Analyzing inter-application communication in Android
MobiSys ’11 Proceedings of the 9th international conference on Mobile systems, applications, and services
Erika Chin, University of California, Berkeley, Berkeley, CA, USA
Adrienne Porter Felt, University of California, Berkeley, Berkeley, CA, USA
Kate Greenwood, University of California, Berkeley, Berkeley, CA, USA
David Wagner, University of California, Berkeley, Berkeley, CA, USA
This paper provides an analysis of possible security vulnerabilities that stem from the way applications pass data from one activity to another. Emphasis is placed on intent-based attacks, which are categorized as one of the following:
1. Broadcast theft: Ordered broadcasts can be exploited passively by an eavesdropping receiver, or actively as a kind of denial-of-service where the chain is broken by a malicious receiver.
2. Activity Hijacking: A malicious activity can be launched in place of a legitimate one.
3. Service Hijacking: A malicious service can be started in place of a legitimate one.
4. Special Intents: Pending intents carry permissions with them, which can be exploited by a malicious receiver.
5. Malicious Broadcast Injection: A receiver that accepts any intent without verifying the origin may operate on malicious data.
6. Malicious Activity/Service Launch: An activity/service that returns data may be launched by a malicious one, causing users to unknowingly pass sensitive data to the wrong application.
The authors developed ComDroid, which detects vulnerabilities in applications by analyzing code generated by disassembling Dalvik executable files. They scanned the top 50 applications from both the free and paid sections of the Android Market with ComDroid, and found that 57% showed signs of possible activity hijacking vulnerabilities, 14% were vulnerable to broadcast injection, and 12% were vulnerable to malicious activity launch.
Suggestions for avoiding these vulnerabilities are presented. The main argument is that intents are unsafe if used carelessly by programmers.
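The exposure behind categories 5 and 6 can be checked at the manifest level. The following is an added example, not ComDroid (which analyzes disassembled Dalvik code) and not code from the paper: it lists components that are exported without a permission guard. It assumes a manifest already decoded to plain XML; the sample manifest, the component names, the launcher exemption and the implicit-export default are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
RISK = {"activity": "malicious activity launch", "service": "malicious service launch",
        "receiver": "broadcast injection"}

# Constructed sample manifest in decoded XML form; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.constructed.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:permission="com.example.constructed.SEND">
      <intent-filter><action android:name="com.example.constructed.SYNC2"/></intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="true"/>
    <service android:name=".LocalService"/>
  </application>
</manifest>"""

def is_exported(elem):
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Assumption: with no explicit attribute, an intent filter implies exported.
    return elem.find("intent-filter") is not None

def is_launcher(elem):
    # Assumption: the launcher entry point is meant to be public, so skip it.
    return any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))

def find_exposed(manifest_xml):
    """Return (component name, risk category) for exported, unguarded components."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in app:
        guarded = elem.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        if elem.tag in RISK and is_exported(elem) and not is_launcher(elem) and not guarded:
            findings.append((elem.get(ANDROID + "name"), RISK[elem.tag]))
    return findings

print(find_exposed(SAMPLE_MANIFEST))
```

A finding here only marks a component that any application can reach; whether the component then acts on untrusted intent data still has to be judged from its code.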