SCLib: A practical and lightweight defense against component hijacking in android applications

SCLib: A practical and lightweight defense against component hijacking in android applications

Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can...

Full description

Saved in:
Bibliographic Details
Main Authors: WU, Daoyuan, CHENG, Yao, GAO, Debin, LI, Yingjiu, DENG, Robert H.
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2018
Subjects:
Access control
Android (operating system)
Data privacy
Firmware
Network security
Open systems
Android applications
Android devices
Component libraries
Data Sharing
Functionality reuse
Fundamental mechanisms
Mandatory access control
Proof of concept
Mobile security
Information Security
Online Access:https://ink.library.smu.edu.sg/sis_research/4088
https://ink.library.smu.edu.sg/context/sis_research/article/5091/viewcontent/1801.04372.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-5091
record_format dspace
spelling sg-smu-ink.sis_research-50912020-04-06T09:53:28Z SCLib: A practical and lightweight defense against component hijacking in android applications WU, Daoyuan CHENG, Yao GAO, Debin LI, Yingjiu DENG, Robert H. Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3% stub code) and nearly no slowdown to normal intra-app communication. 2018-03-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4088 info:doi/10.1145/3176258.3176336 https://ink.library.smu.edu.sg/context/sis_research/article/5091/viewcontent/1801.04372.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Access control Android (operating system) Data privacy Firmware Network security Open systems Android applications Android devices Component libraries Data Sharing Functionality reuse Fundamental mechanisms Mandatory access control Proof of concept Mobile security Information Security
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Access control
Android (operating system)
Data privacy
Firmware
Network security
Open systems
Android applications
Android devices
Component libraries
Data Sharing
Functionality reuse
Fundamental mechanisms
Mandatory access control
Proof of concept
Mobile security
Information Security
spellingShingle Access control
Android (operating system)
Data privacy
Firmware
Network security
Open systems
Android applications
Android devices
Component libraries
Data Sharing
Functionality reuse
Fundamental mechanisms
Mandatory access control
Proof of concept
Mobile security
Information Security
WU, Daoyuan
CHENG, Yao
GAO, Debin
LI, Yingjiu
DENG, Robert H.
SCLib: A practical and lightweight defense against component hijacking in android applications
description Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3% stub code) and nearly no slowdown to normal intra-app communication.
format text
author WU, Daoyuan
CHENG, Yao
GAO, Debin
LI, Yingjiu
DENG, Robert H.
author_facet WU, Daoyuan
CHENG, Yao
GAO, Debin
LI, Yingjiu
DENG, Robert H.
author_sort WU, Daoyuan
title SCLib: A practical and lightweight defense against component hijacking in android applications
title_short SCLib: A practical and lightweight defense against component hijacking in android applications
title_full SCLib: A practical and lightweight defense against component hijacking in android applications
title_fullStr SCLib: A practical and lightweight defense against component hijacking in android applications
title_full_unstemmed SCLib: A practical and lightweight defense against component hijacking in android applications
title_sort sclib: a practical and lightweight defense against component hijacking in android applications
publisher Institutional Knowledge at Singapore Management University
publishDate 2018
url https://ink.library.smu.edu.sg/sis_research/4088
https://ink.library.smu.edu.sg/context/sis_research/article/5091/viewcontent/1801.04372.pdf
_version_ 1770574304056967168

Similar Items