Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/3507657.3528555acmconferencesArticle/Chapter ViewAbstractPublication PageswisecConference Proceedingsconference-collections
short-paper

PITracker: Detecting Android PendingIntent Vulnerabilities through Intent Flow Analysis

Published: 16 May 2022 Publication History

Abstract

Intent is an essential inter-component communication mechanism of Android OS, which can be used to request an action from another app component. The security of its design and implementation attracts lots of attention. However, the security of PendingIntent, a kind of delayed-triggered Intent, was neglected by most previous research, and the related analysis techniques are still imperfect. In this paper, we design a novel automated tool, PITracker, to detect the PendingIntent vulnerabilities in Android apps. It achieves the Intent flow tracking technique proposed by us, figuring out how an Intent is created and where it goes. In the real-world evaluations, PITracker discovered 2,939 potential threats in 10,000 third-party apps and 214 in 1,412 pre-installed apps. Among them, 11 exploitable vulnerabilities have been confirmed and acknowledged by the corresponding vendors.

References

[1]
2021. AAPT2. Retrieved February 2, 2022 from https://developer.android.com/st udio/command-line/aapt2?hl=en
[2]
2021. AccessibilityService. Retrieved February 2, 2022 from https://developer.an droid.com/reference/android/accessibilityservice/AccessibilityService
[3]
2021. baksmali. Retrieved February 2, 2022 from https://github.com/JesusFreke/ smali
[4]
2021. CVE-2014-8609. Retrieved February 2, 2022 from https://packetstormsecur ity.com/files/129281/Android-Settings-Pendingintent-Leak.html
[5]
2021. CVEs of PendingIntent. Retrieved February 2, 2022 from https://developer. android.com/guide/components/intents-filters
[6]
2021. http://soot-oss.github.io/soot/. Retrieved February 2, 2022 from http://soot-oss.github.io/soot/
[7]
2021. Intent.java. Retrieved February 2, 2022 from https://cs.android.com/andro id/platform/superproject/+/master:frameworks/base/core/java/android/content/Intent.java
[8]
2021. NotificationListenerService. Retrieved February 2, 2022 from https://develo per.android.com/reference/android/service/notification/NotificationListenerService
[9]
2021. PendingIntent. Retrieved February 2, 2022 from https://developer.android. com/reference/android/app/PendingIntent
[10]
2021. PendingIntent Remediation. Retrieved February 2, 2022 from https://develo per.android.com/guide/components/intents-filters
[11]
Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David A. Wagner. 2011. Analyzing Inter-application Communication in Android. In Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services (MobiSys), Bethesda, MD, USA, June 28 - July 01, 2011.
[12]
Sascha Groß, Abhishek Tiwari, and Christian Hammer. 2018. PIAnalyzer: A Precise Approach for PendingIntent Vulnerability Analysis. In Proceedings of the 23rd European Symposium on Research in Computer Security (ESORICS), Barcelona, Spain, September 3-7, 2018.
[13]
En He, Wenbo Chen, and Daoyuan Wu. 2021. Re-route Your Intent for Privilege Escalation. BlackHat 2021 (2021).
[14]
Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick D. McDaniel. 2015. IccTA: Detecting Inter-Component Privacy Leaks in Android Apps. In Proccedings of the 37th IEEE/ACM International Conference on Software Engineering (ICSE), Florence, Italy, May 16-24, 2015.
[15]
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA, October 16-18, 2012.
[16]
Jordan Samhi, Alexandre Bartel, Tegawendé F. Bissyandé, and Jacques Klein. 2021. RAICC: Revealing Atypical Inter-Component Communication in Android Apps. In Proceedings of the 43rd IEEE/ACM International Conference on Software Engineering (ICSE), Madrid, Spain, May 22--30, 2021.
[17]
Daoyuan Wu, Debin Gao, Robert H. Deng, and Rocky K. C. Chang. 2021. When Program Analysis Meets Bytecode Search: Targeted and Efficient Inter-procedural Analysis of Modern Android Apps in BackDroid. In Proceedings of the 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Taipei, Taiwan, June 21-24, 2021.
[18]
Kun Yang, Jianwei Zhuge, Yongke Wang, Lujue Zhou, and Hai-Xin Duan. 2014. IntentFuzzer: Detecting Capability Leaks of Android Applications. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (AsiaCCS), Kyoto, Japan, June 3-6, 2014.

Cited By

View all
  • (2024)Highly Precise and Efficient Analysis of PendingIntent Vulnerabilities for Android AppsSecurity and Communication Networks10.1155/2024/86637012024:1Online publication date: 10-Oct-2024
  • (2023)AppChainer: investigating the chainability among payloads in android applicationsCybersecurity10.1186/s42400-023-00151-26:1Online publication date: 2-Aug-2023
  • (2023)Can We Trust the Phone Vendors? Comprehensive Security Measurements on the Android Firmware EcosystemIEEE Transactions on Software Engineering10.1109/TSE.2023.327565549:7(3901-3921)Online publication date: 1-Jul-2023

Index Terms

  1. PITracker: Detecting Android PendingIntent Vulnerabilities through Intent Flow Analysis

    Recommendations

    Comments

    Please enable JavaScript to view thecomments powered by Disqus.

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    WiSec '22: Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    May 2022
    314 pages
    ISBN:9781450392167
    DOI:10.1145/3507657
    • General Chair:
    • Murtuza Jadliwala,
    • Program Chairs:
    • Yongdae Kim,
    • Alexandra Dmitrienko
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 16 May 2022

    Permissions

    Request permissions for this article.

    Check for updates

    Badges

    Author Tags

    1. android
    2. pendingintent
    3. vulnerability detection

    Qualifiers

    • Short-paper

    Conference

    WiSec '22

    Acceptance Rates

    Overall Acceptance Rate 98 of 338 submissions, 29%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)40
    • Downloads (Last 6 weeks)4
    Reflects downloads up to 20 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)Highly Precise and Efficient Analysis of PendingIntent Vulnerabilities for Android AppsSecurity and Communication Networks10.1155/2024/86637012024:1Online publication date: 10-Oct-2024
    • (2023)AppChainer: investigating the chainability among payloads in android applicationsCybersecurity10.1186/s42400-023-00151-26:1Online publication date: 2-Aug-2023
    • (2023)Can We Trust the Phone Vendors? Comprehensive Security Measurements on the Android Firmware EcosystemIEEE Transactions on Software Engineering10.1109/TSE.2023.327565549:7(3901-3921)Online publication date: 1-Jul-2023
    • (2022)MULBER: Effective Android Malware Clustering Using Evolutionary Feature Selection and Mahalanobis Distance MetricSymmetry10.3390/sym1410222114:10(2221)Online publication date: 21-Oct-2022

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media