Systematic Detection of Capability Leaks in Stock Android Smartphones

Authors: Michael Grace, Yajin Zhou, Zhi Wang, Xuxian Jiang

Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012)
San Diego, CA, February 2012

link: http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf

This paper outlines the Woodpecker system, which statically analyzes APK packages from Android smartphones to search for permission violations. It does this by creating a control flow graph for several permissions and analyzing the function execution paths for those permissions. By using the Android API along with analyzing the app's Dalvik bytecode, Woodpecker is able to monitor Android API calls and their corresponding system calls. In order to generate this type of monitoring and reporting at such a low level, the Android devices must be running a custom-built version of the operating system.

The results revealed several serious capability leaks in various smartphones, many released by major manufacturers such as HTC, Motorola, Samsung, and Google. These leaks enable an app to perform the following actions without explicitly requesting permission: wipe user data, send SMS messages, record conversations, and obtain the GPS position.

These leaks are a result of the "Confused Deputy Problem." This is a classic computer security problem in which one program, without permission to perform a certain task, invokes another program that does have permission in order to complete the task. This shows that the current Android permission-based security model has several flaws. A key source of these vulnerabilities is that the Android framework only checks the communication between applications and the operating system. The paper suggests a validator tool that helps mediate inter-app communication to avoid this problem.
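The kind of path search described above can be sketched as a reachability check from unprotected, exported entry points to permission-guarded API calls. This is an added, simplified example, not Woodpecker's code: the component names, call graph, and the rule that any method calling a permission check counts as guarded are assumptions made for illustration.

```python
from collections import deque

# API sinks and the permission each one exercises (real Android API names).
SINKS = {
    "SmsManager.sendTextMessage": "SEND_SMS",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "MediaRecorder.start": "RECORD_AUDIO",
}
# Methods that verify the caller's permission at runtime.
CHECKS = {"Context.enforceCallingPermission"}

# Constructed sample: hypothetical components of a preloaded app.
COMPONENTS = [
    {"name": "SmsRelayService", "exported": True, "permission": None,
     "entry": "SmsRelayService.onStartCommand"},
    {"name": "LocatorReceiver", "exported": True, "permission": None,
     "entry": "LocatorReceiver.onReceive"},
    {"name": "RecorderService", "exported": True, "permission": "RECORD_AUDIO",
     "entry": "RecorderService.onStartCommand"},
    {"name": "InternalSync", "exported": False, "permission": None,
     "entry": "InternalSync.onReceive"},
]
# Constructed call graph: caller -> callees (call order is not modelled).
CALL_GRAPH = {
    "SmsRelayService.onStartCommand": ["SmsRelayService.forward"],
    "SmsRelayService.forward": ["SmsManager.sendTextMessage"],
    "LocatorReceiver.onReceive": ["Context.enforceCallingPermission",
                                  "LocatorReceiver.report"],
    "LocatorReceiver.report": ["LocationManager.getLastKnownLocation"],
    "RecorderService.onStartCommand": ["MediaRecorder.start"],
    "InternalSync.onReceive": ["SmsManager.sendTextMessage"],
}

def find_leaks(components, graph):
    """Return (component, permission, call path) for each unguarded path."""
    leaks = []
    for comp in components:
        # Only entry points any app can invoke without holding a permission.
        if not comp["exported"] or comp["permission"]:
            continue
        queue, seen = deque([[comp["entry"]]]), {comp["entry"]}
        while queue:
            path = queue.popleft()
            callees = graph.get(path[-1], [])
            if CHECKS & set(callees):
                continue  # caller is verified here; treat the path as guarded
            for callee in callees:
                if callee in SINKS:
                    leaks.append((comp["name"], SINKS[callee], path + [callee]))
                elif callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return leaks
```

On the sample data only `SmsRelayService` is reported: the receiver checks its caller, the recorder is protected by a manifest permission, and `InternalSync` is not exported.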

About Frank Sposaro

Frank was the initial student to start the mobile lab with Dr. Tyson. After working on the first project, iFall, he and Dr. Tyson designed the Mobile Programming course at FSU. The course is used as a training base to recruit new students into the lab. His thesis researches several medical-related applications, including iFall. Frank then went on to implement the redesign of the "favorite contacts" for Android's Ice Cream Sandwich at Google HQ in Mountain View, California. He currently acts as a tech lead in the lab, getting infrastructure and project management tools set up. He has a special focus on native Android coding and UI design.