Towards Dynamically Monitoring Android Applications on Non-rooted Devices in the Wild

Tang, Xiaoxiao; Lin, Yan; Wu, Daoyuan; Gao, Debin

doi:10.1145/3212480.3212504

Cited by 11 publications

(5 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By deploying NetMon to Google Play for a crowdsourcing study, we are among the first in this line of research. Other related works include Netalyzr [75] for studying middleboxes in cellular networks, FBS-Radar [56] for uncovering fake base stations in the wild, UpDroid [74] for monitoring sensitive API behaviors on nonrooted devices, and Haystack [69] for detecting mobile apps' privacy leakage via on-device app traffic analysis [80].…”

Section: Related Workmentioning

confidence: 99%

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Wu¹,

Gao²,

Chang³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Open TCP/UDP ports are traditionally used by servers to provide application services, but they are also found in many Android apps. In this paper, we present the first openport analysis pipeline, covering the discovery, diagnosis, and security assessment, to systematically understand open ports in Android apps and their threats. We design and deploy a novel ondevice crowdsourcing app and its server-side analytic engine to continuously monitor open ports in the wild. Over a period of ten months, we have collected over 40 million port monitoring records from 3,293 users in 136 countries worldwide, which allow us to observe the actual execution of open ports in 925 popular apps and 725 built-in system apps. The crowdsourcing also provides us a more accurate view of the pervasiveness of open ports in Android apps at 15.3%, much higher than the previous estimation of 6.8%. We also develop a new static diagnostic tool to reveal that 61.8% of the open-port apps are solely due to embedded SDKs, and 20.7% suffer from insecure API usages. Finally, we perform three security assessments of open ports: (i) vulnerability analysis revealing five vulnerability patterns in open ports of popular apps, e.g., Instagram, Samsung Gear, Skype, and the widely-embedded Facebook SDK, (ii) inter-device connectivity measurement in 224 cellular networks and 2,181 WiFi networks through crowdsourced network scans, and (iii) experimental demonstration of effective denial-of-service attacks against mobile open ports.

show abstract

Section: Related Workmentioning

confidence: 99%

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Wu¹,

Gao²,

Chang³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…In our analysis, for the first time in the literature, we find that non-movable interrupts, such as softirqs and rescheduling interrupts, play an important role in leaking application information. This finding is important as nearly all prior work studying interruptbased side channels [43,68] focuses on movable interrupts such as graphics and network interrupts. Linux provides convenient interfaces to block information leakage due to movable interrupts by isolating them from potential attackers.…”

Section: Introductionmentioning

confidence: 89%

“…In Linux, all reported interrupts are counted by the kernel and logged in the system file /proc/interrupts, which can be accessed by any process. Several attacks exploit such statistical information to monitor application activities [68], monitor keystroke timings and user behaviors on touch screens [15], and detect website content [48]. Fortunately, these attacks are easy to mitigate as one could simply disable non-privileged access to the interrupt pseudo-file.…”

Section: Related Work 71 Interrupt-related Attacksmentioning

confidence: 99%

There's always a bigger fish

Cook¹,

Drean²,

Behrens³

et al. 2022

Proceedings of the 49th Annual International Symposium on Computer Architecture

View full text Add to dashboard Cite

Machine learning has made it possible to mount powerful attacks through side channels that have traditionally been seen as challenging to exploit. However, due to the black-box nature of machine learning models, these attacks are often difficult to interpret correctly. Models that detect correlations cannot be used to prove causality or understand an attack's various sources of information leakage.In this paper, we show that a state-of-the-art website-fingerprinting attack powered by machine learning was only partially analyzed. In this attack, an attacker collects cache-sweeping traces, which measure the frequency at which the entire last-level cache can be accessed over time, while a victim loads a website. A neural network is then trained on these traces to predict websites accessed by the victim. The attack's usage of the cache led to a consensus that the attack exploited a cache-based side channel. However, we provide additional analysis contradicting this assumption and clarifying the mechanisms behind this powerful attack.We first replicate the website-fingerprinting attack without making any cache accesses, demonstrating that memory accesses are not crucial to the attack's success and may even inhibit its performance. We then search for the primary source of information leakage in our new attack by analyzing the effects of various isolation mechanisms and by instrumenting the Linux kernel. We ultimately find that this attack's success can be attributed primarily to system interrupts. Finally, we use this analysis to craft highly practical and effective defense mechanisms against our attack. CCS CONCEPTS• Security and privacy → Side-channel analysis and countermeasures; • Computing methodologies → Supervised learning by classification.

show abstract

“…Our on-device fuzzing in Sect. 4.1 is related to the general Android dynamic testing [44][45][46][47][48]. For example, SMV-Hunter [44] and FileCross [45] leveraged Android adb commands to dynamically test Android apps' security vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

“…AppIntent [46], further instrumented Android operating system for the effective dynamic testing of Android apps. Two crowdsourcing apps, UpDroid [47] and NetMon [48], were recently proposed to leverage crowds' user interaction for dynamic app tests in the wild. Besides general Android dynamic testing, the closest work to our Intent fuzzing is Intent-Fuzzer [49], which also leveraged Drozer for Intent fuzzing.…”

Section: Related Workmentioning

confidence: 99%

Understanding Android VoIP Security: A System-Level Vulnerability Assessment

En¹,

Deng

2020

Detection of Intrusions and Malware, and Vulnerability Assessment

Self Cite

View full text Add to dashboard Cite

VoIP is a class of new technologies that deliver voice calls over the packet-switched networks, which surpasses the legacy circuitswitched telecom telephony. Android provides the native support of VoIP, including the recent VoLTE and VoWiFi standards. While prior works have analyzed the weaknesses of VoIP network infrastructure and the privacy concerns of third-party VoIP apps, no efforts were attempted to investigate the (in)security of Android's VoIP integration at the system level. In this paper, we first demystify Android VoIP's protocol stack and all its four attack surfaces. We then propose a novel vulnerability assessment approach that assembles on-device Intent/API fuzzing, networkside packet fuzzing, and targeted code auditing. By testing Android from version 7.0 to the recent 9.0, we have discovered 8 zero-day Android VoIP vulnerabilities, all of which were confirmed by Google with bug bounty awards. The security consequences are serious, including denying voice calls, caller ID spoofing, unauthorized call operations, and remote code execution. To mitigate these vulnerabilities and further improve Android VoIP security, we uncover a new root cause that requires developers' attention during their design and implementation.

show abstract

Towards Dynamically Monitoring Android Applications on Non-rooted Devices in the Wild

Cited by 11 publications

References 24 publications

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

There's always a bigger fish

Understanding Android VoIP Security: A System-Level Vulnerability Assessment

Contact Info

Product

Resources

About