
DroidChecker: analyzing android applications for capability leak

Patrick P.F. Chan, Lucas C.K. Hui and S. M. Yiu

WISEC '12 Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks

04/20/2023 2

Contribution

• A novel approach to automatically detect capability leak in Android applications.


Capability Leak

• An application with fewer permissions (a non-privileged caller) gains access to the components of a more privileged application (a privileged callee).

• The lower-privileged application can then act through the capability of the higher-privileged application.


Four Major Android Components

• Activity – An activity represents a single screen with a user interface.

• Services – Run in the background to perform long-running operations and do not provide a user interface. For example, a service might play music in the background while the user is in a different application, or it might fetch data over the network without blocking user interaction with an activity.


Android Components (contd..)

• Content Providers – A content provider manages a shared set of application data. The data may be stored in the file system, in an SQLite database, on the web, etc.

• Broadcast Receivers – Respond to system-wide broadcast announcements. For example, a broadcast announcing that the screen has turned off, the battery is low, etc.


How can one application communicate with another?

• Through ICC (Inter-Component Communication), either intra- or inter-application.

• To be specific, through a special kind of message called an Intent. [Exception: Content Providers]

• Content providers are addressed through a special content Uniform Resource Identifier (URI). – Format: content://<authority>/<table>/[<id>]


Passing of intents (Example)

Ref: http://www.mertkavi.com/tag/android-programlama


System Design

[Figure: APK File → Decompile / Convert → JAR / Source Files; Get Manifest → Parse Manifest File → List of potential components → Risky Components? → Capability Leak Detection → Result]

Note : Drawn using the idea from [1]


Two Main Steps

• Manifest File Parsing – to find risky components for further review.

• Capability Leak Detection – to find the vulnerable applications/components among the candidates.


Manifest Parsing (1)

• At first, it checks the Android Manifest file to see:

– Whether the application uses at least one permission; if not, the parsing process terminates. [It has no capability]

– Then it checks whether the application is guarded by any permission in the <android:permission> tag; if so, the application is safe.


Manifest Parsing (2)

Note : Drawn using the idea from [1]

For components not found safe in the earlier check
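The two manifest checks above, written out as a small standalone script. This is an added example, not DroidChecker's code: it uses only the Python standard library, the manifest it parses is constructed for the illustration, and the "implicitly exported" rule (a component with an intent-filter and no explicit android:exported value) is the one the later slides describe.

```python
"""Added illustration of the slides' manifest-parsing step (not DroidChecker's code).

Reports components a reviewer would want to look at: the app holds at
least one permission, the <application> element is not permission-guarded,
and the component is exported (explicitly via android:exported="true", or
implicitly because it declares an <intent-filter>) without its own
android:permission attribute.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; not taken from any real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".SmsService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.demo.USE_SMS"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """An explicit android:exported wins; otherwise an intent-filter implies export."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def find_risky_components(manifest_xml):
    """Return (sorted permission list, risky component names) per the two checks."""
    root = ET.fromstring(manifest_xml)
    perms = sorted(attr(e, "name") for e in root.findall("uses-permission"))
    if not perms:
        return perms, []          # no capability to leak: parsing stops here
    app = root.find("application")
    if app is None or attr(app, "permission"):
        return perms, []          # whole application is permission-guarded: safe
    risky = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            # Exported and not guarded by a component-level permission.
            if is_exported(comp) and not attr(comp, "permission"):
                risky.append("%s:%s" % (tag, attr(comp, "name")))
    return perms, risky


if __name__ == "__main__":
    permissions, risky = find_risky_components(SAMPLE_MANIFEST)
    print("permissions:", permissions)
    print("risky components for review:", risky)
```

On the constructed manifest the script lists `.MainActivity` (implicitly exported through its intent-filter) and `.SmsService` (explicitly exported) as candidates, while `.GuardedService` and `.InternalReceiver` are dropped. Everything it returns is only a candidate list: whether a candidate actually leaks is left to the source-level step on the following slides.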


Capability Leak Detection

• After finding vulnerable components:

– Examine the source code of those components

– Try to find the data paths leading to capability leak through the inter-procedural control flow graph, following taint propagation


Capability Leak Detection

• Two kinds of data path are of interest:

– Those involving API calls that cause a sensitive operation to be called.

– Those involving API calls that return the result of a sensitive operation.


Taint propagation

• Two kinds of variables are tainted:

– Those appearing in the parameters of a sensitive call

– Variables holding the return value of a sensitive operation
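A toy taint pass that shows the two kinds of data path from the previous slides and the two taint sources listed on this one. It is an added example and not DroidChecker's implementation: the statement format, the set of "sensitive" API names and the sample component are all constructed, and the pass is a single forward sweep over straight-line statements rather than the inter-procedural control flow graph the tool works on.

```python
"""Added toy illustration of taint propagation over an exported component
(not DroidChecker's code; straight-line statements only).

Taint labels: "caller"    -> derived from the Intent the calling component sent
              "sensitive" -> derived from a sensitive API's return value
Kind-1 path: caller-derived data reaches a parameter of a sensitive call.
Kind-2 path: a sensitive return value reaches a value handed back to the caller.
"""

# Constructed set of "sensitive" API names for the illustration.
SENSITIVE_APIS = {"SmsManager.sendTextMessage", "ContactsResolver.query"}

# Constructed sample component in a three-address form:
#   ("assign", dst, src)          dst = src
#   ("call", dst, api, [args])    dst = api(args); dst may be None
#   ("return_to_caller", var)     value handed back to the calling component
SAMPLE_COMPONENT = [
    ("call", "number", "Intent.getStringExtra", ["intent"]),       # from caller
    ("call", "body", "Intent.getStringExtra", ["intent"]),         # from caller
    ("call", None, "SmsManager.sendTextMessage", ["number", "body"]),
    ("call", "cursor", "ContactsResolver.query", ["uri"]),
    ("assign", "result", "cursor"),
    ("return_to_caller", "result"),
]


def propagate_taint(stmts, entry_var="intent"):
    """Forward taint pass; returns [(statement index, description)] for each leak path."""
    taint = {entry_var: {"caller"}}      # the incoming Intent is caller-controlled
    findings = []
    for i, stmt in enumerate(stmts):
        kind = stmt[0]
        if kind == "assign":
            _, dst, src = stmt
            taint[dst] = set(taint.get(src, set()))
        elif kind == "call":
            _, dst, api, args = stmt
            # Union of the labels on every argument of the call.
            incoming = set().union(*(taint.get(a, set()) for a in args))
            if api in SENSITIVE_APIS:
                if "caller" in incoming:
                    findings.append((i, "kind1: caller data reaches sensitive call %s" % api))
                if dst is not None:
                    taint[dst] = {"sensitive"}   # return value of a sensitive op
            elif dst is not None:
                taint[dst] = incoming            # ordinary call: labels flow through
        elif kind == "return_to_caller":
            _, var = stmt
            if "sensitive" in taint.get(var, set()):
                findings.append((i, "kind2: sensitive result %s returned to caller" % var))
    return findings


if __name__ == "__main__":
    for index, description in propagate_taint(SAMPLE_COMPONENT):
        print("statement %d: %s" % (index, description))
```

On the sample component the pass reports statement 2 (the SMS send is driven by values read out of the caller's Intent) and statement 5 (a contacts query result is handed back to the caller). Because a non-sensitive call simply forwards its arguments' labels to its result, the pass over-approximates, which is the source of the false positives listed under Limitations.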


Example

Example taken from [1]


Example

Example taken from [1]


Limitations

1. Static analysis technique, so a lot of false positives (FP).

2. Only detects capability leaks through Activities and Services; does not work for Content Providers.

3. Not practical for the user to run himself.

4. Did not handle one case in the Manifest File parsing module: the protection level of the permission by which an application is protected was not considered.


Question 2

Do you have any idea how to stop applications from leaking capability? Please justify and explain your idea if there is any.


Idea for Capability Leak Detection

• The existing mechanism does not restrict access to a publicly exported (explicitly or implicitly) component, even if the application hosting those components owns certain permissions.

• Here lies the opportunity for capability leak detection.


Example

App1's components can access the components of App2, which can access component 1 of App3. So App1 can now indirectly access component 1 of App3.

Note : Drawn using the idea from [1]


Proposal

• Suppose AppX uses permissions PX = {Px1, ..., Pxn} and it has unguarded components.

• AppY holds permissions PY = {Py1, ..., Pyn} and it wants to access components of AppX.

• The proposal: for this access to be allowed, it must be that PX ⊆ PY.
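The proposed rule applied to the three-app chain from the Example slide, as an added illustration (example code, not from the paper). Apps are modelled as constructed records of the permissions they hold and the components they leave unguarded; `exported_only` stands in for the existing mechanism and `subset_rule` for the proposal, and the reachability search follows ICC across apps so that the indirect App1 → App2 → App3 path can be compared under both rules.

```python
"""Added illustration of the proposed access rule PX ⊆ PY (not from the paper).

Under the existing mechanism an unguarded component is reachable by any
caller; under the proposal it is reachable only by a caller that already
holds every permission of the hosting app, so chaining through another app
can never grant more capability than the caller already has.
"""
from collections import namedtuple

App = namedtuple("App", "name permissions unguarded")

# Constructed sample mirroring the slide: App1 -> App2 -> App3 (component1).
SAMPLE_APPS = [
    App("App1", frozenset({"INTERNET"}), frozenset()),
    App("App2", frozenset({"INTERNET", "READ_CONTACTS"}), frozenset({"comp"})),
    App("App3", frozenset({"READ_CONTACTS"}), frozenset({"component1"})),
]


def exported_only(caller, callee, component):
    """Existing mechanism: any unguarded (exported) component is open to everyone."""
    return component in callee.unguarded


def subset_rule(caller, callee, component):
    """Proposal: an unguarded component is open only if PX (callee) ⊆ PY (caller)."""
    return component in callee.unguarded and callee.permissions <= caller.permissions


def reachable_components(apps, start, rule):
    """All (app, component) pairs transitively reachable from `start` under `rule`.

    A reached app is then explored with its own permissions, which models the
    caller acting through that app's code (the indirect access on the slide).
    """
    by_name = {a.name: a for a in apps}
    reached, visited, frontier = set(), set(), [start]
    while frontier:
        cur = by_name[frontier.pop()]
        if cur.name in visited:
            continue
        visited.add(cur.name)
        for target in apps:
            if target.name == cur.name:
                continue
            for comp in target.unguarded:
                if rule(cur, target, comp):
                    reached.add((target.name, comp))
                    frontier.append(target.name)
    return sorted(reached)


if __name__ == "__main__":
    print("existing :", reachable_components(SAMPLE_APPS, "App1", exported_only))
    print("proposal :", reachable_components(SAMPLE_APPS, "App1", subset_rule))
    print("App2 under proposal:", reachable_components(SAMPLE_APPS, "App2", subset_rule))
```

Under the existing mechanism App1, which holds only INTERNET, reaches App3's component1 and therefore READ_CONTACTS capability it was never granted. Under the proposal the App1 → App2 hop is refused because App2's permission set is not a subset of App1's, so nothing beyond App1 is reachable, while App2 (which does hold READ_CONTACTS) can still use App3. The price, as the Limitations slide hints, is that callers with a legitimately smaller permission set lose access to components that were meant to be public.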


References

[1] Chan, Patrick P. F., Lucas C. K. Hui, and S. M. Yiu. "DroidChecker: analyzing android applications for capability leak." Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (WiSec '12). ACM, 2012.


Questions and Comments

??
