research-article

All your app links are belong to us: understanding the threats of instant apps based attacks

Authors:

Zhou XuAuthors Info & Claims

ESEC/FSE 2020: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Pages 914 - 926

https://doi.org/10.1145/3368089.3409702

Published: 08 November 2020 Publication History

Get Access

Abstract

Android deep link is a URL that takes users to a specific page of a mobile app, enabling seamless user experience from a webpage to an app. Android app link, a new type of deep link introduced in Android 6.0, is claimed to offer more benefits, such as supporting instant apps and providing more secure verification to protect against hijacking attacks that previous deep links can not. However, we find that the app link is not as secure as claimed, because the verification process can be bypassed by exploiting instant apps.

In this paper, we explore the weakness of the existing app link mechanism and propose three feasible hijacking attacks. Our findings show that even popular apps are subject to these attacks, such as Twitter, Whatsapp, Facebook Message. Our observation is confirmed by Google. To measure the severity of these vulnerabilities, we develop an automatic tool to detect vulnerable apps, and perform a large-scale empirical study on 400,000 Android apps.

Experiment results suggest that app link hijacking vulnerabilities are prevalent in the ecosystem. Specifically, 27.1% apps are vulnerable to link hijacking with smart text selection (STS); 30.0% apps are vulnerable to link hijacking without STS, and all instant apps are vulnerable to instant app attack. We provide an in-depth understanding of the mechanisms behind these types of attacks. Furthermore, we propose the corresponding detection and defense methods that can successfully prevent the proposed hijackings for all the evaluated apps, thus raising the bar against the attacks on Android app links. Our insights and findings demonstrate the urgency to identify and prevent app link hijacking attacks.

Supplementary Material

Auxiliary Teaser Video (fse20main-p249-p-teaser.mp4)

The attached video is the full video of the paper All Your App Links Are Belong to Us: Understanding the Threats of Instant Apps Based Attacks.

Download
64.01 MB

Auxiliary Presentation Video (fse20main-p249-p-video.mp4)

The attached video is the full video of the paper All Your App Links Are Belong to Us: Understanding the Threats of Instant Apps Based Attacks.

Download
613.63 MB

References

[1]

Simone Aonzo, Alessio Merlo, Giulio Tavella, and Yanick Fratantonio. 2018. Phishing Attacks on Modern Android. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS). 1788-1801.

Abstract

Supplementary Material

References

Cited By

Index Terms

Recommendations

Inter-app communication between Android apps developed in app-inventor and Android studio

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective

Same app, different app stores: a comparative study

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations