Elsevier

Computers & Security

Volume 70, September 2017, Pages 392-421
Computers & Security

Android inter-app communication threats and detection techniques

https://doi.org/10.1016/j.cose.2017.07.002Get rights and content

Abstract

With the digital breakthrough, smart phones have become very essential component for many routine tasks like shopping, paying bills, transferring money, instant messaging, emails etc. Mobile devices are very attractive attack surface for cyber thieves as they hold personal details (accounts, locations, contacts, photos) and have potential capabilities for eavesdropping (with cameras/microphone, wireless connections). Android, being the most popular, is the target of malicious hackers who are trying to use Android app as a tool to break into and control device. Android malware authors use many anti-analysis techniques to hide from analysis tools. Academic researchers and commercial anti-malware companies are putting great effort to detect such malicious apps. They are making use of the combinations of static, dynamic and behavior-based analysis techniques.

Despite of all the security mechanisms provided by Android, apps can carry out malicious actions through inter-app communication. One such inter-app communication threats is collusion. In collusion, malicious functionality is divided across multiple apps. Each participating app accomplishes its part and communicate information to another app through Inter Component Communication (ICC). ICC does not require any special permissions. Also there is no compulsion to inform user about the communication. Each participating app needs to request a minimal set of privileges, which may make it appear benign to current state-of-the-art techniques that analyze one app at a time.

There are many surveys on app analysis techniques in Android; however they focus on single-app analysis. This survey highlights several inter-app communication threats, in particular collusion among multiple-apps. In this paper, we present Android vulnerabilities that may be exploited for carrying privilege escalation attacks, privacy leakage and collusion attacks. We cover the existing threat analysis, scenarios, and a detailed comparison of tools for intra- and inter-app analysis. To the best of our knowledge this is the first survey on inter-app communication threats, app collusion and state-of-the-art detection tools in Android.

Introduction

Nowadays, mobile devices such as smartphones, are widely used for social networking, online shopping, banking, etc. Mobile applications are increasingly playing an essential role in our daily life, making the safety guards in mobile operating systems an important concern for researchers and practitioners. Android is the most popular mobile operating system, with 84% of the worldwide smartphone sales to end users in first quarter of 2016 (IDCReport), and over 50 billion app downloads so far. The large popularity of Android and its open nature made it a primary target of hackers who are now developing malicious apps at an industrial scale (Bugiel et al, 2011, Dietz et al, 2011, Elish et al, 2015, Enck, 2011, Enck et al, 2014, Li et al, 2015a, Lu et al, 2012, Shekhar et al, 2012).

An Android app consists of components and uses a special interaction mechanism to perform Inter-Component Communication (ICC). ICC enables modular design and reuse of functionality across apps and app components. In Android, ICC communication model is implemented as a message-passing system, where messages are encapsulated as Intent objects. Through Intents, an app (or app component) can utilize functionality exposed by another app (or app component), e.g., by passing a message to the browser to render content or to a navigation app to display a location and provide directions to it. This light communication model has been used by developers to design rich application scenarios by reusing existing functionality. Unfortunately, because many Android developers have limited expertise in security, the ICC mechanism has brought a number of vulnerabilities (Chin et al, 2011, Enck et al, 2014, Felt et al, 2011, Li et al, 2015a, Sbirlea et al, 2013, Schlegel et al, 2011). Some of the ICC vulnerabilities viz. Activity hijacking vulnerability (where a malicious Activity is launched in place of the intended Activity), Intent spoofing vulnerability (where a malicious app sends Intents to an exported component which originally does not expect Intents from that app) etc.

Different research efforts have investigated weaknesses from various perspectives (Bhandari et al, 2016, Bosu et al, 2017, Chen et al, 2017, Li et al, 2015b, Liu et al, 2017, Ravitch et al, 2014, Sadeghi et al, 2015), including detection of information leaks, analysis of the least-privilege principle, and enhancements to Android protection mechanisms. Despite the significant progress, such security techniques are substantially intended to detect and mitigate vulnerabilities in a single app (Arp et al, 2014, Bhandari et al, 2015, Chin et al, 2011, Gordon et al, 2015, Wei et al, 2014), but fail to identify vulnerabilities that arise due to the interaction of multiple apps. Vulnerabilities due to the interaction of multiple apps, such as collusion attacks and privilege escalation chaining, cannot be detected by techniques that analyze a single app in isolation. Thus, there is a pressing need for security analysis techniques in such rapidly growing domains to take into account such communication vulnerabilities.

The principle of malware collusion has been recently described in a few research papers (Bagheri et al, 2015, Bosu et al, 2017, Bugiel et al, 2011, Chen et al, 2017, Fang et al, 2014, Felt et al, 2011, Liu et al, 2017, Marforio et al, 2012, Markmann et al, 2013, Schlegel et al, 2011) as the next step that malware writers may evolve into. Collusion refers to the scenario where two or more applications possibly (not necessary) developed by the same developer, interact with each other to perform malicious tasks. The danger of malware collusion is that each colluding malware only needs to request a minimal set of privileges, which may make it appear benign under single-app analysis mechanisms (Bagheri et al, 2015, Bosu et al, 2017, Elish et al, 2015, Liu et al, 2017). The scenario could be think of as two utility apps one for cab booking and another is a browser app. Now cab booking app needs to access client's location and browser app needs to connect with the internet. Lets assume that both the apps are developed by same adversary and he intentionally puts a communication channel between these two apps. Whenever user invokes cab booking app, along with serving to the user, it also sends location information to the browser app. Since browser has the access to internet, it can easily send the location information of the user to any command and control (C&C) server. Malware writers have strong incentives to write colluding malware.

The wide usage of ICC calls in benign app pairs make accurate classification quite challenging (Bosu et al, 2017, Elish et al, 2015, Octeau et al, 2016). Academia and industry researchers have proposed solutions and frameworks to analyze, and detect the collusion attacks (Bagheri et al, 2015, Bhandari et al, 2016, Bhandari et al, 2017, Bosu et al, 2017, Bugiel et al, 2011, Chen et al, 2017, Klieber et al, 2014, Li et al, 2015a, Li et al, 2015b, Liu et al, 2017, Ravitch et al, 2014). Some of these are even available as open-source as (Bosu et al, 2017, Klieber et al, 2014, Li et al, 2015a, Li et al, 2015b). The solutions can be characterized using three broad types of analysis: Static analysis, dynamic analysis and policy enforcement based analysis.

In (Bosu et al., 2017), authors propose a tool named DIALDroid, as the most recent state-of-the-art inter-app ICC analysis tool for large scale detection of collusion and privilege escalation. They also provide the first inter-app collusion real-apps benchmark of 30 apps. Till now, this is the most efficient tool available in the literature for inter-app vulnerability detection. MR-Droid (Liu et al., 2017) aims to detect inter-app communication threats specifically intent hijacking, intent spoofing and collusion. It proposes a MapReduce based framework to scale up compositional app analysis. DidFail (Klieber et al., 2014) is another state-of-the-art to detect intra-component and inter-component information flow in a set of apps. In (Bugiel et al., 2011), authors propose XMandroid, that is the first approach for detecting collusion attacks in Android platforms. It claims to identify privilege escalation in case of pending intents and transmission channels between dynamically built components such as broadcast receivers. FUSE (Ravitch et al., 2014) is a tool that starts by single-app static analysis accompanied with lint tool to mitigate limitations of static analysis followed by multi-app information flow analysis. IccTA (Li et al., 2015b) is a static taint analyzer to detect privacy leaks between components in Android apps. If combined with APKCombiner (Li et al., 2015a), it can also detect inter-app leakage paths.

This survey paper aims to present a general review about inter-app communication threats in particular, collusion attacks in Android framework. It provides a better understanding of the key research challenges. We present an abstract definition of collusion and highlight its origin. Along the way, we cover the Android model, the communication and permission model of Android and the main vulnerabilities that lead to a possible collusion attack. We also cover the existing threat analysis and a detailed comparison of techniques for intra and inter-app analysis. This review gives an insight into the strengths and shortcomings of the known tools and provides a clear comparison for the researchers between these tools. Finally, we present an insight into our future research directions.

This survey paper is organized as follows. Section 2 presents Android model. In Section 3, we present the Inter Process Communication (IPC) model as one of the key features of programming model in Android. Then, in Section 4, we present Android security risks. In Section 5, we elaborate collusion by providing a formal definition and cases where collusion attack is possible followed by the main challenges to detect collusion attack. In Section 6, we review the inter application analysis. Section 7 recalls state-of-art approaches, a thorough comparison between them for collusion detection and lessons learned. In Section 8, we conclude the paper and we present an insight into our future research directions.

Section snippets

Android

Android is developed under the Android Open Source Project (AOSP), promoted by the Open Handset Alliance (OHA) and maintained by Google (Wikipedia). Android is developed on top of Linux kernel due to its robust driver model, efficient memory, process management, and networking support for the core services. Linux Kernel is customized specifically for the embedded environment consisting of limited resources.

Android apps are written in java; however, the native code and shared libraries are

Inter-component communication

Inter Process Communication (IPC) is known as Inter Component Communication (ICC) in Android (Enck et al., 2009). It is the key feature of Android programming model. It allows a component of an application to access user's data and can transfer it to another component of same or other application within the same device, or to an external server. ICC helps to eliminate duplication of functionality in different applications. Developers can leverage data and services provided by other

Android security risks and consequences

Android ensures security through its sandbox model, application signing and the permission model for managing IPC effectively and efficiently. In spite of these measures, Android is vulnerable to many security risks. According to the recent OWASP mobile security report (Google, 2016), out of 91 reported security risks, 85 are recorded to be present in Android. This makes Android security a serious concern. These risks are outcome of either maliciously exploiting the legitimate procedures

Collusion

The Android security model is designed to protect data, applications and devices from security threats. It is guarding apps by combining app signing, sandboxing, and permissions. Unfortunately, these restrictions can be bypassed by colluding apps. The combined permission of these apps allow them to carry out attack, that could not be possible by a single app. Let us consider the following example where a collusion consists of one app permitted to access some personal data, and this app passes

Inter-application analysis

This Section discusses the main defense techniques for inter-app analysis: static, dynamic and policy based.

State-of-the-art approaches

In the following Section, we present different experimental approaches for the detection of intra and inter-application communication vulnerabilities.

Conclusions

Android is a modern operating system for smartphones with expanding market share. The main security mechanisms of Android are application sandboxing, application signing, and a permission framework to control access to (sensitive) resources. Android's security framework exhibits serious shortcomings: The burden of approving application permissions is delegated to the end-user who in general does not care much about the impact of prompted permissions on his privacy and security. Hence, malware

Acknowledgments

This study has been carried out with financial support from the Department of Information Technology, Government of India Project Grant 1000109932 “Security Analysis Framework for Android Platform” and the French National Research Agency (ANR) of the French State in the frame of the “Investments for the future” Programme IdEx Bordeaux – CPU (ANR-10-IDEX-03-02).

Shweta Bhandari received the Masters of Technology degree in computer science from the Devi Ahilya University, Indore, in 2013. She is currently pursuing Ph.D. in the Department of Computer Science and Engineering, MNIT Jaipur under the supervision of Prof. Manoj Singh Gaur, Indian Institute of Technology Jammu and Dr. Akka Zemmari, University of Bordeaux, Talence, France. Her main research interest is in the area of security and privacy, with a special emphasis on security in Android.

References (121)

  • D. Arp et al.

    Drebin: effective and explainable detection of android malware in your pocket

  • S. Arzt et al.

    Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps

  • I.M. Asavoae et al.

    Towards automated android app collusion detection

  • K.W.Y. Au et al.

    Pscout: analyzing the android permission specification

  • G.S. Babil et al.

    On the effectiveness of dynamic taint analysis for protecting against private information leaks on android-based devices

  • M. Backes et al.

    Android security framework: enabling generic and extensible access control on android

    (2014)
  • H. Bagheri et al.

    Covert: compositional analysis of android inter-app permission leakage

    IEEE TransSoftw Eng

    (2015)
  • D. Barrera et al.

    A methodology for empirical analysis of permission-based security models and its application to android

  • D. Barrera et al.

    Understanding and improving app installation security mechanisms through empirical analysis of android

  • A. Bartel et al.

    Automatically securing permission-based software by reducing the attack surface: an application to android

  • A. Bartel et al.

    Dexpler: converting android dalvik bytecode to jimple for static analysis with soot

  • S. Bhandari et al.

    Draco: droid analyst combo an android malware analysis framework

  • S. Bhandari et al.

    Intersection automata based model for android application collusion

  • S. Bhandari et al.

    Poster: detecting inter-app information leakage paths

  • A. Bhavani

    Cross-site scripting attacks on android webview

    Int J Comput Sci Netw

    (2013)
  • T. Book et al.

    A case of collusion: a study of the interface between ad libraries and their apps

  • A. Bosu et al.

    Collusive data leak and more: large-scale threat analysis of inter-app communications

  • S. Bugiel et al.

    Xmandroid: a new android evolution to mitigate privilege escalation attacks

    (2011)
  • S. Bugiel et al.

    Practical and lightweight domain isolation on android

  • S. Bugiel et al.

    Towards taming privilege-escalation attacks on android

  • S. Bugiel et al.

    Flexible and fine-grained mandatory access control on android for diverse security and privacy policies

  • D. Callahan

    The program summary graph and flow-sensitive interprocedual data flow analysis

  • D. Ceara et al.

    Detecting software vulnerabilities-static taint analysis

    (2009)
  • ChenH. et al.

    Toward detecting collusive ranking manipulation attackers in mobile app markets

  • ChenQ.A. et al.

    Peeking into your app without actually seeing it: ui state inference and novel android attacks

  • E. Chin et al.

    Analyzing inter-application communication in android

  • J. Clarke-Salt

    SQL injection attacks and defense

    (2009)
  • Contagio Minidump
  • M. Conti et al.

    Crepe: context-related policy enforcement for android

  • V. Costamagna et al.

    Artdroid: a virtual-method hooking framework on android art runtime

  • M. Das et al.

    Esp: path-sensitive program verification in polynomial time

  • L. De Moura et al.

    Z3: an efficient smt solver

  • Dedexer
  • M. Dietz et al.

    Quire: lightweight provenance for smart phone operating systems

  • A. Egners et al.

    Messing with android's permission model

  • K.O. Elish et al.

    User-centric dependence analysis for identifying malicious mobile apps

  • K.O. Elish et al.

    On the need of precise inter-app icc classificationfor detecting android malware collusions

  • K.O.M. Elish

    User-intention based program analysis for android security

    (2015)
  • W. Enck

    Defending users against smartphone apps: techniques and future directions

  • W. Enck et al.

    Mitigating android software misuse before it happens

    (2008)
  • Cited by (0)

    Shweta Bhandari received the Masters of Technology degree in computer science from the Devi Ahilya University, Indore, in 2013. She is currently pursuing Ph.D. in the Department of Computer Science and Engineering, MNIT Jaipur under the supervision of Prof. Manoj Singh Gaur, Indian Institute of Technology Jammu and Dr. Akka Zemmari, University of Bordeaux, Talence, France. Her main research interest is in the area of security and privacy, with a special emphasis on security in Android.

    Wafa Ben Jaballah is a security researcher at Thales Group, France. She received her Ph.D. degree from the University of Bordeaux. Before joining Thales, she held a research position at Orange Labs. She was also a Post-Doc Researcher at the University of Bordeaux, France. Her main research interest is in the area of IoT security and network security. She has been a Visiting Researcher at the University of Padua (2012–2017).

    Vineeta Jain received the Masters of Technology degree in computer science from the Maulana Azad National Institute of Technology Bhopal, in 2013. She is currently pursuing Ph.D. in the Department of Computer Science and Engineering, MNIT Jaipur, under the supervision of Prof. Manoj Singh Gaur, Indian Institute of Technology Jammu and Prof. Mohamed Mosbah from the University of Bordeaux, Talence, France. Her research interests include the area of security and privacy, with a special emphasis on security in Android.

    Dr. Vijay Laxmi received her Master's in Computer Science and Engg. from Indian Institute of Technology Delhi and Ph.D. from University of Southampton, UK. She has been a faculty in Department of Computer Science and Engineering, Malaviya National Institute of Technology Jaipur, India. Her research interests include Information security, Malware analysis, Security and QoS provisioning in wireless Networks.

    Dr. Akka Zemmari has received his Ph.D. degree from the University of Bordeaux, France, in 2000. He is an associate professor in computer science since 2001 at University of Bordeaux, France. His research interests include distributed algorithms and systems, graphs, randomized algorithms, machine learning and security.

    Prof. Manoj Singh Gaur completed his Master's degree in Computer Science and Engineering from Indian Institute of Science Bangalore, India and Ph.D. from University of Southampton, UK. Prof. Gaur has been a faculty in Department of Computer Science and Engineering, Malaviya National Institute of Technology Jaipur, India and currently Director, IIT Jammu. His research areas include Networks-on-Chip, Computer and network security, Multimedia streaming in wireless networks.

    Mohamed Mosbah is a full Professor in computer science at the Polytechnic Institute of Bordeaux, France. He obtained his Ph.D. from the University of Bordeaux, in 1993. He carries his research in LaBRI, a research Laboratory in computer science common with the University of Bordeaux and CNRS, where he is currently the Deputy Director. His research interests include distributed algorithms and systems, formal models, security, and ad hoc and sensor networks. He participated in several national and European research projects, including collaborations with industry.

    Mauro Conti is an Associate Professor at the University of Padua, Italy. He obtained his Ph.D. from Sapienza University of Rome, Italy, in 2009. After his Ph.D., he was a Post-Doc Researcher at Vrije University Amsterdam, Netherlands. He has been Visiting Researcher at GMU (2008), UCLA (2010), UCI (2012, 2013, 2014, and 2017), and TU Darmstadt (2013). He has been awarded with a Marie Curie Fellowship (2012) by the European Commission, and with a Fellowship by the German DAAD (2013). His main research interest is in the area of security and privacy. He is Senior Member of the IEEE.

    View full text