SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications

01/13/2018
by   Daoyuan Wu, et al.
0

Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3 code) and nearly no slowdown to normal intra-app communications. The worst-case performance overhead to stop attacks is about 5

READ FULL TEXT

page 1

page 2

page 3

page 4

research
01/14/2019

Peel the onion: Recognition of Android apps behind the Tor Network

In this work we show that Tor is vulnerable to app deanonymization attac...
research
04/12/2018

Analysing Use of High Privileges in Android Applications

The number of Android smartphone and tablet users has experienced a rapi...
research
10/20/2020

Mascara: A Novel Attack Leveraging Android Virtualization

Android virtualization enables an app to create a virtual environment, i...
research
03/06/2021

Fine with "1234"? An Analysis of SMS One-Time Password Randomness in Android Apps

A fundamental premise of SMS One-Time Password (OTP) is that the used ps...
research
11/16/2021

NatiDroid: Cross-Language Android Permission Specification

The Android system manages access to sensitive APIs by permission enforc...
research
02/23/2022

AirGuard – Protecting Android Users From Stalking Attacks By Apple Find My Devices

Finder networks in general, and Apple's Find My network in particular, c...
research
06/23/2020

SIAT: A Systematic Inter-Component Communication Analysis Technology for Detecting Threats on Android

In this paper, we present the design and implementation of a Systematic ...

Please sign up or login with your details

Forgot password? Click here to reset