
A Framework For Automatically Detecting And Verifying Intent Based Vulnerability In Android System

Posted on: 2018-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: J J Tang
Full Text: PDF
GTID: 2348330512984589
Subject: Computer Science and Technology
Abstract/Summary:
With Android smartphones and tablets being widespread, a huge number of Android apps are developed for users' consumption. However, developers usually do not pay enough attention to application security. Funding and experience vary from company to company, and many serious security problems have occurred in recent years.

The four basic components in the Android system are Activity, Service, Broadcast Receiver and Content Provider. These reusable components constitute an Android app. An Intent is a messaging object which can be used to start a component and achieve inter-process communication. In order to facilitate code reuse, a component can be declared public, which means that all apps can send an intent to invoke it. Conversely, a component can be declared private, in which case only the app itself can start it and other apps have no permission to invoke it. However, a newly discovered vulnerability named the next-intent vulnerability (NIV) can bypass this restriction and can be used to start another app's private component. There is no automated work to detect the vulnerability on a large scale, so we are not aware of how severe and prevalent this class of vulnerabilities is in real-world Android apps.

To answer this question, in this paper we analyze the cause of the vulnerability and summarize the exploitation process. We then design and implement a framework to automatically detect and verify the vulnerability using static and dynamic analysis technology. The framework adopts a modular design and is flexible enough to cover other vulnerabilities. It is composed of two modules: the NIV discovery module and the NIV exploitation module. In order to find NIVs efficiently and effectively on a large scale, we design an intent flow analysis strategy which accurately tracks the intent in smali code. The NIV discovery module mainly conducts static intent flow analysis, which is designed to track the target intent instance and check whether it meets all the features of NIV. Meanwhile, it generates relevant information to guide the vulnerability exploitation. The NIV exploitation module installs the vulnerable app on the Android emulator and releases test cases to exploit the NIV and simulate the possible login process. With the log information collected from the Android emulator during the exploitation, we are able to see whether the vulnerability is successfully exploited.

Finally, we use the framework to analyze 20000 apps from Google Play and find that 190 of them have NIV, some of which even have millions of downloads. We also confirmed that an open-source project and a third-party SDK, which are still used by other apps, have next-intent vulnerabilities.
Keywords/Search Tags:Android system, Intent, Vulnerability, Framework, Static analysis, Dynamic analysis