Analyzing inter-application communication in Android

Authors: Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner

DOI: 10.1145/1999995.2000018

Keywords: Open system (computing), Application security, Open API, Reuse, Android (operating system), Attack surface, Computer security, Message passing, End user, Computer science

Abstract: Modern smartphone operating systems support the development of third-party applications with open system APIs. In addition to an API, Android also provides a rich inter-application message passing system. This encourages collaboration and reduces developer burden by facilitating component reuse. Unfortunately, message passing is also an application attack surface. The content of messages can be sniffed, modified, stolen, or replaced, which can compromise user privacy. Also, a malicious application can inject forged or otherwise malicious messages, which can lead to breaches of user data and violate application security policies. We examine Android application interaction and identify security risks in application components. We provide a tool, ComDroid, that detects application communication vulnerabilities. ComDroid can be used by developers to analyze their own applications before release, by application reviewers to analyze applications in the Android Market, and by end users. We analyzed 20 applications with the help of ComDroid and found 34 exploitable vulnerabilities; 12 of the 20 applications have at least one vulnerability.
