Biniam Fisseha Demissie, Davide Ghio, Mariano Ceccato, Andrea Avancini

Identifying Android inter app communication vulnerabilities using static and dynamic analysis


The Android platform is designed to facilitate inter-app integration and communication, so that apps can reuse functionalities implemented by other apps by resorting to delegation. Though this feature is usually mentioned to be the main reason for the popularity of Android, it also poses security risks to the end user. Malicious unprivileged apps can exploit the delegation model to access privileged tasks that are exposed by vulnerable apps.

In this paper, we present a particularly dangerous case of delegation, that we call the Android Wicked Delegation (AWiDe). Moreover, we compare two distinct approaches to automatically detect inadequate message validation, respectively based on static analysis and on dynamic analysis. We empirically validate our approaches on more than three hundred popular apps. Vulnerabilities detected by us lead to the implementation of successful proof-of-concept attacks, and the app developers have confirmed one of them.

PDF version of the paper.

Valid XHTML 1.0!

Maintainer: ceccato at fbk dot eu