1. Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner University of California Berkeley MobiSys 2011

2. Outline  Introduction  Android Overview  Intent-based Attack Surfaces  ComDroid  Evaluation  Other mobile Platforms

3. Introduction

4.  Android’s message passing system can become an attack surface if used incorrectly  Intent  Intents can be used for both intra- and inter- application communication  ComDroid  A tool analyzes Android applications to detect potential instances of vulnerabilities  Personal data loss, corruption, phishing…

5. Android Overview

6.  Android’s security model differs significantly from the standard desktop security model  The complexity of Android’s message passing system implies it has the largest attack surface

7. Android Overview  Threat Model Isolation (mem, file..)

8. Android Overview Activity Service BroadcastReceiver Service BroadcastReceiver Service BroadcastReceiver Intent System Intent Malicious Intent Fake System Intent

9. Android Overview Activity www.bank.com attacker.com ?

10. Android Overview  This paper do not consider attacks on the OS  Just focus on securing applications from each other

11. Android Overview  Intents [link][link]  System broadcast Intents  Only can be sent by the OS  Explicit or implicit

12. Explicit Intents 12 Yelp Map App Name: MapActivity To: MapActivity Only the specified destination receives this message

13. Implicit Intents 13 Yelp Clock App Map App Handles Action: VIEW Handles Action: DISPLAYTIME Implicit Intent Action: VIEW

14. Implicit Intents 14 Yelp Browser App Map App Handles Action: VIEW Implicit Intent Action: VIEW

15. Android Overview  Activities  Services  Broadcast Receivers  Content Providers

16. Android Overview  Activity  Display on screen 2009/12/8Advanced Defense Laboratory 16

17. Android Overview  Service  Background process 2009/12/8Advanced Defense Laboratory 17

18. Android Overview  Broadcast Receiver  Asynchronous event notification 2009/12/8Advanced Defense Laboratory 18

19. Android Overview  Content Provider  Share data between applications  Do not use Intents  Use URI (Uniform Resource Identifier) 2009/12/8Advanced Defense Laboratory 19

20. Android Overview  Component Declaration  AndroidManifest.xml  To receive Intents…  Service and Activity must be declared in the manifest  Broadcast Receivers can be declared at runtime or in the manifest

21. Android Overview  Exported Components  EXPORTED flag (in AndroidManifest.xml)  Includes at least one Intent filter  Intent filter  Action, category, data, extra data…

22. Android Overview  A sender can assign any action, type, or category (certain actions that it only the system can send)

23. Android Overview  Permission  Normal  Dangerous  Signature  SignatureOrSystem

24. Intent-based Attack Surfaces

25. Common Developer Pattern: Unique Action Strings 25 Showtime Search Results UI IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes

26. 26

27. Common Developer Pattern: Unique Action Strings 27 Showtime Search Results UI IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes

28. ATTACK #1: Eavesdropping 28 Showtime Search Malicious Receiver IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes Eavesdropping App Sending Implicit Intents makes communication public

29. ATTACK #2: Intent Spoofing 29 Malicious Component Results UI IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Action: showtimesNoLocationError Malicious Injection App Receiving Implicit Intents makes the component public

30. 30 Typical caseAttack case

31. ATTACK #3: Man in the Middle 31 Showtime Search Results UI IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocation Error Malicious Receiver Handles Action: willUpdateShowtimes, showtimesNoLocationError Man-in-the-Middle App Action: willUpdateShowtimes Action: showtimesNoLocation Error

32. ATTACK #4: System Intent Spoofing  Background – System Broadcast  Event notifications sent by the system  Some can only be sent by the system  Receivers become accessible to all applications when listening for system broadcast 32

33. System Broadcast 33 Component App 1 Handles Action: BootCompleted Component App 2 Handles Action: BootCompleted Component App 3 Handles Action: BootCompleted System Notifier Action: BootCompleted

34. System Intent Spoofing: Failed Attack 34 Handles Action: BootCompleted Malicious Component Malicious App Action: BootCompleted Component App 1

35. System Intent Spoofing: Successful Attack 35 Handles Action: BootCompleted Malicious Component Malicious App Component App 1 To: App1.Component

36. Real World Example: ICE App  ICE App: Allows doctors access to medical information on phones  Contains a component that listens for the BootCompleted system broadcast  On receipt of the Intent, it exits the application and locks the screen 36

37. Real World Example: ICE 37

38. ComDroid

39.  Disassemble application DEX files using Dedexer tool Dedexer  Parses the disassembled output and logs potential component and Intent vulnerabilities

40. ComDroid

41.  Permission  Normal and Dangerous  Intent Analysis  Intents, IntentFilters, registers, sinks (e.g., sendBroadcast(), startActivity(), etc.) and components

42. ComDroid  Intent  Whether it has been made explicit  Whether it has an action  Whether it has any flags set  Whether it has any extra data  Sinks  Implicit or not?

43. ComDroid  Component Analysis  Public or not?  Main, launching Activity is public but is less likely to be attackable  registerReceiver()  With data / without data  System broadcast  Intent.getAction()  Misuse

44. ComDroid  Limitation and discussion  Do not distinguish between paths through if and switch statements  False negatives  Pending Intent  Future work

45. Evaluation