Inter-app communication in Android

Ahmad, Waqar; Kästner, Christian; Sunshine, Joshua; Aldrich, Jonathan

doi:10.1145/2901739.2901762

Cited by 16 publications

(7 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have also contributed to improve the security of the Android ecosystem by analyzing security vulnerabilities and proposing improvements to current security models [12], [16], [17], [22], [25]- [32], [32]- [35]; however, while the focus of the academic research has been the security of the applicationsthe closest component to the user-, the core of the Android ecosystem (i.e., the Android OS) has received little attention.…”

Section: A Malware and Vulnerabilitiesmentioning

confidence: 99%

“…1) Security in Android Applications: Android malware and vulnerabilities in Android apps are characterized by a novel set of flaws that exploit user level weaknesses and the issues in security mechanisms of the Android OS. For instance, Androidspecific attacks include (i) privileges/permissions escalation through pairs of infected apps that exploit inter-application communication or misconfigured apps [10]- [12], [35], [36], (ii) applications tapjacking/hijacking by apps repackaging and substitution [26], (iii) information leaking through covert channels [37], [38], (iv) SSL vulnerabilities in hybrid [33] and native apps [32], (v) security issues introduced by third party libraries [34], and (vi) security issues introduced by OS customizations [28]. These novel attacks, in addition to classic security attacks induced by malware (e.g., DoS), have been widely studied by the community and several approaches have been proposed for their detection and mitigation, such as TaintDroid [39], COVERT [10], [11], FlowDroid [40], MudFlow [41], Chabada [42], Q-Floid [43], and AppInspector [44].…”

Section: A Malware and Vulnerabilitiesmentioning

confidence: 99%

“…As a contribution from the research community, substantial effort has been recently invested in the analysis and detection of malware and vulnerabilities at the applications level (see e.g., [10]- [12]). However, (i) few works have focused on the vulnerabilities at the OS level [13]- [17], the underlying platform on which any app runs, and (ii) most of the studies have just focused on a limited number of vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An Empirical Study on Android-Related Vulnerabilities

Linares‐Vásquez

Bavota

Escobar‐Velásquez

2017

2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)

View full text Add to dashboard Cite

Mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. For this and other reasons, mobile devices, and in particular the software that runs on them, are considered first-class citizens in the software-vulnerabilities landscape. Several studies investigated the software-vulnerabilities phenomenon in the context of mobile apps and, more in general, mobile devices. Most of these studies focused on vulnerabilities that could affect mobile apps, while just few investigated vulnerabilities affecting the underlying platform on which mobile apps run: the Operating System (OS). Also, these studies have been run on a very limited set of vulnerabilities.In this paper we present the largest study at date investigating Android-related vulnerabilities, with a specific focus on the ones affecting the Android OS. In particular, we (i) define a detailed taxonomy of the types of Android-related vulnerability; (ii) investigate the layers and subsystems from the Android OS affected by vulnerabilities; and (iii) study the survivability of vulnerabilities (i.e., the number of days between the vulnerability introduction and its fixing). Our findings could help OS and apps developers in focusing their verification & validation activities, and researchers in building vulnerability detection tools tailored for the mobile world.

show abstract

Section: A Malware and Vulnerabilitiesmentioning

confidence: 99%

Section: A Malware and Vulnerabilitiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Empirical Study on Android-Related Vulnerabilities

Linares‐Vásquez

Bavota

Escobar‐Velásquez

2017

2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR)

View full text Add to dashboard Cite

show abstract

“…In addition to securing the ICC-based communication, Shekhar et al proposed a separation of concerns to reduce the susceptibility for manipulation of Android apps, by explicitly restricting advertising frameworks [21]. Ahmad et al elaborated on problematic ICC design decisions on Android, and found that missing consistent message types and conformance checking, unpredictable message interactions, and a lack of coherent versioning could break inter-app communication and pose a severe risk [4]. They recommend a centralized message-type repository that immediately provides feedback to developers through the IDE.…”

Section: Related Workmentioning

confidence: 99%

Security code smells in Android ICC

et al. 2018

View full text Add to dashboard Cite

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

show abstract

“…The digital forensic used in criminal investigation and evidence, for example, is unproven and is highly criticised in legal proceedings [4]. Such non-rigorous specifications can cause interpretation issues, most commonly developers often choosing undocumented practices that can lead to applications vulnerable to security and privacy threats [1]. A typical consequence of misinterpreting the informal documentation may lead to a scenario where an application developer may incautiously expose a component to third party applications [23].…”

mentioning

confidence: 99%

CrashSafe: a formal model for proving crash-safety of Android applications

Khan

Ullah

Ahmad

et al. 2018

Hum. Cent. Comput. Inf. Sci.

View full text Add to dashboard Cite

IntroductionMobile devices have become an indispensable part of modern life style. Originally designed and built to facilitate remote communications such as phone calls and text messaging, mobile devices now support portable computing, context-aware communication, enhanced user interaction, and high-connectivity systems [36]. The operating system-that powers-up mobile devices-enables the execution of third party applications (apps for short) that support a variety of tasks on the go [21]. These capabilities of modern mobile devices make them smart and open up the gate for a multitude of applications that support a variety of tasks that includes but not limited to mobile commerce, health monitoring, and location querying [12]. There are thousands of mobile AbstractEach software application running on Android powered devices consists of application components that communicate with each other to support application's functionality for enhanced user experience of mobile computing. Application components inside Android system communicate with each other using inter-component communication mechanism based on messages called intents. An android application crashes if it invokes an intent that can not be received by (or resolved to) any application on the device. Application crashes represent a severe fault that relates to compromised users' experience, consequently resulting in decreased ratings, usage trends and revenues for such applications. To address this issue-by formally proving crash-safety property of Android applications-we have defined a formal model of Android inter-component communication using Coq theorem prover. The mathematical model defined in theorem prover allows one to prove the properties of inter-component communication system and check the correctness of the proof in an automated way. To demonstrate the significance of the formal model developed, we carried proof of crash-safety of Android applications using Coq tool. The proposed solution named CrashSafe supports a formal approach that enables one to (i) check the correctness of inter-component communication in Android systems and (ii) establish a formal foundation for other tools to assess Android applications' reliability and safety.

show abstract

Inter-app communication in Android

Cited by 16 publications

References 37 publications

An Empirical Study on Android-Related Vulnerabilities

An Empirical Study on Android-Related Vulnerabilities

Security code smells in Android ICC

CrashSafe: a formal model for proving crash-safety of Android applications

Contact Info

Product

Resources

About