Security analysis of permission re-delegation vulnerabilities in Android apps
The Android platform facilitates reuse of app func- tionalities by allowing an app to request an action from another app through inter-process communication mechanism. This fea- ture is one of the reasons for the popularity of Android, but it also poses security risks to end users because malicious,...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2020
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/5888 https://ink.library.smu.edu.sg/context/sis_research/article/6881/viewcontent/SecurityAnalysisOfPermissionRe.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-6881 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-68812021-03-29T00:54:57Z Security analysis of permission re-delegation vulnerabilities in Android apps DEMISSIE, Biniam Fisseha CECCATO, Mariano SHAR, Lwin Khin The Android platform facilitates reuse of app func- tionalities by allowing an app to request an action from another app through inter-process communication mechanism. This fea- ture is one of the reasons for the popularity of Android, but it also poses security risks to end users because malicious, unprivileged apps could exploit this feature to make privileged apps perform privileged actions on behalf of them. In our journal paper [4], we investigate the hybrid use of program analysis, genetic algorithm based test generation, natu- ral language processing, machine learning techniques for precise detection of permission re-delegation vulnerabilities in Android apps. Our approach first groups a large set of benign and non- vulnerable apps into different clusters, based on their similarities in terms of functional descriptions. It then generates permission re-delegation model for each cluster, which characterizes common permission re-delegation behaviors of the apps in the cluster. Given an app under test, our approach checks whether it has permission re-delegation behaviors that deviate from the model of the cluster it belongs to. If that is the case, it generates test cases to detect the vulnerabilities. We evaluated the vulnerability detection capability of our approach based on 1,258 official apps and 20 mutated apps. Our approach achieved 81.8% recall and 100% precision. We also compared our approach with two static analysis-based approaches — Covert and IccTA — based on 595 open source apps. Our approach detected 30 vulnerable apps whereas Covert detected one of them and IccTA did not detect any. Executable proof-of-concept attacks generated by our approach were reported to the corresponding app developers. 2020-11-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/5888 https://ink.library.smu.edu.sg/context/sis_research/article/6881/viewcontent/SecurityAnalysisOfPermissionRe.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Program analysis Test case generation Permission re-delegation Android apps Genetic algorithm Natural language processing Outlier detection Computer Sciences |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Program analysis Test case generation Permission re-delegation Android apps Genetic algorithm Natural language processing Outlier detection Computer Sciences |
| spellingShingle |
Program analysis Test case generation Permission re-delegation Android apps Genetic algorithm Natural language processing Outlier detection Computer Sciences DEMISSIE, Biniam Fisseha CECCATO, Mariano SHAR, Lwin Khin Security analysis of permission re-delegation vulnerabilities in Android apps |
| description |
The Android platform facilitates reuse of app func- tionalities by allowing an app to request an action from another app through inter-process communication mechanism. This fea- ture is one of the reasons for the popularity of Android, but it also poses security risks to end users because malicious, unprivileged apps could exploit this feature to make privileged apps perform privileged actions on behalf of them.
In our journal paper [4], we investigate the hybrid use of program analysis, genetic algorithm based test generation, natu- ral language processing, machine learning techniques for precise detection of permission re-delegation vulnerabilities in Android apps. Our approach first groups a large set of benign and non- vulnerable apps into different clusters, based on their similarities in terms of functional descriptions. It then generates permission re-delegation model for each cluster, which characterizes common permission re-delegation behaviors of the apps in the cluster. Given an app under test, our approach checks whether it has permission re-delegation behaviors that deviate from the model of the cluster it belongs to. If that is the case, it generates test cases to detect the vulnerabilities. We evaluated the vulnerability detection capability of our approach based on 1,258 official apps and 20 mutated apps. Our approach achieved 81.8% recall and 100% precision. We also compared our approach with two static analysis-based approaches — Covert and IccTA — based on 595 open source apps. Our approach detected 30 vulnerable apps whereas Covert detected one of them and IccTA did not detect any. Executable proof-of-concept attacks generated by our approach were reported to the corresponding app developers. |
| format |
text |
| author |
DEMISSIE, Biniam Fisseha CECCATO, Mariano SHAR, Lwin Khin |
| author_facet |
DEMISSIE, Biniam Fisseha CECCATO, Mariano SHAR, Lwin Khin |
| author_sort |
DEMISSIE, Biniam Fisseha |
| title |
Security analysis of permission re-delegation vulnerabilities in Android apps |
| title_short |
Security analysis of permission re-delegation vulnerabilities in Android apps |
| title_full |
Security analysis of permission re-delegation vulnerabilities in Android apps |
| title_fullStr |
Security analysis of permission re-delegation vulnerabilities in Android apps |
| title_full_unstemmed |
Security analysis of permission re-delegation vulnerabilities in Android apps |
| title_sort |
security analysis of permission re-delegation vulnerabilities in android apps |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2020 |
| url |
https://ink.library.smu.edu.sg/sis_research/5888 https://ink.library.smu.edu.sg/context/sis_research/article/6881/viewcontent/SecurityAnalysisOfPermissionRe.pdf |
| _version_ |
1770575639962714112 |