English. Tech. rep. 978-2-87971-129-4 TR-SNT-2014-9. Apr. 2014.
Yajin Zhou and Xuxian Jiang. "Detecting passive content leaks and pollution in android applications". In: Proceedings of the 20th Annual Symposium on Network and Distributed System Security. 2013.
Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau, and Patrick Mc-Daniel. "FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-Aware Taint Analysis for Android Apps". In: Proceedings of the 35th annual ACM SIGPLAN conference on Programming Language Design and Implementation (PLDI 2014). 2014.
Jinyung Kim, Yongho Yoon, Kwangkeun Yi, and Junbum Shin. "ScanDal: Static Analyzer for Detecting Privacy Leaks in Android Applications". In: MoST 2012: Mobile Security Technologies 2012. Ed. by Hao Chen, Larry Koved, and Dan S. Wallach. San Francisco, CA, USA: IEEE, May 2012.
Patrick P. F. Chan, Lucas C. K. Hui, and S. M. Yiu. "DroidChecker: analyzing android applications for capability leak". In: Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. WISEC '12. Tucson, AZ, USA: ACM, Apr. 2012, pp. 125-136.
Li Li, Alexandre Bartel, Jacques Klein, and Yves Le Traon. "Detecting privacy leaks in Android Apps". In: International Symposium on Engineering Secure Software and Systems-Doctoral Symposium (ESSoS-DS2014) (2014).
Thomas Reps, Susan Horwitz, and Mooly Sagiv. "Precise interprocedural dataflow analysis via graph reachability". In: POPL '95. 1995, pp. 49-61.
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. "CHEX: statically vetting Android apps for component hijacking vulnerabilities". In: Proceedings of the 2012 ACM conference on Computer and communications security. CCS '12. Raleigh, North Carolina, USA: ACM, 2012, pp. 229-240.
Zhibo Zhao and Fernando C. Coĺon Osorio. ""TrustDroid;": Preventing the use of SmartPhones for information leaking in corporate networks through the used of static analysis taint tracking". In: MALWARE. 2012, pp. 135-143.
Zhemin Yang and Min Yang. "LeakMiner: Detect Information Leakage on Android with Static Taint Analysis". In: Third World Congress on Software Engineering (WCSE 2012). 2012, pp. 101-104.
Siegfried Rasthofer, Steven Arzt, and Eric Bodden. "A Machinelearning Approach for Classifying and Categorizing Android Sources and Sinks". In: The 2014 Network and Distributed System Security Symposium (NDSS). 2014.
Eric Bodden. "Inter-procedural data-flow analysis with IFDS/IDE and Soot". In: Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis. SOAP '12. 2012, pp. 3-8.
Alexandre Bartel, Jacques Klein, Martin Monperrus, and Yves Le Traon. "Dexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot". In: ACM Sigplan International Workshop on the State Of The Art in Java Program Analysis. Beijing, China, 2012.
David Sounthiraraj, Justin Sahs, Garret Greenwood, Zhiqiang Lin, and Latifur Khan. "SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-The-Middle Vulnerabilities in Android Apps". In: The 2014 Network and Distributed System Security Symposium (NDSS). 2014.
Aske Simon Christensen, Anders Møller, and Michael I Schwartzbach. Precise analysis of string expressions. Springer, 2003.
Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. "Hey, you, get off of my cloud: exploring information leakage in thirdparty compute clouds". In: Proceedings of the 16th ACM conference on Computer and communications security. ACM. 2009, pp. 199-212.
Omer Tripp, Marco Pistoia, Stephen J Fink, Manu Sridharan, and Omri Weisman. "TAJ: effective taint analysis of web applications". In: ACM Sigplan Notices. Vol. 44. 6. ACM. 2009, pp. 87-97.
Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. "PiOS: Detecting Privacy Leaks in iOS Applications." In: The Network and Distributed System Security Symposium (NDSS 2011). 2011.
Adam P Fuchs, Avik Chaudhuri, and Jeffrey S Foster. "SCan-Droid: Automated security certification of Android applications". In: Manuscript, Univ. of Maryland, http: //www. cs. umd. edu/ avik/projects/ scandroidascaa (2009).
William Enck, Peter Gilbert, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol Sheth. "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones." In: OSDI. Vol. 10. 2010, pp. 255-270.
Alessandro Reina, Aristide Fattori, and Lorenzo Cavallaro. "A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors". In: EuroSec, April (2013).
Shunya Sakamoto, Kenji Okuda, Ryo Nakatsuka, and Toshihiro Yamauchi. "DroidTrack: Tracking and Visualizing Information Diffusion for Preventing Information Leakage on Android". In: Journal of Internet Services and Information Security (JISIS) 4.2 (2014), pp. 55-69.
Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner. "Analyzing inter-Application communication in Android". In: Proceedings of the 9th international conference on Mobile systems, applications, and services. MobiSys '11. Bethesda, Maryland, USA: ACM, 2011, pp. 239-252.
Quang Do, B. Martini, and K.-K.R. Choo. "Enhancing User Privacy on Android Mobile Devices via Permissions Removal". In: System Sciences (HICSS), 2014 47th Hawaii International Conference on. 2014, pp. 5070-5079.
Alexandre Bartel, Jacques Klein, Martin Monperrus, Kevin Allix, and Yves Le Traon. Improving privacy on android smartphones through in-vivo bytecode instrumentation. Technical Report. 2012.
Alexandre Bartel, Jacques Klein, Martin Monperrus, and Yves Le Traon. "Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android". In: IEEE Transactions on Software Engineering (TSE) (2014).
Alexandre Bartel, Jacques Klein, Martin Monperrus, and Yves Le Traon. "Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android". In: Proceedings of the 27th IEEE/ACM International Conference On Automated Software Engineering. Essen, Germany, 2012.
Siegfried Rasthofer, Steven Arzt, Enrico Lovat, and Eric Bodden. "DroidForce: Enforcing Complex, Data-Centric, System-Wide Policies in Android". In: Proceedings of the International Conference on Availability, Reliability and Security (ARES). 2014