TY - GEN
T1 - Privacy Leakage through Exploitation of Vulnerable Inter-App Communication on Android
AU - Maqsood, Hafiz Muhammad Arslan
AU - Qureshi, Kashif Naseer
AU - Bashir, Faisal
AU - Islam, Najam Ul
N1 - Publisher Copyright: © 2019 IEEE.
PY - 2019/12
Y1 - 2019/12
N2 - Android applications can access only the resources for which they have explicitly been granted permission by the user. These permissions may be granted at install-time or runtime and ensure that the privacy of users' data is always preserved. Inter-app communication on Android, however, is vulnerable to privacy leakage because there is no mechanism which would preclude an app from receiving data from another app for which it does not have the requisite permissions. This vulnerability may be unintentional due to developer negligence, or it may intentionally be placed in apps to launch a collusion attack. In this paper, we present the Inter Application Data Flow (IADF) analyzer: an Android app analyzer which can be used to detect the existence of this vulnerability. IADF works by reverse engineering, extracting and correlating apps' intents, activities and manifest features. To prove its effectiveness, we analyze 28 Android apps through IADF. The first app we used for analysis is called Sieve, which has been published for testing purposes and is known to have many vulnerabilities. The remaining 27 apps used in our analysis are legitimate, in-the-wild apps published on the Google Play store. Among these apps, we discovered the existence of the privacy leakage through inter-app communication vulnerability in a social media app. Discovery of this vulnerability in a very small set of legitimate apps points to the possibility of its existence in other apps on the Google Play store.
AB - Android applications can access only the resources for which they have explicitly been granted permission by the user. These permissions may be granted at install-time or runtime and ensure that the privacy of users' data is always preserved. Inter-app communication on Android, however, is vulnerable to privacy leakage because there is no mechanism which would preclude an app from receiving data from another app for which it does not have the requisite permissions. This vulnerability may be unintentional due to developer negligence, or it may intentionally be placed in apps to launch a collusion attack. In this paper, we present the Inter Application Data Flow (IADF) analyzer: an Android app analyzer which can be used to detect the existence of this vulnerability. IADF works by reverse engineering, extracting and correlating apps' intents, activities and manifest features. To prove its effectiveness, we analyze 28 Android apps through IADF. The first app we used for analysis is called Sieve, which has been published for testing purposes and is known to have many vulnerabilities. The remaining 27 apps used in our analysis are legitimate, in-the-wild apps published on the Google Play store. Among these apps, we discovered the existence of the privacy leakage through inter-app communication vulnerability in a social media app. Discovery of this vulnerability in a very small set of legitimate apps points to the possibility of its existence in other apps on the Google Play store.
KW - Activities
KW - Android
KW - Collusion
KW - Intents
KW - Inter-app Communication
KW - Manifest
UR - http://www.scopus.com/inward/record.url?scp=85083100985&partnerID=8YFLogxK
U2 - 10.1109/ICOSST48232.2019.9043935
DO - 10.1109/ICOSST48232.2019.9043935
M3 - Conference contribution
AN - SCOPUS:85083100985
T3 - 2019 13th International Conference on Open Source Systems and Technologies, ICOSST 2019 - Proceedings
SP - 31
EP - 36
BT - 2019 13th International Conference on Open Source Systems and Technologies, ICOSST 2019 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 13th International Conference on Open Source Systems and Technologies, ICOSST 2019
Y2 - 17 December 2019 through 19 December 2019
ER -