Analyzing Inter-Application Communication in Android
description
Transcript of Analyzing Inter-Application Communication in Android
ANALYZING INTER-APPLICATION COMMUNICATION IN ANDROID
Erika ChinAdrienne Porter FeltKate GreenwoodDavid Wagner
University of California BerkeleyMobiSys 2011
Outline
Introduction Android Overview Intent-based Attack Surfaces ComDroid Evaluation Other mobile Platforms
Introduction
Introduction
Android’s message passing system can become an attack surface if used incorrectly Intent Intents can be used for both intra- and inter-
application communication ComDroid
A tool analyzes Android applications to detect potential instances of vulnerabilities
Personal data loss, corruption, phishing…
Android Overview
Android Overview
Android’s security model differs significantly from the standard desktop security model
The complexity of Android’s message passing system implies it has the largest attack surface
Android Overview
Threat Model
Isolation (mem, file..)
Isolation (mem, file..)
Android Overview
Activity Activity Activity
Service
BroadcastReceiver
Service
BroadcastReceiver
Service
BroadcastReceiver
Intent
Intent
Intent
System Intent
Malicious Intent
Fake System Intent
Android Overview
Activity
www.bank.com
attacker.com
?
Android Overview
This paper do not consider attacks on the OS
Just focus on securing applications from each other
Android Overview
Intents [link] System broadcast Intents
Only can be sent by the OS Explicit or implicit
12
Explicit Intents
Yelp MapApp
Name: MapActivity
To: MapActivity
Only the specified destination receives this message
13
Implicit Intents
Yelp
ClockApp
MapApp
Handles Action: VIEW
Handles Action: DISPLAYTIME
Implicit IntentAction: VIEW
14
Implicit Intents
Yelp
BrowserApp
MapApp
Handles Action: VIEW
Handles Action: VIEW
Implicit IntentAction: VIEW
Android Overview
Activities Services Broadcast Receivers Content Providers
Advanced Defense Laboratory 16
Android Overview
Activity Display on screen
2009/12/8
Advanced Defense Laboratory 17
Android Overview
Service Background process
2009/12/8
Advanced Defense Laboratory 18
Android Overview
Broadcast Receiver Asynchronous event notification
2009/12/8
Advanced Defense Laboratory 19
Android Overview
Content Provider Share data between applications Do not use Intents Use URI (Uniform Resource Identifier)
2009/12/8
Android Overview
Component Declaration AndroidManifest.xml
To receive Intents… Service and Activity must be declared in
the manifest Broadcast Receivers can be declared at
runtime or in the manifest
Android Overview
Exported Components EXPORTED flag (in AndroidManifest.xml) Includes at least one Intent filter
Intent filter Action, category, data, extra data…
Android Overview
A sender can assign any action, type, or category (certain actions that it only the system can send)
Android Overview
Permission Normal Dangerous Signature SignatureOrSystem
Intent-based Attack Surfaces
25
Common Developer Pattern:Unique Action Strings
ShowtimeSearch
Results UI
IMDb AppHandles Actions: willUpdateShowtimes,showtimesNoLocationError
Implicit IntentAction: willUpdateShowtimes
26
27
Common Developer Pattern:Unique Action Strings
ShowtimeSearch
Results UI
IMDb AppHandles Actions: willUpdateShowtimes,showtimesNoLocationError
Implicit IntentAction: willUpdateShowtimes
28
ATTACK #1: Eavesdropping
ShowtimeSearch
Malicious Receiver
IMDb AppHandles Action: willUpdateShowtimes,showtimesNoLocationError
Implicit IntentAction: willUpdateShowtimes
Eavesdropping App
Sending Implicit Intents makes communication public
29
ATTACK #2: Intent Spoofing
Malicious Component
Results UI
IMDb AppHandles Action: willUpdateShowtimes,showtimesNoLocationError
Action: showtimesNoLocationError
Malicious Injection App
Receiving Implicit Intents makes the component public
30Typical case Attack case
31
ATTACK #3: Man in the Middle
ShowtimeSearch
Results UI
IMDb AppHandles Action: willUpdateShowtimes,showtimesNoLocation Error
Malicious Receiver
Handles Action: willUpdateShowtimes,showtimesNoLocationError
Man-in-the-Middle App
Action: willUpdateShowtimes
Action: showtimesNoLocationError
ATTACK #4: System Intent Spoofing Background – System Broadcast
Event notifications sent by the system Some can only be sent by the system
Receivers become accessible to all applications when listening for system broadcast
32
33
System BroadcastComponent
App 1
Handles Action: BootCompleted
Component
App 2
Handles Action: BootCompleted
Component
App 3
Handles Action: BootCompleted
SystemNotifier
Action:BootCompleted
34
System Intent Spoofing: Failed Attack
Handles Action: BootCompleted
MaliciousComponent
Malicious App
Action: BootCompleted
Component
App 1
35
System Intent Spoofing: Successful Attack
Handles Action: BootCompleted
MaliciousComponent
Malicious App
Component
App 1
To: App1.Component
Real World Example: ICE App ICE App: Allows doctors access to
medical information on phones
Contains a component that listens for the BootCompleted system broadcast
On receipt of the Intent, it exits the application and locks the screen
36
Real World Example: ICE
37
ComDroid
ComDroid
Disassemble application DEX files using Dedexer tool
Parses the disassembled output and logs potential component and Intent vulnerabilities
ComDroid
ComDroid
Permission Normal and Dangerous
Intent Analysis Intents, IntentFilters, registers, sinks
(e.g., sendBroadcast(), startActivity(), etc.) and components
ComDroid
Intent Whether it has been made explicit Whether it has an action Whether it has any flags set Whether it has any extra data
Sinks Implicit or not?
ComDroid
Component Analysis Public or not? Main, launching Activity is public but is
less likely to be attackable registerReceiver() With data / without data System broadcast
Intent.getAction() Misuse
ComDroid
Limitation and discussion Do not distinguish between paths
through if and switch statements False negatives
Pending Intent Future work
Evaluation
Evaluation
Evaluation
Evaluation
Evaluation
Evaluation