research-article

Characterizing and identifying misexposed activities in Android applications

Authors:

Jian ZhangAuthors Info & Claims

ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

Pages 691 - 701

https://doi.org/10.1145/3238147.3238164

Published: 03 September 2018 Publication History

Abstract

Exported Activity (EA), a kind of activities in Android apps that can be launched by external components, is one of the most important inter-component communication (ICC) mechanisms to realize the interaction and cooperation among multiple apps. Existing works have pointed out that, once exposed, an activity will be vulnerable to malicious ICC attacks, such as permission leakage attack. Unfortunately, it is observed that a considerable number of activities in commercial apps are exposed inadvertently, while few works have studied the necessity and reasonability of such exposure. This work takes the first step to systematically study the exposing behavior of EAs through analyzing 13,873 Android apps. It utilizes the EA associated call relationships extracted from byte-code via data-flow analysis, as well as the launch conditions obtained from the manifest files, to guide the study on the usage and misexposure of EAs. The empirical findings are that the EA mechanism is widely adopted in development and the activities are liable to be misexposed due to the developers' misunderstanding or carelessness. Further study on subsets of apps selected according to different criteria indicates that the misexposed EAs have specific characteristics, which are manually summarized into six typical misuse patterns. As a consequence, ten heuristics are designed to decide whether an activity should be exposed or not and are implemented into an automatic tool called Mist. Experiments on the collected apps show that around one fifth EAs are unnecessarily exposed and there are more than one third EAs whose exposure may not be suggested.

References

[1]

Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David A. Wagner. Analyzing inter-application communication in Android. In Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services (MobiSys 2011), pages 239–252, 2011.

Digital Library

[2]

Roee Hay, Omer Tripp, and Marco Pistoia. Dynamic detection of inter-application communication vulnerabilities in Android. In Proceedings of the 2015 International Symposium on Software Testing and Analysis, pages 118–128, 2015.

Digital Library

[3]

Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David A. Wagner. Android permissions demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS, pages 627–638, 2011.

Digital Library

[4]

Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick Mc-Daniel. IccTA: Detecting inter-component privacy leaks in Android apps. In Proceedings of the 37th IEEE/ACM International Conference on Software Engineering, pages 280–291, 2015.

Digital Library

[5]

Michael C. Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. Systematic detection of capability leaks in stock Android smartphones. In 19th Annual Network and Distributed System Security Symposium, NDSS, 2012.

[6]

Hamid Bagheri, Alireza Sadeghi, Joshua Garcia, and Sam Malek. COVERT: compositional analysis of Android inter-app permission leakage. IEEE Transactions on Software Engineering, 41(9):866–886, 2015.

Digital Library

[7]

Joshua Garcia, Mahmoud Hammad, Negar Ghorbani, and Sam Malek. Automatic generation of inter-component communication exploits for Android applications. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, ESEC/FSE, pages 661–671, 2017.

Digital Library

[8]

Jun Ma, Shaocong Liu, Yanyan Jiang, Xianping Tao, Chang Xu, and Jian Lu. Lesdroid - a tool for detecting exported service leaks of Android applications. The preprint is available at website http://moon.nju.edu.cn/people/junma/static/ files/LesDroid(pre-print).pdf, 2018.

[9]

Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1329–1341, 2014.

Digital Library

[10]

activity | Android Developers. https://developer.android.com/guide/topics/ manifest/activity-element.html, 2017.

[11]

Intents and Intent Filters | Android Developers. https://developer.android.com/ guide/components/intents-filters.html, 2017.

[12]

intent filter | Android Developers. https://developer.android.com/guide/topics/ manifest/intent-filter-element.html, 2017.

[13]

Online APK Downloader | Download APK Directly From Google Play To Your Computer. http://apkleecher.com/, 2017.

[14]

Open SDK. https://open.weixin.qq.com/cgi-bin/showdocument?action=dir_list& t=resource/res_list&verify=1&id=1417751808&token=&lang=en_US, 2017.

[15]

Soot. http://www.bodden.de/2008/09/22/soot-intra, 2017.

[16]

Reaching definition | Wikipedia. https://en.wikipedia.org/wiki/Reaching_ definition, 2017.

[17]

Use-define chain - Wikipedia. https://en.wikipedia.org/wiki/Use-define_chain, 2017.

[18]

Markus M. Breunig, Hans-Peter Kriegel, Raymond T. Ng, and Jörg Sander. LOF: identifying density-based local outliers. In Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data, pages 93–104, 2000.

Digital Library

[19]

William F Clocksin and Christopher S Mellish. Programming in PROLOG. Springer Science & Business Media, 2003.

Digital Library

[20]

Dennis Merritt. Building expert systems in Prolog. Springer Science & Business Media, 2012.

[21]

covert. http://www.ics.uci.edu/~seal/projects/covert/index.html.

[22]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the 2014 ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 29:1–29:11, 2014.

Digital Library

[23]

Michael I. Gordon, Deokhwan Kim, Jeff H. Perkins, Limei Gilham, Nguyen Nguyen, and Martin C. Rinard. Information flow analysis of Android applications in droidsafe. In 22nd Annual Network and Distributed System Security Symposium, 2015.

[24]

Wei Huang, Yao Dong, Ana Milanova, and Julian Dolby. Scalable and precise taint analysis for Android. In Proceedings of the 2015 International Symposium on Software Testing and Analysis, pages 106–117, 2015.

Digital Library

[25]

Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, and Eric Bodden. Mining apps for abnormal usage of sensitive data. In Proceedings of the 37th IEEE/ACM International Conference on Software Engineering, pages 426–436, 2015.

Digital Library

[26]

Songyang Wu, Pan Wang, Xun Li, and Yong Zhang. Effective detection of Android malware based on the usage of data flow APIs and machine learning. Information & Software Technology, 75:17–25, 2016.

Digital Library

[27]

Wei Yang, Xusheng Xiao, Benjamin Andow, Sihan Li, Tao Xie, and William Enck. Appcontext: Differentiating malicious and benign mobile app behaviors using context. In 37th IEEE/ACM International Conference on Software Engineering, pages 303–313, 2015.

Digital Library

[28]

Waqar Ahmad, Christian Kästner, Joshua Sunshine, and Jonathan Aldrich. Interapp communication in Android: developer challenges. In Proceedings of the 13th International Conference on Mining Software Repositories, MSR 2016, pages 177–188, 2016.

Digital Library

[29]

Damien Octeau, Patrick D. McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. Effective inter-component communication mapping in Android: An essential step towards holistic security analysis. In Proceedings of the 22th USENIX Security Symposium, pages 543–558, 2013.

Digital Library

[30]

Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, and Patrick McDaniel. Composite Constant Propagation: Application to Android Inter-Component Communication Analysis. In Proceedings of the 37th International Conference on Software Engineering, pages 77–88, 2015.

Digital Library

[31]

Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. Apkcombiner: Combining multiple Android apps to support inter-app analysis. In Proceedings of 30th International Conference on ICT Systems Security and Privacy Protection, pages 513–527, 2015.

[32]

Epicc. http://siis.cse.psu.edu/epicc/.

[33]

Li Lyna Zhang, Chieh-Jan Mike Liang, Yunxin Liu, and Enhong Chen. Systematically testing background services of mobile apps. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE, pages 4–15, 2017.

Digital Library

Cited By

Abolhassani NHalfond W(2023)A Component-Sensitive Static Analysis Based Approach for Modeling Intents in Android Apps2023 IEEE International Conference on Software Maintenance and Evolution (ICSME)10.1109/ICSME58846.2023.00021(97-109)Online publication date: 1-Oct-2023
https://doi.org/10.1109/ICSME58846.2023.00021
Deng XYan JZhang SYan JZhang J(2023)Variable-strength combinatorial testing of exported activities based on misexposure predictionJournal of Systems and Software10.1016/j.jss.2023.111773204(111773)Online publication date: Oct-2023
https://doi.org/10.1016/j.jss.2023.111773
Autili MMalavolta IPerucci AScoccia GVerdecchia R(2021)Software engineering techniques for statically analyzing mobile apps: research trends, characteristics, and potential for industrial adoptionJournal of Internet Services and Applications10.1186/s13174-021-00134-x12:1Online publication date: 23-Jul-2021
https://doi.org/10.1186/s13174-021-00134-x
Show More Cited By

Index Terms

Characterizing and identifying misexposed activities in Android applications
1. General and reference
  1. Cross-computing tools and techniques
    1. Empirical studies
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Characterizing Smartphone Usage Patterns from Millions of Android Users
IMC '15: Proceedings of the 2015 Internet Measurement Conference

he prevalence of smart devices has promoted the popular- ity of mobile applications (a.k.a. apps) in recent years. A number of interesting and important questions remain unan- swered, such as why a user likes/dislikes an app, how an app becomes popular ...
Characterizing Android-specific crash bugs
MOBILESoft '19: Proceedings of the 6th International Conference on Mobile Software Engineering and Systems

Android platform provides a unique framework for app development. Failure to comply with the framework may result in serious bugs. Android platform is also evolving rapidly and developers extensively use APIs provided by the framework, which may lead to ...
Release practices for iOS and Android apps
WAMA 2019: Proceedings of the 3rd ACM SIGSOFT International Workshop on App Market Analytics

We conduct a preliminary study on the practices of releasing apps for the two major mobile platforms: iOS and Android. We select the most popular applications on the official stores, and we retrieve all the releases of such apps to understand how often ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering

September 2018

955 pages

ISBN:9781450359375

DOI:10.1145/3238147

General Chair:
Marianne Huchard
University of Montpellier, France
,
Program Chairs:
Christian Kästner
Carnegie Mellon University, USA
,
Gordon Fraser
University of Passau, Germany

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAI: ACM Special Interest Group on Artificial Intelligence
CNRS: Centre National De La Rechercue Scientifique
SIGSOFT: ACM Special Interest Group on Software Engineering
IEEE-CS: Computer Society

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 September 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ASE '18

Sponsor:

SIGAI
CNRS
SIGSOFT
IEEE-CS

ASE '18: 33rd ACM/IEEE International Conference on Automated Software Engineering

September 3 - 7, 2018

Montpellier, France

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
303
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)1

Reflects downloads up to 22 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Abolhassani NHalfond W(2023)A Component-Sensitive Static Analysis Based Approach for Modeling Intents in Android Apps2023 IEEE International Conference on Software Maintenance and Evolution (ICSME)10.1109/ICSME58846.2023.00021(97-109)Online publication date: 1-Oct-2023
https://doi.org/10.1109/ICSME58846.2023.00021
Deng XYan JZhang SYan JZhang J(2023)Variable-strength combinatorial testing of exported activities based on misexposure predictionJournal of Systems and Software10.1016/j.jss.2023.111773204(111773)Online publication date: Oct-2023
https://doi.org/10.1016/j.jss.2023.111773
Autili MMalavolta IPerucci AScoccia GVerdecchia R(2021)Software engineering techniques for statically analyzing mobile apps: research trends, characteristics, and potential for industrial adoptionJournal of Internet Services and Applications10.1186/s13174-021-00134-x12:1Online publication date: 23-Jul-2021
https://doi.org/10.1186/s13174-021-00134-x
Yan JLiu HPan LYan JZhang JLiang BRothermel GBae D(2020)Multiple-entry testing of Android applications by constructing activity launching contextsProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380347(457-468)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3377811.3380347
Pan LCui BLiu HYan JWang SYan JZhang JDevanbu PCohen MZimmermann T(2020)Static asynchronous component misuse detection for Android applicationsProceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3368089.3409699(952-963)Online publication date: 8-Nov-2020
https://dl.acm.org/doi/10.1145/3368089.3409699
Zhou MZeng FZhang YLv CChen ZChen G(2019)Automatic Generation of Capability Leaks' Exploits for Android Applications2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)10.1109/ICSTW.2019.00068(291-295)Online publication date: Apr-2019
https://doi.org/10.1109/ICSTW.2019.00068
Zhou MZeng FChen Z(2019)Capability Leakage Detection between Android Applications Based on Dynamic Feedback2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS)10.1109/ICPADS47876.2019.00141(943-948)Online publication date: Dec-2019
https://doi.org/10.1109/ICPADS47876.2019.00141

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents