ANALYZING INTER-APPLICATION COMMUNICATION IN ANDROID

Erika ChinAdrienne Porter FeltKate GreenwoodDavid Wagner

University of California BerkeleyMobiSys 2011

Outline

Introduction Android Overview Intent-based Attack Surfaces ComDroid Evaluation Other mobile Platforms

Introduction

Introduction

Android’s message passing system can become an attack surface if used incorrectly Intent Intents can be used for both intra- and inter-

application communication ComDroid

A tool analyzes Android applications to detect potential instances of vulnerabilities

Personal data loss, corruption, phishing…

Android Overview

Android Overview

Android’s security model differs significantly from the standard desktop security model

The complexity of Android’s message passing system implies it has the largest attack surface

Android Overview

Threat Model

Isolation (mem, file..)

Isolation (mem, file..)

Android Overview

Activity Activity Activity

Service

BroadcastReceiver

Service

BroadcastReceiver

Service

BroadcastReceiver

Intent

Intent

Intent

System Intent

Malicious Intent

Fake System Intent

Android Overview

Activity

www.bank.com

attacker.com

?

Android Overview

This paper do not consider attacks on the OS

Just focus on securing applications from each other

Android Overview

Intents [link] System broadcast Intents

Only can be sent by the OS Explicit or implicit

12

Explicit Intents

Yelp MapApp

Name: MapActivity

To: MapActivity

Only the specified destination receives this message

13

Implicit Intents

Yelp

ClockApp

MapApp

Handles Action: VIEW

Handles Action: DISPLAYTIME

Implicit IntentAction: VIEW

14

Implicit Intents

Yelp

BrowserApp

MapApp

Handles Action: VIEW

Handles Action: VIEW

Implicit IntentAction: VIEW

Android Overview

Activities Services Broadcast Receivers Content Providers

Advanced Defense Laboratory 16

Android Overview

Activity Display on screen

2009/12/8

Advanced Defense Laboratory 17

Android Overview

Service Background process

2009/12/8

Advanced Defense Laboratory 18

Android Overview

Broadcast Receiver Asynchronous event notification

2009/12/8

Advanced Defense Laboratory 19

Android Overview

Content Provider Share data between applications Do not use Intents Use URI (Uniform Resource Identifier)

2009/12/8

Android Overview

Component Declaration AndroidManifest.xml

To receive Intents… Service and Activity must be declared in

the manifest Broadcast Receivers can be declared at

runtime or in the manifest

Android Overview

Exported Components EXPORTED flag (in AndroidManifest.xml) Includes at least one Intent filter

Intent filter Action, category, data, extra data…

Android Overview

A sender can assign any action, type, or category (certain actions that it only the system can send)

Android Overview

Permission Normal Dangerous Signature SignatureOrSystem

Intent-based Attack Surfaces

25

Common Developer Pattern:Unique Action Strings

ShowtimeSearch

Results UI

IMDb AppHandles Actions: willUpdateShowtimes,showtimesNoLocationError

Implicit IntentAction: willUpdateShowtimes

26

27

Common Developer Pattern:Unique Action Strings

ShowtimeSearch

Results UI

IMDb AppHandles Actions: willUpdateShowtimes,showtimesNoLocationError

Implicit IntentAction: willUpdateShowtimes

28

ATTACK #1: Eavesdropping

ShowtimeSearch

Malicious Receiver

IMDb AppHandles Action: willUpdateShowtimes,showtimesNoLocationError

Implicit IntentAction: willUpdateShowtimes

Eavesdropping App

Sending Implicit Intents makes communication public

29

ATTACK #2: Intent Spoofing

Malicious Component

Results UI

IMDb AppHandles Action: willUpdateShowtimes,showtimesNoLocationError

Action: showtimesNoLocationError

Malicious Injection App

Receiving Implicit Intents makes the component public

30Typical case Attack case

31

ATTACK #3: Man in the Middle

ShowtimeSearch

Results UI

IMDb AppHandles Action: willUpdateShowtimes,showtimesNoLocation Error

Malicious Receiver

Handles Action: willUpdateShowtimes,showtimesNoLocationError

Man-in-the-Middle App

Action: willUpdateShowtimes

Action: showtimesNoLocationError

ATTACK #4: System Intent Spoofing Background – System Broadcast

Event notifications sent by the system Some can only be sent by the system

Receivers become accessible to all applications when listening for system broadcast

32

33

System BroadcastComponent

App 1

Handles Action: BootCompleted

Component

App 2

Handles Action: BootCompleted

Component

App 3

Handles Action: BootCompleted

SystemNotifier

Action:BootCompleted

34

System Intent Spoofing: Failed Attack

Handles Action: BootCompleted

MaliciousComponent

Malicious App

Action: BootCompleted

Component

App 1

35

System Intent Spoofing: Successful Attack

Handles Action: BootCompleted

MaliciousComponent

Malicious App

Component

App 1

To: App1.Component

Real World Example: ICE App ICE App: Allows doctors access to

medical information on phones

Contains a component that listens for the BootCompleted system broadcast

On receipt of the Intent, it exits the application and locks the screen

36

Real World Example: ICE

37

ComDroid

ComDroid

Disassemble application DEX files using Dedexer tool

Parses the disassembled output and logs potential component and Intent vulnerabilities

ComDroid

ComDroid

Permission Normal and Dangerous

Intent Analysis Intents, IntentFilters, registers, sinks

(e.g., sendBroadcast(), startActivity(), etc.) and components

ComDroid

Intent Whether it has been made explicit Whether it has an action Whether it has any flags set Whether it has any extra data

Sinks Implicit or not?

ComDroid

Component Analysis Public or not? Main, launching Activity is public but is

less likely to be attackable registerReceiver() With data / without data System broadcast

Intent.getAction() Misuse

ComDroid

Limitation and discussion Do not distinguish between paths

through if and switch statements False negatives

Pending Intent Future work

Evaluation

Evaluation

Evaluation

Evaluation

Evaluation

Evaluation