You are on page 1of 12

The Misuse of Android Unix Domain Sockets and Security

Implications

Yuru Shao† , Jason Ott∗ , Yunhan Jack Jia† , Zhiyun Qian∗ , Z. Morley Mao†

University of Michigan, ∗ University of California, Riverside
{yurushao, jackjia, zmao}@umich.edu, jott002@ucr.edu, zhiyunq@cs.ucr.edu

ABSTRACT eral vulnerabilities (e.g., CVE-2011-1823, CVE-2011-3918,
In this work, we conduct the first systematic study in un- and CVE-2015-6841) have already been reported. Vendor
derstanding the security properties of the usage of Unix do- customizations make things worse, as they expose additional
main sockets by both Android apps and system daemons Linux IPC channels: CVE-2013-4777 and CVE-2013-5933.
as an IPC (Inter-process Communication) mechanism, espe- Nevertheless, unlike Android IPCs, the use of Linux IPCs
cially for cross-layer communications between the Java and on Android has not yet been systematically studied.
native layers. We propose a tool called SInspector to ex- In addition to the Android system, apps also have access
pose potential security vulnerabilities in using Unix domain to the Linux IPCs implemented within Android. Among
sockets through the process of identifying socket addresses, them, Unix domain sockets are the only one apps can easily
detecting authentication checks, and performing data flow make use of: signals are not capable of carrying data and
analysis. Our in-depth analysis revealed some serious vul- not suitable for bidirectional communications; Netlink sock-
nerabilities in popular apps and system daemons, such as ets are geared for communications across the kernel space
root privilege escalation and arbitrary file access. Based and the user space. The Android software development kit
on our findings, we propose countermeasures and improved (SDK) provides developers Java APIs for using Unix do-
practices for utilizing Unix domain sockets on Android. main sockets. Meanwhile, Android’s native development
kit (NDK) also provides native APIs for accessing low-level
Linux features, including Unix domain sockets. Unix do-
1. INTRODUCTION main sockets are also known as local sockets, a term which
Inter-process communication (IPC) is one of the most fun- we use interchangeably. They are completely different from
damental features provided by modern operating systems. the “local socket” in ScreenMilker [25], which refers to a TCP
IPC makes it possible for different processes to cooperate, socket used for local IPC instead of network communication.
enriching the functionalities an operating system can offer to Many developers use Unix domain sockets in their apps,
end users. In the context of Android, one of the most popu- despite the fact that Google’s best practices encourage them
lar mobile operating systems to date, to support communica- to use Android IPCs [4]. The reason being Android IPCs are
tions between different apps and interactions between differ- not suited to support communications between an app’s Java
ent components of the same app, it provides a set of easy-to- and native processes/threads. While there are APIs avail-
use, Android-specific IPC mechanisms, primarily including able in SDK, no such API exists in the native layer [7]. As
Intents, Binder, and Messenger [4, 11]. However, Android a result, developers must resort to using Unix domain sock-
IPCs are meanwhile significant attack vectors that can be ets to realize cross-layer IPC. Furthermore, some developers
leveraged to carry out attacks such as confused deputy and port existing Linux programs and libraries, which already
man-in-the-middle [23, 15, 17, 19]. utilize Unix domain sockets, to the Android platform.
While Android relies upon a tailored Linux environment, Android IPCs are well documented on the official devel-
it still inherits a subset of traditional/native Linux IPCs oper website, replete with training materials and examples.
(which are distinct from Android IPCs), such as signals, This helps educate developers on best practices and secure
Netlink sockets, and Unix domain sockets. In fact, they implementations. However, there is little documentation
are heavily utilized by the native layer of the Android run- about Unix domain sockets, leaving developers to use them
time. Exposed Linux IPC channels, if not properly pro- as they see fit — this may result in vulnerable implemen-
tected, could be abused by adversaries to exploit vulnerabil- tations. Moreover, using Unix domain sockets securely re-
ities within privileged system daemons and the kernel. Sev- quires expertise in both Linux’s and Android’s security mod-
els, which developers may not have.
Permission to make digital or hard copies of all or part of this work for personal or
Motivated by the above facts, we undertake the first sys-
classroom use is granted without fee provided that copies are not made or distributed tematic study focusing on the use of Unix domain sockets
for profit or commercial advantage and that copies bear this notice and the full cita- on Android. We present SInspector, a tool for automatically
tion on the first page. Copyrights for components of this work owned by others than vetting apps and system daemons with the goal of discover-
ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-
publish, to post on servers or to redistribute to lists, requires prior specific permission ing potential misuse of Unix domain sockets. Given a set of
and/or a fee. Request permissions from permissions@acm.org. apps, SInspector first identifies ones that use Unix domain
CCS’16, October 24-28, 2016, Vienna, Austria sockets based on API signatures and permissions. SInspec-

c 2016 ACM. ISBN 978-1-4503-4139-4/16/10. . . $15.00 tor then filters out apps that use Unix domain sockets se-
DOI: http://dx.doi.org/10.1145/2976749.2978297

ABSTRACT.” [4] daemons for manual examination. the socket file. apps are isolated and run in their own process. discretionary access control (DAC) system. and common mistakes same guarantees as well as the Android IPCs. Socket files are located under a particular directory. have privilege to create the file with the given pathname. The • We conduct an in-depth analysis on vulnerable apps Android framework introduces a new namespace called RE- and daemons that fail to properly protect Unix domain SERVED. unless de- The Android platform consists of multiple layers. to gain root privilege by exploiting a popular root manage. An address in this namespace is asso- ciated with a file on the filesystem. They are unable to achieve the existing apps and system daemons. a socket file is automatically cre- domain sockets on Android. toggle the SIM card. similar to TCP). In apps using a particular Unix domain socket namespace are addition. IPCs (Binder. including the categoriza. All reliable stream of bytes (SOCK_STREAM. We over. A Unix domain socket is a data communications endpoint We find that only 26. SIn. and performing data flow analysis on native code. and (2) servers listen on addresses in Unix domain mons implemented by Qualcomm. application connecting to your IPC and set security policy SInspector reports potentially vulnerable apps and system for each IPC mechanism. Unix domain sockets undermine the goals of An- domain socket usage. we do not consider network sockets. In native code. FILESYSTEM. rity practices will be protected by safe defaults. kernel. We uncover a number datagrams (SOCK_SEQPACKET). (1) rather than using an underlying network protocol. ABSTRACT sockets are less secure as DAC does not ap- municate with peer apps through secure. In particular. Android-specific ply.com/site/ unixdomainsocketstudy. same host operating system. are the preferred IPC authentication check detection. according to our analysis. In summary. and suggest countermeasures and bet. Moreover. Android APIs for using Unix do- measures in regard to OS-level changes and secure Unix do. When the server binds • Using SInspector. ABSTRACT NO YES N/A come challenges in identifying socket addresses. made by developers. Intents. as well as 9 system daemons. For example. The Android framework provides APIs for using Unix do- main sockets from both Java code and native code. have municate with the server must have read/write privileges for vulnerabilities.1 Android Security Model APIs use ABSTRACT as the default namespace.” [3] Android so does SEAndroid.google. No file permissions can be applied 2. similar to UDP).2 Unix Domain Sockets is not their common usage. on our project website https://sites. SELinux supports fine-grained access flexible security controls. some of which are very serious. It supports transmission of a vent attacks exploiting Unix domain socket channels. From this study. communication over a . FILESYSTEM YES YES YES pose through Unix domain socket channels. All Unix Android’s design goals is to provide a secure platform so that domain socket addresses are publicly accessible from file “[S]ecurity-savvy developers can easily work with and rely on /proc/net/unix/. as local IPC 2.curely and thus are not vulnerable. otherwise binding fails. main sockets expose unprotected socket channels by default. mechanisms as they “allow you to verify the identity of the spector collects runtime information to assist static analysis. These vulnerabilities al. any security measures employed by droid’s security philosophy. without any user awareness. Developers less familiar with secu. In this work.644 apps and 60 system daemons.8% apps and 15% system daemons in for exchanging data between processes executing within the our dataset enforce proper security checks in order to pre. main socket IPC for both app and system developers. These Android IPC mecha- niques to achieve this. These 2. /dev/socket/. One of velopers explicitly specify a preferred namespace. reserved for system use. or unordered and unreliable of serious vulnerabilities in apps. we perform the first study of Unix to an address (pathname). They com. Socket file permissions are enforced through Linux’s tion of usage. and common flaws and security implications. Unix domain sockets differ from Internet sockets in that ment tool. existing security measures being en. socket namespaces. such as socket address analysis and nisms. Table 1: Unix domain socket namespaces. as documented by Google. The server must forced. the server can prevent unauthorized connections. BACKGROUND to sockets under this namespace. we suggest counter. This namespace is completely indepen- dent of the filesystem. as well as grant/deny any other app’s root ac. Compared to FILESYSTEM sockets. it supports ordered and reliable transmission of vulnerable to at least DoS attacks. Other processes who want to com- ing that 45 apps. Attack demos can be found dress namespaces. By setting permissions of the socket file prop- erly. which is in essence a sub-namespace of FILESYS- socket channels. are used in apps and system daemons. For system daemons. we make the following contributions: Has socket Security enforcement • We develop SInspector for analyzing apps and system Namespace file SELinux File permission daemons to discover potential vulnerabilities they ex. there are two Unix domain socket ad- modify system date and time. instead of IP addresses with port num- low us to factory reset the device. We develop several tech. However. we discover communication occurs entirely within the operating system vulnerabilities with customizations on LG phones and dae. we are able transmission of datagrams (SOCK_DGRAM. ter practices for utilizing Unix domain sockets. an AB- We provide the necessary background to understand the STRACT socket address is distinguished from a FILESYS- security vulnerabilities in how Android Unix domain sockets TEM socket by setting sun_path[0] to a null byte ‘\0’. We also categorize Unix However. detect- ing authentication checks. as shown in Table 1. all cess. find. they are more reliable. TEM. etc). and bers. ated. control for both FILESYSTEM and ABSTRACT sockets. Traditionally. We analyze 14.

1 Our Approach the attacker can easily repackage malicious payloads into Due to different characteristics of apps and system dae- popular apps and redistribute them. In general. which is so commonly used [2] that 3. neither are apps that do not invoke related tween entry and end points to reason whether an app is vul. If not. The attacker may also mons. Unix domain socket channels are protected. DESIGN AND IMPLEMENTATION triggered. unlike some private or hidden tain functionality. Table 2: Types of attacks malware can carry out by exploiting Unix domain sockets. They are not vulnerable be- tication or similarly a client connects to a server without cause proper socket file permissions are able to prevent unau- properly authenticating the server. Unix domain sockets just require a common. It mons that are not vulnerable. Dalvik byte . is able to impersonate either a client or a server to talk to the reciprocal host. However. to evaluate which apps/system daemons are Unix domain sockets are designed for local communica. vulnerable apps. not vulnerable. Since using Unix domain sockets requires the IN- security checks. but there is no mapping between Android APIs which can only be called via Java reflection. spector. APIs called through Java reflection nerable. and (3) Linux system calls if the app has native tions (end points) can be invoked without encountering any code. APIs or system calls. it unknown to us which end points are potentially is somehow deleted. it checks (1) gram starting from the point of accepting a Unix domain Android permissions the app declares. vulnerable. which means the client and server processes must system daemons that are definitely not vulnerable (denoted be on the same host OS. Moreover. It detects and categorizes authenti- client it communicates with. We have Spv = S −Snv . After that. relatively small set of apps that are potentially vulnerable. Therefore. (2) Java APIs the socket connection. related to data leakage. It ends up with a The goal of SInspector is to examine the use of Unix do. Role Prerequisite(s) Attacks 1) Start running ahead of the real server Malicous Server Data Leakage/Injection. Next. Then. Those adopting strong dress can only be bound to by one thread/process. SInspector first employs API-based to impact client functionality. 2. In this section. This allows a nefarious thorized accesses to a filesystem-based Unix domain socket user to retrieve sensitive information or access otherwise re- channel. because (1) all socket APIs are cutables. it is not practical for us to define TERNET permission. realistic since calling Unix domain socket APIs only requires the INTERNET permission. First of all. thus the app is not vulnerable. we classify a Unix domain ets. Second. It is imprecise to iden. and discards apps whose ad- through its socket channel without performing any authen- dresses are under protection.1. that code is not reachable and will never be 3.3 Threat Model and Assumptions Therefore. permission and therefore apps have little intention to hide in our threat model. and then identify whether critical func. of vulnerabilities. and identify those Manual efforts are finally required to confirm the existence that are most likely vulnerable for validation. main socket in apps and system daemons. More importantly. we choose to conservatively filter out apps and tions only. are currently not considered. API-based Filter. Fig- build a standalone exploit app which evades anti-malware ure 1 shows the modules and overall analysis steps of SIn- products due to its perceived low privilege. are not in our analysis scope. apps may contain native libraries/exe. that uses Unix domain socket will be executed or not at runtime. an incomplete list of end points would result in significant false negatives. where S represents main socket channels is installed on the user device. Apps us- checks are considered to be not vulnerable. app calls. an ABSTRACT ad- cation mechanisms apps implement. they are inaccessible for by Snv ) — the others are considered to be potentially vul- remote network-based attackers. apps without this permission are surely a comprehensive list of end points and use dependencies be. in which they make system calls to implement cer. DoS 2) Client has no/weak authentication of server Malicous Client Server has no/weak authentication of client Privilege Escalation. we adopt different techniques to analyze them. and (2) permissions and Linux system calls. as the vulnerable app/system daemon to be exploited. DoS FILESYSTEM socket could be interrupted if the socket file However. ing ABSTRACT namespace are vulnerable to DoS because Reachability Analyzer checks whether the vulnerable code their addresses could be occupied by the malware. This is the whole set of apps/system daemons. we describe our design and implementation of SInspector. This module filters out apps that An ideal solution is to analyze all program paths in a pro. Each step rules out a subset of apps/system dae- We summarize attacks malware can launch in Table 2. For each app. the malware runs on the same device the relevant logic. thus Address Analyzer. Address Analyzer finds out Unix domain socket socket as vulnerable if the server accepts valid commands address(es) each app uses. the apps left are further examined by Au- stricted resources through the Unix domain socket server/- thentication Detector. non-dangerous tify app behaviors based on system calls they make. Data Leakage/Injection.1 App Analysis obtain sensitive data from clients or feed clients fake data Given a set of apps. available in Android SDK. This module identifies socket ad- any data leaked from the target app/system daemon can dresses each app uses and determines if their corresponding possibly be a building block for more sophisticated attacks. A rogue Unix domain socket server could 3. A mock Unix domain socket Filter to filter out those not using Unix domain sockets client could access server data or leverage the server as a or having insufficient permission to use Unix domain sock- confused deputy [24]. Our threat model assumes nerable (denoted by Spv ) — instead of directly identifying a malicious app that attempts to exploit exposed Unix do.

Reachability apps. First. In our threat model. Though code similarity comparison techniques ity implemented with Unix domain sockets. and therefore the Several obstacles make pure static analysis of system dae- app using it is considered not vulnerable. when using FILESYS. apps call Android SDK find out system daemons using Unix domain socket with API LocalSocket.. especially for the FILESYSTEM Authentication Detector. there formats and there is no universal tool to unpack factory im- is no other operation altering the socket file’s permissions ages. code and native code are analyzed by Address Analyzer’s peer’s credentials. considered to be strong. However. the entry points. Further analysis is unnecessary cause of the fact that apps using the same library typically for apps employing strong checks.name/. As we have mentioned in §2. i. While in native code. /data/data/app. all system files. server logic present in the same app. If uates whether the socket channel on an address is secure or Unix domain socket code cannot be reached from either of not. They start automatically.2 System Daemon Analysis lowing conditions has proper permissions.e. Based on UID. they are usually heavyweight.1. we believe the code will not be reached at TEM addresses. serve as Unix domain socket sists of two submodules for processing non-native and native servers waiting for client connections. containing three fields: PID.. Analyzer collects all possible entry points of an app. Therefore. However. GID Being aware of Unix domain socket address(es) an app and PID. All file operations that possibly change the socket evaluating the security of a Unix domain socket channel be- file’s permissions need to be examined. they are absolutely re. as package names and tually uses Unix domain sockets at runtime. and provide no user code separately. GID. domain socket channels are usually enforced with specific has the privilege to change its permissions to whatever it SEAndroid policies made by Google or vendors. Second. UID. App-layer Analyzer and Native-layer An. By default socket files created under this direc. the system call getsockopt is alyzer. comes more complicated. Unix domain socket servers are able to re. To filter out such apps. different from apps.getPeerCredentails() to get a socket Socket Usage Collector. them according to the particular credential they depend on. be. respectively. 3. Reachability Analyzer. SInspector collects runtime information to in the user space. The OS allows both the namespace. In this case. and two submodules. that the app just imports a library that offers functional- Guard [9]. because it is determined by both SEAndroid and client and the server to get their peers’ identity informa. Usually it is much detects checks built upon the credentials. but that part of are also capable of recognizing libraries used across different code is never executed. It also con. have the same Unix socket address (or address structure). Address Analyzer also eval. Second. Second. used to obtain the same information. Authentication Detector can leverage addresses to determine if both client logic and keeps track of the propagation of peer credentials in code. peer credentials) once a Unix domain socket con. wants. The app. strict client accesses by setting proper file permissions for socket files they listen on. It is possible class names could be easily obfuscated by tools like Pro. it is located mons infeasible. given a factory image that contains in the app’s private data directory. Peer credentials are only available for Unix interface. then test all socket channels dae- . A socket file satisfying the fol. which it builds an inter-component control flow graph. and categorizes easier to craft server exploits by replaying client behaviors. it is difficult to extract all required data pkg. on PID are relatively weak. different apps may use common Peer authentication checks derived from UID and GID are libraries that utilize Unix domain sockets to implement cer. socket file permissions. system daemons’ Unix to publicly accessible. as UID and GID are assigned by the tain functionality. authentications based better group apps according to the libraries they use. Authentication Address Analyzer Detector DEX code App-layer App-layer Reachability API-based Analyzer Detector Analyzer Apps App App Potentially Filter Native vulnerable code Native-layer apps Analyzer Native-layer Potentially Detector vulnerable System System System Socket Usage Connection daemons Manual Daemons Daemon Daemon Collector Tester Analysis Figure 1: Overview of our approach to identifying potentially vulnerable apps and system daemons. First. servers and clients can implement various types of connects to and/or listens on has two benefits. The presence of Unix domain This is more reliable than identifying libraries merely based socket APIs in code does not necessarily mean the app ac- on package names and class names. runtime. from it due to the fact that vendors develop their own file tory can only be accessed by the app itself.e. we peer authentication mechanisms. and vice versa. instead of employing API-based Filter and Ad- fore cannot be spoofed or altered by any non-root process dress Analyzer. liable because they are guaranteed by the kernel and there. sues. It is reasonable to assume that their server log- domain sockets. In Java code. ics are always running instead of being started on demand. tion (i. system daemons are suitable for dynamic anal- nection is established. This module detects and categorizes ysis without worrying about potential code coverage is- authentication checks built on peer credentials. thus the app is considered not vulnerable. as the socket file’s owner. We can take advantage of addresses to OS and cannot be spoofed. First. from Besides identifying addresses.

In some cases.format("com. binaries can use the SVC instruction to do binaries. longer. between system call numbers and system call names from tication Detector is reused for detecting and categorizing arch/arm/include/asm/unistd. It is impossible for us to ex. and looks for the INTERNET per. by specifying a system call number in regis. to categorize authentication checks. we could integrate proto. SInspector only As mentioned in §3. ample is shown in Figure 2. constant strings are mation collected. the third-party app with only INTERNET permission locate the method in which Unix domain socket server/- can never run ahead of a system daemon. manual reverse engineering efforts are required Long. In our threat model. Unix domain each Unix domain socket. age name. whose constructors accept an address string as the SEQAPCKET).accept() (for server) 3.mons expose with Connection Tester. and identify all indirect system calls by inspecting R7’s Socket Usage Collector. Reverse engineering } efforts largely depend on the complexity of implementation. which is started by client is initialized. and IDA Pro. The app-layer of Address Analyzer and Authentication mons. Message formats (or called protocols) apps and sys. and leverage (UID.2 Implementation and LocalSocket. logic and the client logic are analyzed separately.xml. Connection Tester attempts to connect to used. tions directly operate on values in memory. 3. procedural control flow graph (CFG) generated by IDA Pro. We perform intra-procedural data flow analysis on the or more DEX files. acting like a client running as a third. and run taint analysis to track propagation paths. or PID data flow analysis on native code. and create a customized entry point the init process even before the Android runtime is initial.g. Native binaries are in ELF format. then invoke Amandroid to build ICFG. we track its construction of party app with INTERNET permission. getInputStream() or LocalSocket. the process that socket address is represented by the LocalSocketAddress listens on the address.currentTimeMillis() & 65535)). including address. first parameter. If Amandroid [31] and IDA Pro. GID or PID) are retrieved. inter-procedural data flow graph getPeerCredentials().. including apps’ ELF li. following the classical static analysis approach [28]. The app-layer Authentication Detector finds paths on ICFG from LocalServerSocket.h found in Android kernel checks inside system daemons. We along the paths. CFG. If a socket channel procedure by querying dependencies on DDG. 18. and there is control dependency be- take advantage of Amandroid to build inter-procedural con. Each basic block consists of a series of ARM assembly code Manifest. while others are weak. 3. STREM. The native layer Authen. … tem daemons use could be quite ad-hoc. Various tools } are helpful for statically and dynamically reversing apps. ploit vulnerable client logics implemented inside system dae. protocol type (DGRAM. considering that the considered strong. 26] into SInspector in the future.valueOf(System. In order to reduce human efforts. protected void b(…) { … The effort needed for validating vulnerable code is supposed String addr = getAddr(). or class. values before each SVC 0 instruction. the Xposed framework [12]. to see which ones are ter R7 and then executing SVC 0. tween either getInputStream()/getOutputStream() and trol flow graph (ICFG). In other cases where an address is built from pack- them one by one. decodes it. This allows us to are well protected. Unfortunately there does not exist any not resolve indirect call targets that are stored in registers. to it.14. We first however.. We extract the mapping accessible for an unprivileged app. braries/executables and system daemons. In Java code.currentT imeM illis()%65535].socket”+ A system daemon is not vulnerable if all its socket channels System. Socket Usage Collector gathers runtime information of DDG from the entry point. col reversing techniques proposed in prior work [16. Figure 2: A dynamically constructed socket address case. checks relying on UID and GID are supports 32-bit ARM binaries for now. API-based Filter extracts Android. We look at construction sites of Local- Connection Tester. One prerequisite of attacking client is being able to Detector are implemented on top of Amandroid. majority of Android devices are equipped with 32-bit ARM The native-layer Address Analyzer leverages intra- architecture processors. to be minimal. disassembled by IDA Pro’s state-of-the-art disassembling en- mission.3 Manual Analysis For apps and system daemons that are most likely to be public static String getAddr() { return String.getOutputStream(). robust tools that can perform data flow analysis on ARM More specifically. flow analysis to extract the address as [“com. Analyzing Apps.socket%x". IDA Pro is able to Computing data flow at the assembly level is complicated. we look at which fields native part for performing app-layer analysis. in which we need to apply data connection will be denied because of insufficient privilege. This means val- .qihoo.serverSock = new LocalServerSocket(addr).1. to investigate the existence of vulnerabilities. random integer. and no instruc- system calls. IDFG and ized. The server start running before the real server. Such an ex- is enforced by either file permissions or SEAndroid policies. We also define methods in IDA Pro’s disassembler and control flow analysis to build Context and PackageManager that take UID. e. Both of them offer great we find that LocalSocket.1.getPeerCredentials() is called extensibility and are friendly to plugin development. as sinks. authentication happens. GID.connect() (for client) to LocalSocket. in which all invoked APIs are visible. vulnerable. and corresponding system daemon. According to socket channel infor. In order (IDFG). JEB [8]. However. App code written in Java is compiled into one gine.qihoo. We implement SInspector based on two cutting-edge tools. SocketAddress objects. although writing workable exploits may take this. etc. ARM is a load-store architecture. identify direct system calls represented as constant relative since we have to take into consideration both registers and addresses embedded in the instructions. it does the function stack. and data dependence graph (DDG) from apps’ non. group apps that share the same socket address or have the same address construction procedure.

version 45 are indeed vulnerable. The latest GMS library has completely discarded data flows across different functions. and GID will locate at addresses A.689) use ABSTRACT addresses. App data are from intra-procedural data flow analysis. authentication or weak authentications. Except Amazon Whisperlink and OpenVPN. functions that access values at A. most of system daemons use RE- GID. a mirror of Google Play that allows confirmed 9 of them are truly vulnerable.2. A+4. which tor finally reported 67 apps that are most likely to be vulner- makes it difficult for us to obtain APK files. Root access of the Android device is required. We present a case free downloading. Therefore. and (2) native executables/li- ets. and Different from apps. we are not able to automatically craft exploits Usage column will be described later in §4.734 (25. Besides apps using common libraries listed in Table 5. 2 byte off the start of sockadd_un. which provides a much more powerful netstat ap- plet.644 apps. majority of them (3. We observe to finally validate vulnerabilities. while the option value will be populated by peer credentials.. Among 14. When getsockopt is called. Unix domain sockets. suppose option value’s address is A.1.1. customized Android. SInspector may have false that 3. UID. the third one (option name) Collector. package name. API-based Filter and daemon data come from Socket Usage rameters in total. We build Connection ABSTRACT 3. The most compute-intensive Android 5. We choose to install tem daemon could use more than one namespaces. The native- library is potentially vulnerable to DoS and data injection layer intra-procedural data flow analysis is likely to miss attacks. es. SInspector reported 12 potentially name) from Google Play and download corresponding APK vulnerable system daemons. 4. The first byte of sun_path 4. “Singleton” and “Global lock” in the be vulnerable. We also use three phones to evaluate SInspector: (1) LG All experiments are done on a machine with 3.406 apps use an outdated Google Mobile Services positives. Socket Usage Collector Table 3: Numbers of apps/system daemons that use Unix calls a command line tool netstat to get interested socket domain sockets.1 Overview indicates address namespace. # Daemons # Apps wise netstat will not be able to find out the process that LG G3 Galaxy S4 Nexus 4 listens on a particular socket address. They could introduce libraries use the ABSTRACT namespace.734 20 27 13 3. Compared to Nexus 4 running non- PID. All of module of app analysis is Reachability Analyzer. 3. SInspec- can only be downloaded through the Google Play app. Table 4 summarizes gories. study of most critical vulnerabilities in §5. Analyzing System Daemons. ARM processors or cannot be rooted. a only a few use FILESYSTEM and RESERVED addresses. Most them. structure consisting of three 4-byte integers: PID.689 5 8 2 Tester into a third-party app that requests only INTERNET FILESYSTEM 36 4 5 2 permission.ues must be loaded into registers in order to operate upon them are updated to the latest firmware and rooted.1. Among them.0. and the option name is an integer equal to 17 (macro SO_PEERCRED).5%) have Unix and the fourth one (option value pointer) are crucial. we inspect option system daemons and heavier usage of ABSTRACT ad- name and record option value’s address on the stack A. able. which implies that Google may have We may also have false negatives: (1) we cannot han- been aware of potential problems of using Unix domain sock- dle dynamically loaded code.3 Limitations One limitation of SInspector is that we have to rely on 4. Note that the default netstat shipped with pace may be greater than the total number. because of our conservative strategies for filtering (GMS) library alone and exclude them. LG G3 and Galaxy S4 have more respectively. or A+8 are inevitably expose more attack vectors. Native-layer Authentication Detector is reused RESERVED 20 13 17 11 for analyzing system daemons.1. considered as checks. After reachability analysis. making them all uncaught control and data flows. including (approximately) top 340 from all 44 cate. SERVED addresses. only handle 32-bit ARM binaries. We examine for our experiments because SInspector’s dynamic analysis the second argument of system calls bind() and connect(). getsockopt has five pa. dresses. To tackle this. Table 3 shows the overall statistics on Unix domain socket The native-layer Authentication Detector also performs usage among apps and system daemons. to-date Google Play apps crawled by ourselves in mid-April SInspector found 73 potentially vulnerable apps having no 2016.g. other. Total 3. Google has imposed restrictions to ensure that apps analysis effectiveness.4. The outdated GMS out insusceptible apps and system daemons. requires root access and the static data flow analysis can which is an address pointing to the sockadd_un structure. A+4. This fact clearly shows that vendor customizations ter that. Even though we can We summarize identified libraries utilizing Unix domain find out apps and system daemons that are highly likely to sockets in Table 5.26GHz × 8 G3 running Android 4. as one app/sys- Android has very limited capability. When domain socket related APIs or system calls in code. Unix domain socket string is copied to the sun_path field. In other words.1 Libraries human efforts to generate exploits.4. we need to carefully handle all commonly of recently released Android phones either equip with 64-bit used instructions that operate on registers and memory. busybox. vulnerable to DoS.2 Tool Effectiveness and Performance We evaluate SInspector with a total number of 14. and A+8.644 up. We manually looked at all 67 apps and confirmed that we crawl meta data of apps (e. UID. They are not suitable pecially load and store (pseudo) instructions. After manual examination.1. RESULTS 4. and (3) LG Nexus 4 running 5. Depending . The sum of numbers in each address names- information. (2) Samsung Galaxy S4 running Core i7 and 16GB of memory. we files from ApkPure [5]. all other braries might be packed or encrypted. Af.

io.2 Realizing Singleton An ABSTRACT socket address can only be bound on by Potentially True False Precision one Unix domain socket server instance.internal. we extract code patterns for categorizing Unix domain socket usage and summarize Baidu Push. DI. How- connection is established. as Figure 3 shows. Code excerpted but it turns out the usage in the wild is not limited to IPC. Library # Apps (reachable) Usage Namespace Auth Susceptible attack(s) Baidu Push 9 (9) Singleton ABS N/A DoS Tencent XG 11 (11) Singleton ABS N/A DoS Umeng Message 17 (17) Singleton ABS N/A DoS Facebook SocketLock 13 (13) Global lock ABS N/A DoS Yandex Metrica 95 (95) Global lock ABS N/A DoS Facebook Stetho 97 (97) Debugging interface ABS Permission DoS Sony Liveware 8 (5) Data transfer ABS None DoS. DI.telephony"). For system daemon analysis.2 Unix Domain Socket Usage Figure 3: com. STRACT addresses are used exclusively. Once an address Vulnerable Positive Positive has been taken. a feature that Android’s media recording APIs This use case also takes advantage of the feature that AB- do not support.2. The average time for analyz.2. Tencent XG. media output is mization service. This ensures that only one optimization task . we do find a very unique use of Unix domain tiple apps and realize that with a Unix domain socket. state-level blocking of Google services. DI. DI. e. 4. 108 new LocalServerSocket("com. That would be sockets is performing IPC. They choose to share one push service instance across mul- However. Apps are free to implement their less power-efficient if they each run their own push service. ever. DL Samsung SDK 12 (10) Data transfer ABS None DoS. or certain data stream to a file descriptor. Galaxy S4 5 4 1 80% the PhoneFactory class in AOSP “use UNIX domain socket Nexus 4 1 1 0 100% to prevent subsequent initialization” of the Phone instance. the client passes its output file de.PhoneFactory Unix domain sockets provide a means to perform IPC.0.1 Inter-Process Communication is likely that multiple apps integrated the same push ser- Not surprisingly. DI and DL in the last column stand for data injection and data leakage. Facebook apps all have a DEX opti- camera/microphone output.android. They will not do optimization before suc- converted to a stream that can be further processed in real cessfully acquiring a global lock implemented with a Unix time. There is demand which takes advantage of an existing media recording API on global locks because some resources cannot be used by setOutputFile(fd) that outputs camera and microphone two different processes/threads simultaneously. socket as an IPC mechanism. domain socket. from AOSP 6.7% certain code will not be executed more than once.3 Implementing Global Lock streaming. Reachabil- ity Analyzer could take a few minutes to more than one hour.android. the prominent usage of Unix domain vice library co-exist on the same device. In fact. Therefore. saging (GCM) is not accessible. to perform live streaming. DL QT5 10 (10) Debugging interface ABS None DoS. another server that attempts to bind on it Apps 67 45 22 67. the average time for analyzing a system daemon is 110 hasException = true. 106 // use UNIX domain socket to 107 // prevent subsequent initialization ing one app is 2.Table 5: Libraries that use Unix domain socket. uses a Unix domain socket for locking. 111 } 39 seconds. on the numbers of bytecode instructions of apps. Android itself does not provide global locks shared be- scriptor to this API so that the server can read real-time tween different apps. IDA Pro’s disassembling process took a few seconds to a few 109 } catch (java. After a Unix domain socket operations should be serialized instead of parallelized. Developers came up with a workaround. According to our experience in inspecting potentially vul- nerable apps SInspector reported. In this way. and Umeng Message are three them in Table 6. Google Cloud Mes- as well as to implement watchdogs. It 4. DL Amazon Whisperlink 11 (7) Data transfer FS None Not vulnerable OpenVPN 7 (4) Cmd & control FS None Not vulnerable Table 4: Results summary. own protocols for client/server communication. apps targeting on China market have to choose other push services.internal..telephony. Due to the widely used by apps to implement global locks and singleton.g. ABS and FS under “Namespace” are short for ABSTRACT and FILESYS- TEM.2.1_r10. This feature is widely exploited to ensure that LG G3 6 4 2 66. 4. A few video recording apps leverage Unix domain sockets to realize real-time media 4.502 seconds.IOException ex) { minutes.2% would fail. DL Clean Master 9 (9) Data transfer ABS None DoS. 105 try { Other modules are pretty fast. We observe that Unix domain sockets are top message push service providers in China.

getInputStream() Server also blocks at reading after accepting client connection. Android app is its package name. However. LocalSocket.connect() 193 from (or write data to) the other end. The daemon and managing Qualcomm connectivity engine [10]. the Kaspersky Security the system daemon cnd on LG G3 and Galaxy S4 is used for app starts a native daemon in a service. Unix domain sockets. returns.000 as both UID and GID. These checks are handy when each type of checks. 10. Requests notified and restart it immediately. LocalSocket.browser”. Table 7 own UID and GID. there are no APIs commands from ADB shell. process name has 1.<init>() LocalSocketServer. as Figure 4 depicts. Only 9 of 60 (15%) UID/GID checks. In app layer. while system daemons use all unauthorized peers. In native layer. checks meaningless. checks client user name. which is used for remote debugging. user experience. returns. since each user also has its unique user daemons employ strong checks. the user system tion checks into four types: UID/GID checks. getting process name with its PID is done by reading /proc/PID/cmdline Daemon Daemon Daemon or /proc/PID/comm on the proc filesystem (procfs). They also effec- heavily rely on the correctness of SEAndroid policies and tively authenticate the peer’s identity. Apps and daemons tend to use different one wants to allow only privileged users or particular apps types of authentication checks. For example.3 Peer Authentication can send legitimate requests to cnd effortlessly. Therefore. In native root and system are allowed.2. by checking if a client’s UID layer.getOutputStream() Singleon/ LocalServerSocket. any app 4.setArgV0(String s) through Java Some apps have important services that are expected reflection. meaning that their security name that cannot be spoofed or modified. By default. If one is died. as UID and GID can never be spoofed or checks except permission checks. For instance. Start Daemon. apps can easily get the peer It starts a Unix domain socket server accepting debugging app’s permissions with its UID. user name checks. By changing process name to “android.accept() Unix domain socket server/client reads data IPC LocalSocket. but apps from the same developer could shows the numbers of apps and system daemons adopting share the same UID and GID.connect() Client connects to server and then blocks at reading.000 for privileged users. For example.bind() after binding to an address. is equal to 0 or 2. the other will gets if the client’s process name is “android. UID/GID Checks. One possible reason is in modified. Start Service. This hidden method makes all process name therefore developers have to to find a workaround to au. runs in background.<init>() Server has no reading/writing operations 165 Global Lock LocalSocket. UID/GID checks efficiently prevent checks and permission checks. User Name Checks. by calling a hidden method Process. and classify peer authentica. For example. Process (a) Service and (b) Service is dead so (c) Daemon is dead so name checks compare the peer’s process name with prede- Daemon are Daemon’s read() Service’s read() fined process name(s). Interestingly. Samsung Galaxy S4’s file access permissions. Apps only adopt UID/GID to communicate with it. These checks are similar to sible to query the peer’s permissions. But due to the lack of Android runtime context.browser”. Usage Key APIs Code Pattern # Apps LocalSocketServer. but it requires no are against Android’s memory management philosophy. in case they are somehow termi. from other clients are not legitimate and will be discarded. each app has its checks. UID/GID Process name User name Permission 4. and permissions.4 Implementing Watchdog #Apps 20 0 0 97 #Daemons 7 3 2 0 Service Service Service read() read() read() read() read() read() Process Name Checks. Normally. the process name of an both alive. It accepts re- the service monitor each other mutually. This method is supposed to be used by the sys- to always run in background. Table 6: Code patterns for categorizing Unix domain socket usage. process name and user name can be easily obtained. They implement a watchdog mechanism leveraging pass checks and send messages to the victim. A list of names . obtain differs.000. modify their own process names at runtime. as malicious apps can always change tomatically restart them. Android reserves UIDs less than thentication Detector module. Watchdog 33 LocalSocket. the content of the two proc files of an app process is actually the app’s Figure 4: The Kaspersky app’s service and daemon monitor package name. We refine the categorization made by SInspector’s Au. their process names to legitimate ones so that they can by- nated.getInputStream() LocalSocket. the Android Wear app has a service different layers the information apps/system daemons can called AdbHubService. we find that apps are able to each other through a Unix domain socket. RIL daemon. Such “immortal” services tem (labeled with @hide in source code). rild. and permission checks. and helps reduce negative impact on Table 7: Statistics on peer authenication checks. it is infea. Only commands coming from for getting the peer’s process name or user name. through a Unix quests from clients through a Unix domain socket and checks domain socket channel.

CASE STUDY app to grant or deny root access of any other apps.so1 . “DENY” (6) Root access granted/denied thentication checks. on Android. fying file permissions and changing file status and ownership ing tool.so pro- 5.so). we observe two apps adopt token-based checks. widely used third-party libraries. Figure 5 private file.1. uid) to do permission checking (5) Connecting to server and send “ALLOW”/ Token-based Checks. resulting in denial of service. (4) Looking up granted existing policies tials. 5. The second one.. the app starts a native process and executes and more details are available on our project website https: libestool2. product to date. address. then calls Context. as well By examining the output of SInspector. any vulnerable are actually false positives. injecting “ALLOW” any app can get root access regardless fectively prevent unauthorized accesses. SInspector currently cannot identify licly accessible as its file permissions are set to rwxrwxrwx. We find two apps what the user’s actual decision is. employing two different methods to share tokens between the server and the client.pop/files/comm/tool_port. broadcasts the token on the server side. causing permanent data loss. Moreover.android. e. App requesting radio. (3) factory reset the victim de. Helium Backup. which claims to be able to root 103.pop/files/ many one-click rooting tools become available [33]. the FILESYSTEM-based socket channel is pub- and extract the token. @/data/data/com. 1 This binary looks like a shared library from its name. In app layer. These vulnerabilities can be a new version in 24 hours.1 Applications if the device is rooted and the user chooses to run ES File Ex- plorer in root mode. We were able to read any app’s private files and a root access management portal. the device. listening on another ABSTRACT As rooting gaining popular in the Android community.. it pops the token. This allows a malicious 5. The server and the client first securely share a small chunk of data (called token). The normal root request clients having the right token can talk to it. but tem/bin/su. allowing the attacker to steal user privacy ES File Explorer is a very popular file management app and modify system settings. a system permission that can only be acquired by Root access system apps.checkPermission(permission.790 different are sent to these two native processes to execute. such checks. Since the server and the client are both created illustrates the whole process. The (3) Asking for decision (with server socket addr) Facebook Stetho library checks if the peer has the DUMP per- mission. OS Monitor. If no corresponding policy exists. support a wide range of devices Since there is no client authentication on the server side running Android 2. This stalls a command line tool. these apps reported as potentially and there is no client authentication in su. Attack demos ciently support. The server compares the to- ken of the incoming client with its own copy so that only Figure 5: Vulnerability illustration. we successfully as grant itself root privileges in order to take full control of discovered several high-severity zero-day vulnerabilities af. It first obtains UID and PID from peer creden. they have privileges to read the private file However. models (as of May. Certain low-level operations.socketXXXXX Connecting to server socket channel.com/site/unixdomainsocketstudy. pid. As a result. it starts another libestools2. apps can call several APIs in and send “ALLOW” the Context class to check another app’s permissions. These checks enforce that only socket server listening on a randomly generated apps with specific permissions can access the Unix domain address: . User name checks might be better than UID/GID Rooting App su root access checks because the same user may have different UID/GID on different devices due to vendor customization. We reported this vulnerability to the developers fecting popular apps installed by hundreds of millions of and they rated it as the most severe security bug in their users. media. (2) read and write arbitrary files. after grant or deny apps’ root requests.android. which creates a Unix domain socket server //sites. .1 Data Injection in a Rooting Tool cess with root privileges.0 Marshmallow. The first one.e.1. giving the 5. assuming the token is shared in secure ways. such as modi- allow users to gain root access very easily. The rooting app looks up other apps without the required permission cannot receive existing policies. estrongs.of privileged users are hardcoded in the binary. shown as steps (1){2}{3}.2 Privilege Escalation in ES File Explorer attacker entire control of the device. it is essentially an ELF executable.g. One major root. app can inject arbitrary decisions before the rooting app sends out the real decision to su. The broadcast is who starts a Unix domain socket server waiting for the root- protected by a developer-defined permission. accumulating over 300 million installs [6]. su. To vice. They fixed the vulnerability and released mons having root privileges. @/data/data/com. 2016). stores its token in a up a dialog that asks the user to make decision.estrongs. As well as rooting. By checks. to the system partition /sys. the ES File Explorer app and its native processes. listening on an ABSTRACT address. This type of procedure consists of steps (1)-(6) with solid arrow lines. through which users can protected system files by exploiting this vulnerability. Apps then request root access by executing su. (1) Requesting root (2) Starting a Unix domain Permission Checks. exploited to (1) grant root access to any apps.3 Gingerbread and above up to Android (i. can ef. which comm/su_port. the rooting app in. successfully reversing the communication protocol used by Once a device is successfully rooted. and (4) change system perform file operations that Java layer APIs cannot effi- date and time. any app can send them commands 6. As a result. libestool2. and system dae. the tool also serves as to run. and therefore ing app to send back user decision. by the app itself. Besides aforementioned peer au.google.

To our surprise. tackers to DoS services relying on exact system date and For example. nect to the server through this address and send control OpenVPN management interface allows OpenVPN clients commands to it on a Nexus 4. we are able to con- the community version of OpenVPN for Linux. policies editable at runtime may open new attack vectors. COUNTERMEASURE DISCUSSION the OpenVPN client. As our study suggests. nels based on ABSTRACT addresses are less secure than et/atd. validating server certificate. We are able to control the to be administratively controlled from an external program audio playing on a peripheral device connected to the phone via a TCP or Unix domain socket. least) the LG G3 is vulnerable. Moreover.timeservice”.e. is expected to be en- inside the app. coordinates. if in the right format. are Commands from any apps. causing deny-of-service at least. although having individual UIDs and GIDs. on (at domain sockets. However. therefore other allow apps with location permissions to get the user’s GPS Android phones using Qualcomm time daemon are also vul. A system daemon may need to provide mission to change the system date and time. an adversary can establish connection to the management interface and then control 6. The client is an ELF executable ported from forced by SEAndroid. the misuse of Unix domain sock- ets on Android has resulted in severe vulnerabilities. A privileged system daemon exposes its function- This vulnerability allows any app with the INTERNET per. ertheless. the use of ABSTRACT namespace. party apps. e. make phone calls. We first found that a LG G3 daemon /system/bin/- time_daemon opens a Unix domain socket server listening on 6. /system/bin/atd. they are able More fine-grained SEAndroid policies and domain to read and write this socket file so that they can talk to assignment. Surprisingly. capability of doing factory reset to only system apps. atd is a proprietary daemon developed main socket channels created by apps use the ABSTRACT by LG. or more radically. Though the LG G3 and the Galaxy ing use of OpenVPN for Android utilize Unix domain sockets S4 also expose the same channel. affording at. Therefore. For now.. signed CVE-2016-3683. The ABSTRACT address.1 LG AT daemon approaches to implementing secure IPC that utilizes Unix The privileged AT Daemon.2. This vulnerability has been reported and was as- to the developers. causing permanent data loss Changing the default namespace. The permission configuration tuitive mitigation is to change the default namespace from means all users in the inet Linux group can read and write ABSTRACT to FILESYSTEM. As a result. some security improvements despite their tendency to intro- anisms.1 OS-level Solutions toggle the SIM card. i.2. However. This daemon veri. reverse engineering the protocol can be made to regulate Unix domain socket accesses.3 DoS VPN Apps 5. system daemons will have to . none of these apps adopt any client duce vulnerabilities [34]. whose permissions are not correctly configured (i. each user may install any number of apps. which allows any app with only the INTERNET permission to factory reset the phone. the LG AT daemon may want to expose the time. enforceable by SEAndroid because domain-level policies can- fully crafted commands that can instruct atd to perform not tell one third-party app from another. will be assigned the same domain label. ality to apps. It starts a Unix domain socket server that performs namespace by default. To achieve this. and time_daemon is developed by Qualcomm. socket chan- no client authentication. untrusted_app.2. wiping all user data and toggle the SIM card. we success.a2dp_ctrl. This case suggests that vendors may have made file. Consequently. Therefore. 5. Unix do- and denial of service. we need to assign different domain labels to In fact. diverse functionality to apps that have different privileges. and making fixed been assigned CVE-2016-3360. which exposes a Unix domain socket channel for con- at advanced users and offers many settings and the ability trolling the A2DP protocol [1]. Due to the lack of DAC.3 Bluedroid Multiple OpenVPN clients for Android are available.e.2 Secure IPC on Unix Domain Sockets an ABSTRACT address @time_genoff.1. and more. sion all belong to the inet group. OpenVPN supports various client authentication mech.g. verification is weak and daemons require Unix domain sockets for IPC and discuss can be easily bypassed — it only checks whether the process possible solutions to their security problems. an in- srw-rw---. to import profiles from files and to configure/change profiles @/data/misc/bluedroid/. /system/bin/. 6.2 Qualcomm Time Daemon app. In the current SEAndroid model. Nev- allows us to send arbitrary SMS requests. authentication. factory reset. Quite a few of apps mak. those based on FILESYSTEM addresses. through Bluetooth. this could introduce new problems: pre-defined get user’s geographic location. some apps always fail at connecting stage due to insufficient per- of them fail to set file permissions correctly for the socket mission. name of the client is a constant string “comm. listening on socket file /dev/sock. it would be untenable to define policies for every 5. Android apps having the INTERNET permis.. accesses from third-party to communicate with the management app. The Android Bluetooth stack implementation is call blue- OpenVPN for Android is an open source client that targets droid. We 5. We demonstrate three scenarios where apps and system fies the client’s identity. disable this socket file. This vulnerability has policies would not be able to cover apps.vulnerability was fixed two months after we first reported it nerable. Unix processed by the daemon. all third- the AT daemon through this Unix domain socket channel.2 System Daemons discuss possible countermeasures to minimize the problem from two aspects: (1) OS-level mitigations and (2) better 5...system inet). etc. atd accepts a large set of commands (only a subset different third-party apps so that more fine-grained policies were successfully reversed). domain sockets accesses between third-party apps are not By reversing the message format atd accepts.

Unfortunately. 20. we conducted the first systematic study in Unix domain socket understanding the usage of Unix domain sockets by both apps and system daemons as an IPC mechanism on An- droid. 27. to pre-installed the incoming request. to check UID on both client and server sides. Java and the native layers. Kratos [29] found frame- work vulnerabilities from the perspective of inconsistent se- curity enforcement. The goal ways of uncovering vulnerabilities are being developed. Android. daemon functionality is indirectly exposed to apps with the These works aim to exploit the IPC mechanisms in order help of a system service. and GPS data [30]. novel attacks and innovative Figure 6 demonstrates the proposed solution. They discovered that many of these firmware broadcast to the server app to request a communication to. Wu et. However. We use static anal- ysis to detect the misuse of Unix domain sockets in apps. e.g. and performing data flow analysis on na- . to disclose sensitive information such as SMS messages. cross-layer IPC. malware. A system service is added between apps and e. FlowDroid [14] has bles need an intra-application. 31. none of the aforemen- Figure 6: A secure way to expose system daemon function. Customizations to An app exposes interfaces to other apps. a tool ted arrow lines stand for permission-protected broadcasts. The to this system service through Android Binder and their per. There also ex- (Check app permission) System Daemon ist works focusing on detecting implemention flaws of the App Android framework. RELATED WORK of Android runtime context in system daemons precludes As the community continues to explore and understand daemons from easily obtaining the app’s permission(s). Apps having native executa. apps have to discovered that over 85% of all preinstalled apps in stock choose Unix domain sockets for cross-layer IPCs. been widely used for doing taint analysis on Android apps. We pro.enforce app permissions themselves. An app consisting of both Java and native code Techniques that serve this purpose have been extensively performs cross-layer IPC. [13] studied the threat (Check sys UID) Direct access denied of hanging attribute references. call history.. If the user allows. Messenger. for discovering potential security vulnerabilities through the process of identifying socket addresses. and pre-installed apps are susceptible to a litany of vulner- ken. Unix domain sockets. In this way. especially for cross-layer communications between the Figure 7: Token-based secure Unix domain socket IPC. Note that the token is not meaningful to anyone mentations. it performs dynamic else. the system daemon. Android IPC mechanisms. CONCLUSION App Reply a token App In this paper. the client connects to the server with droid framework. They presented ComDroid Binder System Service socket to detect app communication vulnerabilities. After that. Instead of letting apps and daemons static and/or dynamic analysis of Android apps and frame- communicate directly through a Unix domain socket. tents. The server responds by asking the user to allow or deny abilities that range from injected malware. Amandroid [31] is a data flow analysis its non-native part. and we build same UID as their owner apps. On a customized phone. [17] Unix examined Android application interaction and identified se- domain curity risks in app components. device to its related Linux files. work.g. Security risks in customizations. the server app gen. Our work reveals and studies a new customization domain — privileged system daemons — which can be exploited to perform dangerous operations. An app cre. For example. Android and its ecosystem. We presented SInspector. detecting authen- tication checks. executables still have the framework that provides better ICC support. 31. al. the lack 7. Apps talk Android IPC and framework vulnerabilities. as exploitable interfaces. Binder. ADDICTED [34] is a tool for automat- its token and a Unix domain socket connection will be es. Of those 85% pose a token-based mechanism inspired by Helium described of apps. Particularly. studied [14. thus can be easily authenticated by the daemon. have been thoroughly studied [17. and signing vulnerabilities. it does not handle inter-component communica- domain sockets to communicate with the native process from tions (ICC) well. Even if it was stolen. This guish and demonstrate how our work contributes to Android new system service runs as the system user with UID 1000. 21. These all point to a erates a one-time token for that particular client and returns systemic problem introduced by customization of the An- the token. being to delegate peer authentication to the existing An. and uses Unix However. Unfortunately.3. Request token Ask for user Client decision Server 8. By comparing our work with that of others we distin- tem service acts as an intermediary between the two. as Figure 7 illustrates. and In- missions are validated by the system service. Dot. The client app first sends a customization. ically detecting flaws exposed by customized driver imple- tablished. Aafer et. In this case. Therefore. inter-application communications. tioned works explore traditional Linux IPCs on Android. Many of the existing works in Android security leverage droid security model. 22]. security research. the Android framework has been known to introduce new specific IPCs such as Intents are expected to be used for vulnerabilities not present in the AOSP [32]. al. almost all vulnerabilities are a direct result of vendor in §4. Static analysis of Android apps.. a sys. 14. the attacker would not be able analysis to correlate the operations on a security-sensitive to use it to talk to the server app. 22]. images have more privileges than they need. ality to apps. it is convenient our tool on top of it. Chin et. al. ates a native process to run its executable.

Greenwood. W. http://www. Felt. Zhou. and Acknowledgments M.android. Li. 2012. Roy. NDSS. McDaniel. Flowdroid: Precise context. of CCS. A. https://source. X. 2010. 2008. back on our work. Jiang. C. [26] Z. N. Crussell. field.com/. Song. Y. Wu. Ott. Towards taming providers: A double-edged sword. Hare potential malware threats.android. android smartphones.pewinternet. Triggerscope: Towards TechnologyOverview/Pages/A2DP. ISOC NDSS. Fratantonio. X. traces. and C. Ou.com/ Enforcement in the Android Framework. Klein. Le Traon. Wang. C. Polyglot: The peril of fragmentation: Security hazards in Automatic extraction of protocol message format using android device driver customizations. 2007. Communication. N. [10] Qualcomm’s cne brings “smarts” to 3g/4g wi-fi [27] L. We analyzed 14. [5] ApkPure website. Hardy. Aafer. Amandroid: A precise 2015.-R. Shao.-y.com/ statically vetting android apps for component news/onq/2013/07/02/qualcomms-cne-bringing. Privilege escalation attacks on android. Qian.com/. K. In J. Z. context-aware monitored execution. Shastry. P. [33] H. In Proc. and D. J. In Proc. et al. Sheth. ACM Transactions on Computer 9. 2013. Davi. S.bluetooth. and Z. A. http://www. 2011. to communicate with it? http://stackoverflow. ISOC NDSS. of ISOC NDSS. Nielson. In impact of vendor customizations on android security. Han. W. Wang. P. [2] An Analysis of Android App Permissions. Enck. H. In Proc. M. 32(2):5. Dmitrienko. and H. 2014. and B. Wang. as well as certain system Analyzing inter-application communication in daemons. Rasthofer. Dmitrienko. and X. 2012. T. J. suffer from serious vulnerabilities. Gibler. P. object-sensitive [32] L. A study of known and X. Chen.aspx. Liang. A. Bartel. Discoverer: ting.com/ Screenmilker: How to milk your android screen for questions/14215462/how-to-create-a-android-native. 2012. IEEE S&P. hanging attribute references. and X. Davi. Du. Wang. of ACM CCS. Arzt. of ACM privilege-escalation attacks on android. E. [1] Advanced audio distribution profile (a2dp). In Proc. of ACM CCS. [4] Android Security Tips: Using Interprocess [23] M. E. Tendulkar. and H. as well as by the Office of Naval Research Chun. secrets. S. The Confused Deputy:(or why capabilities [6] Es app group. html#android-platform-security-architecture. Proc. Zhang. Gilbert.org/ C. of USENIX Security. and factory reset. Z. we proposed countermeasures to Automatic protocol reverse engineering from network prevent these attacks from occurring. In Proc. Kirda. Kratos: Discovering Inconsistent Security Policy [12] Xposed development tutorial. Chex: seamless interworking. [7] How to create a android native service and use binder [25] C. This research was supported in part by the National Science Foundation under grants CNS-1318306 [20] W.com/security/index. Fischer. Springer.android. Principles [11] Security — Platform Security Architecture. Kannan. [13] Y. Z. H. Sadeghi. arbitrary file access.sourceforge. Zhang. J. Fritz. https://github. smarts-3g4g-wi-fi-seamless-interworking. Springer. [15] S. Grace. and G. and CNS-1526455. 2014. https://www. In Proc. Springer. Y. Chin. Zhou. Robertson. an-analysis-of-android-app-permissions/. A. of ACM CCS. Grace. SMobile Global Threat hunting in the wild android: A study on the threat of Centre.com/security/. The and lifecycle-aware taint analysis for android apps.-G. and P.estrongs. Cui. Zhang. of ACM MobiSys. Proc. She. of dynamic binary analysis. 2014. [21] Y. Based on our study. Lin. P. Mao. protocol format reverse engineering through https://www. A. Qian. R. W. and X. [16] J. Q. Nielson. A. of rovo89/XposedBridge/wiki/Development-tutorial.com/. of ACM CCS. privilege escalation. hijacking vulnerabilities. Chen. framework for security vetting of android apps. detecting logic bombs in android applications. [28] F. In Proc. http://developer. of program analysis. Zhang. Caballero. and A. In Proc. [24] N. Wu. and X. Naveed. D. 2016. D. and Z. 2014. D. 2012.com/ Systematic detection of capability leaks in stock training/articles/security-tips. Bodden. In Proc. Z. Octeau. A. of ACM CCS. Bugiel. [31] F. [19] L. AndroidLeaks: automatically detecting potential [3] Android Security Overview. Y. Jiang. K. . Z. B. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. https://developer. of ACM PLDI. pages 346–360. In Proc. service-and-use-binder-to-communicate-with-it. In Information Security. Y. Bianchi. Wei. Vigna. of ISOC [9] ProGuard. under grant N00014-14-1-0440. Jung.org/2015/11/10/ [22] C. Yin. Cox. Wagner. ACM SIGOPS. X. https://source. Jiang. In Proc. J. Jiang. S.html#IPC. Zhou. [34] X. finding that some apps. Winandy. V.-C. https://apkpure. of IEEE S&P. M. including root Android. In Proc. J. Hankin. 2015. 2014. Vennon. X. Zhou.-R. Zhang. http://proguard. 2015. Erickson.net/. Wu. Android malware. Zhang.pnfsoftware. In Proc. and general inter-component data flow analysis [14] S. Z. [30] T. Lee. and M. flow.644 Android apps and 60 system [17] E. McDaniel. Grace. Zhou. We thank the anonymous reviewers for their valuable feed- 2010. Xu. and G. REFERENCES Systems (TOCS). [29] Y. In Proc.tive code. L. Lu. and D. Wang. X. Lee. and X. 1988. Lin. M. N. Li. daemons. might have been invented). Kruegel. L.qualcomm. Chen. H. [18] W. J. A. of ISOC NDSS. Automatic [8] Jeb decompiler by pnf software. Android root and its Sadeghi. 2016. 2007. privacy leaks in android applications on a large scale.