DOI: 10.1145/2991079.2991120
research-article

Understanding and defending the binder attack surface in Android

Published: 05 December 2016

ABSTRACT

In Android, communications between apps and system services are supported by a transaction-based Inter-Process Communication (IPC) mechanism. Binder, as the cornerstone of this IPC mechanism, separates two communicating parties as client and server. As with any client-server model, the server should not make any assumption about the validity (sanity) of client-side transactions. To our surprise, we find this principle has frequently been overlooked in the implementation of Android system services. In this paper, we try to answer why developers keep making this seemingly simple mistake by studying more than 100 vulnerabilities on this attack surface. We analyzed these vulnerabilities and found that most of them are rooted in a common confusion among system developers about where the actual security boundary is. We thus highlight the deficiency of testing only on client-side public APIs and argue for the necessity of testing and protection on the Binder interface, the actual security boundary. Specifically, we design and implement BinderCracker, an automatic testing framework that supports context-aware fuzzing and actively manages the dependency between transactions. It does not require the source code of the component under test, is compatible with services in different layers, and performs much more effectively than simple black-box fuzzing. We also call attention to the attack attribution problem for IPC-based attacks. The lack of OS-level support makes it very difficult to identify the culprit apps, even for developers with adb access. We address this issue by providing an informative runtime diagnostic tool that tracks the origin, schema, content, and parsing details of each failed transaction. This brings transparency into the IPC process and provides an essential step for other in-depth analysis or forensics.


Published in

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
December 2016
614 pages
ISBN: 9781450347716
DOI: 10.1145/2991079

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Overall acceptance rate: 104 of 497 submissions, 21%
