
DroidChecker: analyzing android applications for capability leak

Patrick P.F. Chan, Lucas C.K. Hui and S. M. Yiu


WISEC '12 Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks

Contribution
A novel approach to automatically detect capability leak in Android applications.

5/20/2013

Capability Leak
An application with fewer permissions (a non-privileged caller) gains access to the components of a more privileged application (a privileged callee). The lower-privileged application can then do things through the capability of the higher-privileged application.

Four Major Android Components


Activity
An activity represents a single screen with a user interface

Services
A service runs in the background to perform long-running operations and does not provide a user interface. For example, a service might play music in the background while the user is in a different application, or it might fetch data over the network without blocking user interaction with an activity.

Android Components (contd..)


Content Providers
A content provider manages a shared set of application data. The data can be stored in the file system, in an SQLite database, on the web, etc.

Broadcast Receivers
A broadcast receiver responds to system-wide broadcast announcements. For example, a broadcast announcing that the screen has turned off, the battery is low, etc.

How can one application communicate with another?


Through ICC (Inter-Component Communication), either intra- or inter-application.
To be specific, through a special kind of message called Intents.
[Exception: Content Providers] Content providers are addressed through a special content Uniform Resource Identifier (URI).
Format: content://<authority>/<table>/[<id>]

Passing of intents (Example)

Ref: http://www.mertkavi.com/tag/android-programlama


System Design
[Figure: system design flowchart with the stages APK File, Convert, JAR, Decompile, Source Files, Get Manifest, Parse Manifest File, Risky Components?, List of potential Components, Capability Leak Detection, Result]

Note : Drawn using the idea from [1]


Two Main Steps


1. Manifest File Parsing: find risky components for further review.
2. Capability Leak Detection: find the vulnerable applications/components from the candidates.


Manifest Parsing (1)


The parser first checks the Android Manifest file to see:
1. Whether the application uses at least one permission. If not, the parsing process terminates. [It has no capability]
2. Whether the application is guarded by any permission in the <android:permission> tag. If so, the application is safe.

Manifest Parsing (2)


For components not found safe in the earlier check

Note : Drawn using the idea from [1]
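
The manifest-parsing stage can be sketched in Python as follows. This is an added example, not code from the slides or from DroidChecker; the per-component test (explicit `android:exported="true"`, or implicit export through an intent filter, with no `android:permission` on the component) is an assumption based on Android's manifest semantics, and the sample manifest and the name `risky_components` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from the slides or the paper).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SmsService" android:exported="true"/>
    <service android:name=".Guarded" android:exported="true"
             android:permission="com.example.demo.SEND"/>
    <activity android:name=".Internal"/>
    <activity android:name=".Closed" android:exported="false">
      <intent-filter><action android:name="com.example.demo.X"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def risky_components(manifest_xml):
    """Return names of activities/services that need source-level review."""
    root = ET.fromstring(manifest_xml)
    # Step 1: an app that uses no permission has no capability to leak.
    if root.find("uses-permission") is None:
        return []
    app = root.find("application")
    # Step 2: a permission on <application> guards every component.
    if app is None or app.get(ANDROID + "permission"):
        return []
    risky = []
    # Activities and services only, matching the tool's stated scope.
    for comp in list(app.iter("activity")) + list(app.iter("service")):
        if comp.get(ANDROID + "permission"):
            continue  # guarded by its own permission
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Implicit export: with no android:exported attribute, an
            # intent filter makes the component reachable from other apps.
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true":
            risky.append(comp.get(ANDROID + "name"))
    return risky

print(risky_components(SAMPLE_MANIFEST))
```

A component carrying any `android:permission` is skipped here regardless of that permission's protection level, which is the same gap listed as limitation 4 later in the slides.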


Capability Leak Detection


After finding vulnerable components:
Examine the source code of those components.
Try to find the data paths leading to capability leak through the inter-procedural control flow graph, following taint propagation.

Capability Leak Detection


Two kinds of data path are of interest:
1. Paths involving API calls that result in a sensitive operation being called.
2. Paths involving API calls that return the result of a sensitive operation.

Taint propagation
Two kinds of variables are tainted:
1. Variables appearing in the parameters of a sensitive call
2. Variables holding the return value of a sensitive operation

Example

Example taken from [1]



Example


Example taken from [1]


Limitations
1. It is a static analysis technique, so it produces a lot of false positives (FP).
2. It only detects capability leaks through Activities and Services; it does not work for Content Providers.
3. It is not practical for users to run themselves.
4. It did not handle one case in the Manifest File parsing module: the protection level of the permission by which an application is protected was not considered.

Question 2
Do you have any idea to stop applications from leaking capability? Please justify and explain your idea, if there is any.

Idea for Capability Leak Detection


The existing mechanism does not restrict access to a publicly exported (explicitly or implicitly) component, even if the application hosting those components owns certain permissions. Here lies the opportunity for capability leak detection.

Example

App1's components can access the components of App2, which can access component 1 of App3. So App1 can now indirectly access component 1 of App3.
Note : Drawn using the idea from [1]

Proposal
Suppose AppX uses permissions PX = {Px1, ..., Pxn} and has unguarded components. AppY has permissions PY = {Py1, ..., Pyn} and wants to access components of AppX.

The proposal is that, to have this access, it must be that: Px PY

References
[1] Chan, Patrick PF, Lucas CK Hui, and S. M. Yiu. "Droidchecker: analyzing android applications for capability leak." Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2012.


Questions and Comments


??
