SecComp: Towards Practically Defending Against Component Hijacking in Android Applications

Authors: Daoyuan Wu, Yingjiu Li, Robert H. Deng, Debin Gao

DOI:

Keywords:

Abstract: Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings benefits such as functionality reuse and data sharing, it also introduces a threat called component hijacking. By hijacking a vulnerable component in a victim app, an attack app can escalate its privilege and perform operations that would otherwise be prohibited to it. Many prior studies have been performed to understand and mitigate this issue, but component hijacking remains a serious open problem in the Android ecosystem because no effective defense has been deployed in the wild. In this paper, we present our vision of practically defending against component hijacking in Android apps. First, we argue that to fundamentally prevent component hijacking, we need to switch from the previous mindset (i.e., performing system-level control or repackaging apps after they are already released) to a more proactive one that aims to help security-inexperienced developers build secure components in the first place. To this end, we propose to embed into apps a secure component library (SecComp), which performs in-app mandatory access control on behalf of app components. An important factor in making SecComp effective is that we find it possible to devise a set of practical in-app policies that stop component hijacking. Furthermore, we allow developers to design custom policies, beyond the by-default generic policies, to support fine-grained access control. We have overcome several challenges to implement a preliminary SecComp prototype, which stops component hijacking with very low performance overhead. We hope that future research can fully implement and eventually deploy SecComp in the real world to get rid of component hijacking.
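To make the "in-app mandatory access control on behalf of components" idea concrete, the following is an added illustrative example written for this page; it is not SecComp's own library or API. It assumes a hypothetical helper class `ComponentGuard`, a hypothetical permission name `com.example.permission.USE_GUARDED`, and an exported bound Service whose privileged entry point calls the guard before doing any work. The generic policies (same-signer, required permission, package allow-list) stand in for the "by-default generic policies" of the abstract, and `allOf` is one way a developer could compose a custom, fine-grained policy on top of them.

```java
package com.example.guard; // hypothetical package; not part of SecComp

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * ComponentGuard (illustrative, not SecComp): a component-side access check
 * that an exported Activity or bound Service invokes before performing the
 * privileged operation an attack app would otherwise hijack.
 */
public final class ComponentGuard {

    /** A policy decides whether the caller identified by (uid, package) may proceed. */
    public interface Policy {
        boolean allows(Context ctx, int callingUid, String callingPackage, Intent intent);
    }

    /** Generic policy: caller must be signed with the same certificate as this app. */
    public static Policy sameSignerOnly() {
        return (ctx, uid, pkg, intent) ->
                ctx.getPackageManager().checkSignatures(Process.myUid(), uid)
                        == PackageManager.SIGNATURE_MATCH;
    }

    /** Generic policy: every package behind the caller's UID must hold the permission. */
    public static Policy requirePermission(String permission) {
        return (ctx, uid, pkg, intent) -> {
            PackageManager pm = ctx.getPackageManager();
            String[] owners = (pkg != null) ? new String[]{pkg} : pm.getPackagesForUid(uid);
            if (owners == null) return false;
            for (String p : owners) {
                if (pm.checkPermission(permission, p) != PackageManager.PERMISSION_GRANTED) return false;
            }
            return true;
        };
    }

    /**
     * Generic policy: explicit allow-list of caller packages. The package is
     * resolved from the kernel-verified UID, never read from Intent extras,
     * because extras are attacker-controlled.
     */
    public static Policy allowPackages(String... packages) {
        Set<String> allowed = new HashSet<>(Arrays.asList(packages));
        return (ctx, uid, pkg, intent) -> {
            String[] owners = ctx.getPackageManager().getPackagesForUid(uid);
            if (owners == null) return false;
            for (String p : owners) if (allowed.contains(p)) return true;
            return false;
        };
    }

    /** Combinator so a developer can build a fine-grained custom policy from generic ones. */
    public static Policy allOf(Policy... policies) {
        return (ctx, uid, pkg, intent) -> {
            for (Policy p : policies) if (!p.allows(ctx, uid, pkg, intent)) return false;
            return true;
        };
    }

    /**
     * Enforce for a Binder transaction (bound Service / ContentProvider method).
     * Binder.getCallingUid() is only meaningful while a transaction is in
     * progress; it is supplied by the kernel and cannot be forged by the caller.
     */
    public static void enforceBinderCall(Context ctx, Policy policy, Intent intent) {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) return; // in-process caller, already trusted
        if (!policy.allows(ctx, uid, null, intent)) {
            throw new SecurityException("caller uid " + uid + " denied by in-app policy");
        }
    }

    /**
     * Enforce for an exported Activity. getCallingPackage() is set only when the
     * caller used startActivityForResult(); after a plain startActivity() it is
     * null, so a sensitive exported Activity should deny rather than guess.
     * (BroadcastReceivers get no caller identity at all; gate them with a
     * signature-level permission in the manifest instead of a runtime check.)
     */
    public static void enforceActivityStart(Activity a, Policy policy) {
        String caller = a.getCallingPackage();
        if (caller == null) throw new SecurityException("anonymous start of exported Activity denied");
        int uid;
        try {
            uid = a.getPackageManager().getApplicationInfo(caller, 0).uid;
        } catch (PackageManager.NameNotFoundException e) {
            throw new SecurityException("unknown caller " + caller);
        }
        if (!policy.allows(a, uid, caller, a.getIntent())) {
            throw new SecurityException("caller " + caller + " denied by in-app policy");
        }
    }

    /** Example composed policy; the permission name is hypothetical. */
    public static final Policy EXAMPLE_POLICY = allOf(
            sameSignerOnly(),
            requirePermission("com.example.permission.USE_GUARDED"));
    // Usage inside an AIDL stub method of an exported Service:
    //   ComponentGuard.enforceBinderCall(this, ComponentGuard.EXAMPLE_POLICY, null);
}
```

The design point is that the check runs inside the victim component, with the caller's identity taken from the system (Binder UID or the Activity's calling package) rather than from the Intent, so an attack app cannot satisfy the policy simply by crafting a convincing Intent; that is the property a developer-embedded library can provide without any change to the platform or repackaging after release.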

References (32)
William Enck, Damien Octeau, Patrick McDaniel, Swarat Chaudhuri. A study of Android application security. USENIX Security Symposium, 2011.
Sven Bugiel, Stephan Heuser, Ahmad-Reza Sadeghi. Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies. USENIX Security Symposium, pp. 131-146, 2013.
Rubin Xu, Hassen Saïdi, Ross Anderson. Aurasium: practical policy enforcement for Android applications. USENIX Security Symposium, 2012.
Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, Yves Le Traon. Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis. USENIX Security Symposium, pp. 543-558, 2013.
Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steven Hanna, Erika Chin. Permission re-delegation: attacks and defenses. USENIX Security Symposium, 2011.
Michael Backes, Sven Bugiel, Sebastian Gerling, Philipp von Styp-Rekowsky. Android Security Framework: extensible multi-layered access control on Android. Annual Computer Security Applications Conference (ACSAC), pp. 46-55, 2014. DOI: 10.1145/2664243.2664265
Wu Zhou, Yajin Zhou, Xuxian Jiang, Peng Ning. Detecting repackaged smartphone applications in third-party Android marketplaces. Proceedings of the Second ACM Conference on Data and Application Security and Privacy (CODASPY '12), pp. 317-326, 2012. DOI: 10.1145/2133601.2133640
Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, Patrick McDaniel. Composite constant propagation: application to Android inter-component communication analysis. International Conference on Software Engineering (ICSE), vol. 1, pp. 77-88, 2015. DOI: 10.5555/2818754.2818767
Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, Guofei Jiang. CHEX: statically vetting Android apps for component hijacking vulnerabilities. Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), pp. 229-240, 2012. DOI: 10.1145/2382196.2382223
Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Stephan Heuser, Ahmad-Reza Sadeghi, Bhargava Shastry. Practical and lightweight domain isolation on Android. Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM '11), pp. 51-62, 2011. DOI: 10.1145/2046614.2046624