Detecting Passive Content Leaks and Pollution in Android Applications.
作者: Xuxian Jiang , Yajin Zhou
DOI:
关键词:
摘要: In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These are rooted an unprotected component, i.e., content provider, inside vulnerable apps. Because of the lack necessary access control enforcement, affected apps can be exploited to either passively disclose various types private in-app data or inadvertently manipulate certain security-sensitive settings configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls SMS messages). To assess prevalence these vulnerabilities, analyze 62, 519 collected February 2012 from markets. Our results show among apps, 1, 279 (2.0%) 871 (1.4%) them susceptible respectively. addition, find 435 (0.7%) 398 (0.6%) accessible official Google Play some extremely popular with more than 10, 000, 000 installs. The a large number markets as well variety for leaks manipulation reflect severity vulnerabilities. address them, also explore examine possible mitigation solutions.
yajin.org 
ndss-symposium.org 参考文章(36)
Yajin Zhou, Xinwen Zhang, Xuxian Jiang, Vincent W. Freeh, Taming information-stealing smartphone applications (on Android) trust and trustworthy computing. pp. 93- 107 ,(2011) , 10.1007/978-3-642-21599-5_7
Damien Octeau, William Enck, Patrick McDaniel, Swarat Chaudhuri, A study of android application security usenix security symposium. pp. 21- 21 ,(2011)
Shashi Shekhar, Michael Dietz, Dan S. Wallach, AdSplit: separating smartphone advertising from applications usenix security symposium. pp. 28- 28 ,(2012)
David Brumley, Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, AEG: Automatic Exploit Generation network and distributed system security symposium. ,(2011) , 10.1184/R1/6468296.V1
Ross Anderson, Hassen Saïdi, Rubin Xu, Aurasium: practical policy enforcement for Android applications usenix security symposium. pp. 27- 27 ,(2012)
Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna, PiOS : Detecting privacy leaks in iOS applications network and distributed system security symposium. ,(2011)
Shashi Shekhar, Michael Dietz, Anhei Shu, Dan S. Wallach, Yuliy Pisetsky, Quire: lightweight provenance for smart phone operating systems usenix security symposium. pp. 23- 23 ,(2011)
Cristian Cadar, Daniel Dunbar, Dawson Engler, KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs operating systems design and implementation. pp. 209- 224 ,(2008) , 10.5555/1855741.1855756
David Brumley, James Newsome, Dawn Song, Sting: An End-to-End Self-Healing System for Defending against Internet Worms Advances in Information Security. pp. 147- 170 ,(2007) , 10.1007/978-0-387-44599-1_7
Lok Kwong Yan, Heng Yin, DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis usenix security symposium. pp. 29- 29 ,(2012)