DOI: 10.1145/2976749.2978342
research-article

Call Me Back!: Attacks on System Server and System Apps in Android through Synchronous Callback

Published: 24 October 2016

ABSTRACT

Android is the most commonly used mobile device operating system. The core of Android, the System Server (SS), is a multi-threaded process that provides most of the system services. Based on a new understanding of the security risks introduced by the callback mechanism in system services, we have discovered a general type of design flaw. A vulnerability detection tool has been designed and implemented based on static taint analysis. We applied the tool on all the 80 system services in the SS of Android 5.1.0. With its help, we have discovered six previously unknown vulnerabilities, which are further confirmed on Android 2.3.7-6.0.1. According to our analysis, about 97.3% of the entire 1.4 billion real-world Android devices are vulnerable. Our proof-of-concept attack proves that the vulnerabilities can enable a malicious app to freeze critical system functionalities or soft-reboot the system immediately. It is a neat type of denial-of-service attack. We also proved that the attacks can be conducted at mission-critical moments to achieve meaningful goals, such as anti anti-virus, anti process-killer, hindering app updates or system patching. After being informed, Google confirmed our findings promptly. Several suggestions on how to use callbacks safely are also proposed to Google.


Published in

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016
1924 pages
ISBN: 9781450341394
DOI: 10.1145/2976749

Copyright © 2016 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '16 Paper Acceptance Rate: 137 of 831 submissions, 16%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
