Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner University of California Berkeley MobiSys 2011

Outline  Introduction  Android Overview  Intent-based Attack Surfaces  ComDroid  Evaluation  Other mobile Platforms

Introduction

 Android’s message passing system can become an attack surface if used incorrectly  Intent  Intents can be used for both intra- and inter- application communication  ComDroid  A tool analyzes Android applications to detect potential instances of vulnerabilities  Personal data loss, corruption, phishing…

Android Overview

 Android’s security model differs significantly from the standard desktop security model  The complexity of Android’s message passing system implies it has the largest attack surface

Android Overview  Threat Model Isolation (mem, file..)

Android Overview Activity Service BroadcastReceiver Service BroadcastReceiver Service BroadcastReceiver Intent System Intent Malicious Intent Fake System Intent

Android Overview Activity attacker.com ?

Android Overview  This paper do not consider attacks on the OS  Just focus on securing applications from each other

Android Overview  Intents [link][link]  System broadcast Intents  Only can be sent by the OS  Explicit or implicit

Explicit Intents 12 Yelp Map App Name: MapActivity To: MapActivity Only the specified destination receives this message

Implicit Intents 13 Yelp Clock App Map App Handles Action: VIEW Handles Action: DISPLAYTIME Implicit Intent Action: VIEW

Implicit Intents 14 Yelp Browser App Map App Handles Action: VIEW Implicit Intent Action: VIEW

Android Overview  Activities  Services  Broadcast Receivers  Content Providers

Android Overview  Activity  Display on screen 2009/12/8Advanced Defense Laboratory 16

Android Overview  Service  Background process 2009/12/8Advanced Defense Laboratory 17

Android Overview  Broadcast Receiver  Asynchronous event notification 2009/12/8Advanced Defense Laboratory 18

Android Overview  Content Provider  Share data between applications  Do not use Intents  Use URI (Uniform Resource Identifier) 2009/12/8Advanced Defense Laboratory 19

Android Overview  Component Declaration  AndroidManifest.xml  To receive Intents…  Service and Activity must be declared in the manifest  Broadcast Receivers can be declared at runtime or in the manifest

Android Overview  Exported Components  EXPORTED flag (in AndroidManifest.xml)  Includes at least one Intent filter  Intent filter  Action, category, data, extra data…

Android Overview  A sender can assign any action, type, or category (certain actions that it only the system can send)

Android Overview  Permission  Normal  Dangerous  Signature  SignatureOrSystem

Intent-based Attack Surfaces

Common Developer Pattern: Unique Action Strings 25 Showtime Search Results UI IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes

26

Common Developer Pattern: Unique Action Strings 27 Showtime Search Results UI IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes

ATTACK #1: Eavesdropping 28 Showtime Search Malicious Receiver IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes Eavesdropping App Sending Implicit Intents makes communication public

ATTACK #2: Intent Spoofing 29 Malicious Component Results UI IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Action: showtimesNoLocationError Malicious Injection App Receiving Implicit Intents makes the component public

30 Typical caseAttack case

ATTACK #3: Man in the Middle 31 Showtime Search Results UI IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocation Error Malicious Receiver Handles Action: willUpdateShowtimes, showtimesNoLocationError Man-in-the-Middle App Action: willUpdateShowtimes Action: showtimesNoLocation Error

ATTACK #4: System Intent Spoofing  Background – System Broadcast  Event notifications sent by the system  Some can only be sent by the system  Receivers become accessible to all applications when listening for system broadcast 32

System Broadcast 33 Component App 1 Handles Action: BootCompleted Component App 2 Handles Action: BootCompleted Component App 3 Handles Action: BootCompleted System Notifier Action: BootCompleted

System Intent Spoofing: Failed Attack 34 Handles Action: BootCompleted Malicious Component Malicious App Action: BootCompleted Component App 1

System Intent Spoofing: Successful Attack 35 Handles Action: BootCompleted Malicious Component Malicious App Component App 1 To: App1.Component

Real World Example: ICE App  ICE App: Allows doctors access to medical information on phones  Contains a component that listens for the BootCompleted system broadcast  On receipt of the Intent, it exits the application and locks the screen 36

Real World Example: ICE 37

ComDroid

 Disassemble application DEX files using Dedexer tool Dedexer  Parses the disassembled output and logs potential component and Intent vulnerabilities

ComDroid

 Permission  Normal and Dangerous  Intent Analysis  Intents, IntentFilters, registers, sinks (e.g., sendBroadcast(), startActivity(), etc.) and components

ComDroid  Intent  Whether it has been made explicit  Whether it has an action  Whether it has any flags set  Whether it has any extra data  Sinks  Implicit or not?

ComDroid  Component Analysis  Public or not?  Main, launching Activity is public but is less likely to be attackable  registerReceiver()  With data / without data  System broadcast  Intent.getAction()  Misuse

ComDroid  Limitation and discussion  Do not distinguish between paths through if and switch statements  False negatives  Pending Intent  Future work

Evaluation