
DroidChecker: analyzing android applications for capability leak

Patrick P.F. Chan, Lucas C.K. Hui and S. M. Yiu

WISEC '12 Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks

A novel approach to automatically detect capability leak in Android applications.


Capability Leak
An application with fewer permissions (a non-privileged caller) gains access to the components of a more privileged application (a privileged callee). The less privileged application can then perform actions through the capabilities of the more privileged application.

Four Major Android Components

An activity represents a single screen with a user interface.

A service runs in the background to perform long-running operations and does not provide a user interface. For example, a service might play music in the background while the user is in a different application, or it might fetch data over the network without blocking user interaction with an activity.

Android Components (contd..)

Content Providers
A content provider manages a shared set of application data. The data may be stored in the file system, in an SQLite database, on the web, etc.

Broadcast Receivers
A broadcast receiver responds to system-wide broadcast announcements, for example a broadcast announcing that the screen has turned off or that the battery is low.

How can one application communicate with another?

Through ICC (Inter-Component Communication), either within one application or between applications. Specifically, through a special kind of message called an Intent. [Exception: Content Providers] Content providers are instead addressed through a special content Uniform Resource Identifier (URI).
Format : content://<authority>/<table>/[<id>]

Passing of intents (Example)



System Design

[Figure: system design flow. APK File -> Get Manifest -> Parse Manifest File -> Risky Components? -> List of potential Components -> Source Files -> Capability leak Detection]

Note : Drawn using the idea from [1]


Two Main Steps

1. Manifest file parsing: find risky components for further review.
2. Capability leak detection: find the vulnerable applications/components among the candidates.


Manifest Parsing (1)

It first checks the Android Manifest file to see:
Whether the application uses at least one permission; if not, the parsing process terminates, since the application has no capability to leak. It then checks whether the application is guarded by any permission in the <android:permission> tag; if so, the application is safe.

Manifest Parsing (2)

For components not found safe in the earlier check:


Note : Drawn using the idea from [1]
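The manifest parsing step above, as an added example written for this summary (it is not DroidChecker's own code): it applies the two checks from the slides to a constructed AndroidManifest.xml and then lists the exported components that carry no guarding permission. It assumes the pre-API-31 rule that a component with an intent-filter is implicitly exported, and treats a component-level android:permission as a guard, which is an assumption about what the "found safe" check covers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: one permission, one implicitly exported
# activity, one exported unguarded service, one guarded service, one
# private receiver. Not taken from the paper.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SmsService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.sample.USE_SMS"/>
    <receiver android:name=".Private" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies export."""
    exported = component.get(ANDROID_NS + "exported")
    if exported is not None:
        return exported == "true"
    return component.find("intent-filter") is not None


def risky_components(manifest_xml):
    """Return (tag, name) pairs of exported, unguarded components, or [] if safe."""
    root = ET.fromstring(manifest_xml)
    # Check 1: no <uses-permission> means no capability to leak.
    if root.find("uses-permission") is None:
        return []
    app = root.find("application")
    # Check 2: a permission on <application> guards every component.
    if app is None or app.get(ANDROID_NS + "permission") is not None:
        return []
    # Remaining candidates: exported activities/services/receivers with no guard
    # (content providers are out of scope, as the slides note).
    risky = []
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            if is_exported(comp) and comp.get(ANDROID_NS + "permission") is None:
                risky.append((tag, comp.get(ANDROID_NS + "name")))
    return risky


if __name__ == "__main__":
    print(risky_components(SAMPLE_MANIFEST))
```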


Capability Leak Detection

After finding the vulnerable components:
- Examine the source code of those components.
- Try to find the data paths leading to a capability leak, using the inter-procedural control flow graph and following taint propagation.



Capability Leak Detection

Two kinds of data path are of interest:
- Paths involving API calls that cause a sensitive operation to be invoked.
- Paths involving API calls that return the result of a sensitive operation.



Taint propagation
Two kinds of variables are tainted:
- Variables appearing as parameters of a sensitive call.
- Variables holding the return value of a sensitive operation.




Example taken from [1]




Example taken from [1]


1. It is a static analysis technique, so it produces many false positives (FP).

2. It only detects capability leaks through Activities and Services; it does not work for Content Providers.

3. It is not practical for an end user to run himself.

4. One case is not handled in the manifest file parsing module:
the protection level of the permission by which an application is protected was not considered.

Question 2
Do you have any idea how to stop applications from leaking capability? Please justify and explain your idea if there is any.



Idea for Capability Leak Detection

The existing mechanism does not restrict access to a publicly exported (explicitly or implicitly) component, even if the application hosting those components owns certain permissions. Here lies the opportunity for capability leak detection.




App1's components can access the components of App2, which can access component 1 of App3. So App1 can now indirectly access component 1 of App3.
Note : Drawn using the idea from [1]

Suppose AppX uses permissions PX = {Px1, ..., Pxn} and has unguarded components. AppY has permissions PY = {Py1, ..., Pyn} and wants to access components of AppX.

The proposal is that, for this access to be allowed, it must hold that PX ⊆ PY.


[1] Chan, Patrick PF, Lucas CK Hui, and S. M. Yiu. "Droidchecker: analyzing android applications for capability leak." Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2012.



Questions and Comments