Reference : Borrowing your enemy's arrows: the case of code reuse in android via direct inter-app...
Scientific congresses, symposiums and conference proceedings : Paper published in a journal
Engineering, computing & technology : Computer science
Security, Reliability and Trust
http://hdl.handle.net/10993/45769
Borrowing your enemy's arrows: the case of code reuse in android via direct inter-app code invocation
English
Gao, Jun [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Li, Li [Monash University > Faculty of Information Technology]
Kong, Pingfan [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Bissyande, Tegawendé François D Assise [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Klein, Jacques [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Nov-2020
ESEC/FSE 2020: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
Association for Computing Machinery
Yes
International
New York
United States
The 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
from 06-11-2020 to 16-11-2020
[en] Android ; Java Reflection ; DICI
[en] The Android ecosystem offers different facilities to enable communication among app components and across apps to ensure that rich services can be composed through functionality reuse. At the heart of this system is the Inter-component communication (ICC) scheme, which has been largely studied in the literature. Less known in the community is another powerful mechanism that allows for direct inter-app code invocation which opens up for different reuse scenarios, both legitimate or malicious. This paper exposes the general workflow for this mechanism, which beyond ICCs, enables app developers to access and invoke functionalities (either entire Java classes, methods or object fields) implemented in other apps using official Android APIs. We experimentally showcase how this reuse mechanism can be leveraged to "plagiarize" supposedly-protected functionalities. Typically, we were able to leverage this mechanism to bypass security guards that a popular video broadcaster has placed for preventing access to its video database from outside its provided app. We further contribute with a static analysis toolkit, named DICIDer, for detecting direct inter-app code invocations in apps. An empirical analysis of the usage prevalence of this reuse mechanism is then conducted. Finally, we discuss the usage contexts as well as the implications of this studied reuse mechanism.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX
Researchers ; Professionals
10.1145/3368089.3409745
FnR ; FNR10621687 > Sjouke Mauw > SPsquared > Security and Privacy for System Protection > 01/01/2017 > 30/06/2023 > 2016

File(s) associated to this reference

Fulltext file(s):

File | Commentary | Version | Size | Access
article.pdf | | Author preprint | 2.27 MB | Limited access (request a copy)

All documents in ORBilu are protected by a user license.