Computer Science, 2016, Vol. 43, Issue (9): 192-196. doi: 10.11896/j.issn.1002-137X.2016.09.038

Approach of Android Applications Intent Injection Vulnerability Detection Based on Static Taint Analysis

WANG Yun-chao, WEI Qiang and WU Ze-hui   

  • Online:2018-12-01 Published:2018-12-01

Abstract: As the message carrier for inter-component communication in Android applications, an Intent can be malformed by an attacker, leading to the security risk of malicious component injection. A detection approach based on static taint analysis is presented. After building the call graph and control flow graph of an Android application, the approach tracks taint propagation within and between components to detect potential Intent injection vulnerabilities. The method was used to test four types of benchmark and fifty third-party applications, and the experimental results show the feasibility and effectiveness of the proposed approach.

Key words: Android, Static taint analysis, Call graph, Control flow graph, Intent injection vulnerability

