Privacy Leakage through Exploitation of Vulnerable Inter-App Communication on Android

Hafiz Muhammad Arslan Maqsood, Kashif Naseer Qureshi, Faisal Bashir, Najam Ul Islam

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; peer-review

Abstract

Android applications can access only the resources for which they have explicitly been granted permission by the user. These permissions may be granted at install-time or runtime and ensure that the privacy of users' data is always preserved. Inter-app communication on Android, however, is vulnerable to privacy leakage because there is no mechanism which would preclude an app from receiving data from another app, for which it does not have the requisite permissions. This vulnerability may be unintentional due to developer negligence, or it may intentionally be placed in apps to launch a collusion attack. In this paper, we present Inter Application Data Flow (IADF) analyzer: an Android app analyzer which can be used to detect the existence of this vulnerability. IADF works by reverse engineering, extracting and correlating apps' intents, activities and manifest features. To prove its effectiveness, we analyze 28 Android apps through IADF. The first app we used for analysis is called Sieve, which has been published for testing purposes and is known to have many vulnerabilities. The remaining 27 apps used in our analysis are legitimate, in-the-wild apps, published on the Google Play store. Among these apps, we discovered the existence of privacy leakage through the inter-app communication vulnerability in a social media app. Discovery of this vulnerability in a very small set of legitimate apps points to the possibility of its existence in other apps on the Google Play store.

Original language: English
Title of host publication: 2019 13th International Conference on Open Source Systems and Technologies, ICOSST 2019 - Proceedings
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 31-36
Number of pages: 6
ISBN (Electronic): 9781728146133
Publication status: Published - Dec 2019
Externally published: Yes
Event: 13th International Conference on Open Source Systems and Technologies, ICOSST 2019 - Lahore, Pakistan
Duration: 17 Dec 2019 - 19 Dec 2019

Publication series

Name: 2019 13th International Conference on Open Source Systems and Technologies, ICOSST 2019 - Proceedings

Conference

Conference: 13th International Conference on Open Source Systems and Technologies, ICOSST 2019
Country/Territory: Pakistan
City: Lahore
Period: 17/12/19 - 19/12/19

Keywords

  • Activities
  • Android
  • Collusion
  • Intents
  • Inter-app Communication
  • Manifest
