Dragos Sbirlea, Automatic detection of inter-application permission leaks in Android applications

Slides

The Android operating system builds upon already well-established permission systems but complements them by allowing application components to be reused within and across applications through a single communication mechanism, called the Intent mechanism. In this paper, we describe techniques that we developed for statically detecting Android application vulnerability to attacks that obtain unauthorized access to permission-protected information. We address three kinds of such attacks, known as confused deputy, permission collusion, and Intent spoofing. We show that application vulnerability to these attacks can be detected using taint analysis. Based on this technique, we developed PermissionFlow, a tool for discovering vulnerabilities in the byte code and configuration of Android applications.

To enable PermissionFlow analysis, we developed a static technique for automatic identification of permission-protected information sources in permission-based systems. This technique identifies application programming interfaces (APIs) whose execution leads to permission checking and considers these APIs to be sources of taint. Based on this approach, we developed Permission Mapper, a component of PermissionFlow that improves on previous work by performing fully automatic identification of such APIs for Android Java code.
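The two stages described above (Permission Mapper identifying permission-protected APIs, then taint analysis from those sources to inter-component sinks) as an added toy model in Python; this is illustrative code, not the paper's PermissionFlow implementation, and the framework call graph, permission-check methods, ICC sinks and component body are all constructed by hand rather than recovered from Android bytecode.

```python
# Added toy model of the abstract's two analysis stages (not the paper's tool):
# stage 1 marks a framework API as a taint source when a permission check is reachable
# from it; stage 2 propagates taint through a component body to ICC sinks.  Constructed data.

# Constructed framework call graph: method -> callees.
FRAMEWORK_CALLS = {
    "TelephonyManager.getDeviceId": ["TelephonyManager.getDeviceIdInternal"],
    "TelephonyManager.getDeviceIdInternal": ["Context.enforceCallingPermission"],
    "LocationManager.getLastKnownLocation": ["Context.checkCallingPermission"],
    "Settings.getString": ["SettingsProvider.query"],   # no permission check reachable
}
PERMISSION_CHECKS = {"Context.enforceCallingPermission", "Context.checkCallingPermission"}
ICC_SINKS = {"Context.sendBroadcast", "Context.startActivity", "Context.startService"}

def permission_mapper(calls, checks):
    """Stage 1: the set of APIs from which some permission check is reachable."""
    def reaches_check(m, seen):
        if m in checks:
            return True
        seen.add(m)
        return any(c not in seen and reaches_check(c, seen) for c in calls.get(m, []))
    return {api for api in calls if reaches_check(api, set())}

def permission_flow(statements, sources):
    """Stage 2: forward taint over (target, callee, args) statements; returns (source, sink) pairs."""
    tainted, leaks = {}, []
    for target, callee, args in statements:
        origins = set().union(*(tainted.get(a, set()) for a in args))
        if callee in sources:
            origins.add(callee)           # permission-protected data enters here
        if callee in ICC_SINKS:
            leaks += [(src, callee) for src in sorted(origins)]
        if target:
            tainted[target] = origins     # result (or mutated receiver) carries the taint
    return leaks

# Constructed body of a component holding READ_PHONE_STATE that re-broadcasts the
# device id without requiring a receiver permission: a confused-deputy style leak.
LEAKY_COMPONENT = [
    ("id",  "TelephonyManager.getDeviceId", []),
    ("cfg", "Settings.getString", []),           # not permission-protected: untainted
    ("i",   "Intent.<init>", []),
    ("i",   "Intent.putExtra", ["i", "id"]),     # taint flows into the Intent
    ("i",   "Intent.putExtra", ["i", "cfg"]),
    (None,  "Context.sendBroadcast", ["i"]),     # ICC sink: data leaves the application
]

def analyse(component):
    return permission_flow(component, permission_mapper(FRAMEWORK_CALLS, PERMISSION_CHECKS))
```

Running `analyse(LEAKY_COMPONENT)` reports the flow from `TelephonyManager.getDeviceId` to `Context.sendBroadcast`, while the untainted `Settings.getString` value reaching the same sink produces nothing.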

Our automated analysis of popular applications found that 56% of the 313 most popular Android applications actively use inter-component information flows. Among the tested applications, PermissionFlow found four exploitable vulnerabilities. By helping to ensure the absence of inter-application permission leaks, we believe that the proposed analysis will be highly beneficial to the Android ecosystem and to other mobile platforms that may use similar analyses in the future.