Vulnerable Implicit Service

Lei, Lingguang; He, Yi; Sun, Kun; Jing, Jiwu; Wang, Yuewu; Li, Qi; Weng, Jian

doi:10.1145/3133956.3133975

Cited by 7 publications

(6 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this context Tuncay et al [58] found that the coexistence of certain app permissions can lead to unintentional loss of privacy. Our focus also differs from the goal of tools like DroidSafe [22] and ISA [25].…”

Section: Android App Analysismentioning

confidence: 99%

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Zimmeck

Story

Smullen

et al. 2019

Proceedings on Privacy Enhancing Technologies

124

141

View full text Add to dashboard Cite

The app economy is largely reliant on data collection as its primary revenue model. To comply with legal requirements, app developers are often obligated to notify users of their privacy practices in privacy policies. However, prior research has suggested that many developers are not accurately disclosing their apps’ privacy practices. Evaluating discrepancies between apps’ code and privacy policies enables the identification of potential compliance issues. In this study, we introduce the Mobile App Privacy System (MAPS) for conducting an extensive privacy census of Android apps. We designed a pipeline for retrieving and analyzing large app populations based on code analysis and machine learning techniques. In its first application, we conduct a privacy evaluation for a set of 1,035,853 Android apps from the Google Play Store. We find broad evidence of potential non-compliance. Many apps do not have a privacy policy to begin with. Policies that do exist are often silent on the practices performed by apps. For example, 12.1% of apps have at least one location-related potential compliance issue. We hope that our extensive analysis will motivate app stores, government regulators, and app developers to more effectively review apps for potential compliance issues.

show abstract

Section: Android App Analysismentioning

confidence: 99%

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Zimmeck

Story

Smullen

et al. 2019

Proceedings on Privacy Enhancing Technologies

124

141

View full text Add to dashboard Cite

show abstract

“…ICC category includes vulnerabilities originating due to the weak validation of Intents, PendingIntents, Services, Broadcasts (Simple, Ordered, and Sticky Broadcast), and Path Permissions. These features may be attacked in two different ways: (1) Spoofing attacks [11] and (2) Hijacking attacks [12]. Spoofing attack facilitates unintended invocation and occurs when a component registers an intent-filter but does not validate the identity of the sender or data provided by the sender.…”

Section: Icc Vulnerabilitiesmentioning

confidence: 99%

“…As shown in Listing 11, the component DownloadService obtains FILENAME through Intent (line 2). It reads the data from specified file (lines 4-10) present in internal storage and further copies this data to external storage (lines [12][13][14]. A taint analysis-based solution will mark this as vulnerable considering flow from getStringExtra (source) to OutputStream.write (Sink).…”

Section: Fp-validation (False Positive Validation)mentioning

confidence: 99%

“…A good discussion on detection and exploitation of Intent message vulnerabilities using taint analysis is presented in Reference [58]. Lei et al [12] worked on vulnerabilities owing to invocation of services through implicit Intents. Android forbids implicit service invocations since version 5.0, however, the authors show that latest Play Store apps were still using implicit Intents.…”

Section: Related Workmentioning

confidence: 99%

“…Feature Technique FPs Automated Patching FNs OpenCCE [53] API, Parameter Low ✗ High CogniCrypt [1] API, Parameter Low ✗ High Sadeghi et al [54] T A L o w ✗ High Lei et al [12] R A L o w ✗ High SEALANT [2] DFA, Pattern Matching High ✗ High AppSealer [25] TA High ✓ High MAS [30] A P I H i g h ✗ High CHEX [55] D F A H i g h ✗ High SMV-HUNTER [56] Hybrid Low ✗ High Androbugs [29] Based on Androguard Average ✗ High JAADS [33] TA High ✗ High AndroidLint [57] XML Parsing High ✗ High Vulvet…”

Section: Frameworkmentioning

confidence: 99%

See 2 more Smart Citations

Vulvet

et al. 2020

View full text Add to dashboard Cite

Data security and privacy of Android users is one of the challenging security problems addressed by the security research community. A major source of the security vulnerabilities in Android apps is attributed to bugs within source code, insecure APIs, and unvalidated code before performing sensitive operations. Specifically, the major class of app vulnerabilities is related to the categories such as inter-component communication (ICC), networking, web, cryptographic APIs, storage, and runtime-permission validation. A major portion of current contributions focus on identifying a smaller subset of vulnerabilities. In addition, these methods do not discuss how to remove detected vulnerabilities from the affected code. In this work, we propose a novel vulnerability detection and patching framework, Vulvet, which employs static analysis approaches from different domains of program analysis for detection of a wide range of vulnerabilities in Android apps. We propose an additional lightweight technique, FP-Validation, to mitigate false positives in comparison to existing solutions owing to over-approximation. In addition to improved detection, Vulvet provides an automated patching of apps with safe code for each of the identified vulnerability using bytecode instrumentation. We implement Vulvet as an extension of Soot. To demonstrate the efficiency of our proposed framework, we analyzed 3,700 apps collected from various stores and benchmarks consisting of various weak implementations. Our results indicate that Vulvet is able to achieve vulnerability detection with 95.23% precision and 0.975 F-measure on benchmark apps; a significant improvement in comparison to recent works along with successful patching of identified vulnerabilities. CCS Concepts: • Security and privacy → Domain-specific security and privacy architectures;

show abstract

Scalable online vetting of Android apps for measuring declared SDK versions and their consistency with API calls

Gao

2021

Empir Software Eng

View full text Add to dashboard Cite

Vulnerable Implicit Service

Cited by 7 publications

References 21 publications

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Vulvet

Scalable online vetting of Android apps for measuring declared SDK versions and their consistency with API calls

Contact Info

Product

Resources

About