This work examines how Android applications interact through Intents, identifies the security risks that arise in application components, and provides a tool, ComDroid, that detects application communication vulnerabilities; run over 20 applications it found 34 exploitable vulnerabilities.
Abstract:
Modern smartphone operating systems support the development of third-party applications with open system APIs. In addition to an open API, the Android operating system also provides a rich inter-application message passing system. This encourages inter-application collaboration and reduces developer burden by facilitating component reuse. Unfortunately, message passing is also an application attack surface. The content of messages can be sniffed, modified, stolen, or replaced, which can compromise user privacy. Also, a malicious application can inject forged or otherwise malicious messages, which can lead to breaches of user data and violate application security policies. We examine Android application interaction and identify security risks in application components. We provide a tool, ComDroid, that detects application communication vulnerabilities. ComDroid can be used by developers to analyze their own applications before release, by application reviewers to analyze applications in the Android Market, and by end users. We analyzed 20 applications with the help of ComDroid and found 34 exploitable vulnerabilities; 12 of the 20 applications have at least one vulnerability.
Q1. What contributions have the authors mentioned in the paper "Analyzing inter-application communication in android" ?
In addition to an open API, the Android operating system also provides a rich inter-application message passing system. The authors examine Android application interaction and identify security risks in application components. The authors provide a tool, ComDroid, that detects application communication vulnerabilities. The authors analyzed 20 applications with the help of ComDroid and found 34 exploitable vulnerabilities; 12 of the 20 applications have at least one vulnerability.
Q2. What type of analysis does ComDroid perform?
ComDroid specifically performs flow-sensitive, intraprocedural static analysis, augmented with limited interprocedural analysis that follows method invocations to a depth of one method call.
Q3. What is the way to limit a component's exposure to a set of trusted applications?
Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component’s exposure to a set of trusted applications.
Q4. Why do the authors treat Activities and their aliases as separate components?
The authors treat Activities and their aliases as separate components for the purpose of their analysis because an alias’s fields can increase the exposure surface of the component.
Q5. How can a receiver be dynamically created and registered?
Receivers can also be dynamically created and registered by calling registerReceiver(BroadcastReceiver receiver, IntentFilter filter).
Q6. What is the role of the Broadcast Intent in application exposure?
Their results indicate that Broadcast- and Activity-related Intents (both sending to and receiving from) play a large role in application exposure.
Q7. How does Android determine which Intents should be delivered to an exported component?
Android determines which Intents should be delivered to an exported component by matching each Intent’s fields to the component’s declaration.
Q8. What is the reason why iOS developers are unlikely to accidentally expose functionality?
iOS developers are unlikely to accidentally expose functionality because schemes are only used for public interfaces; different types of messages are used for internal communication.
Q9. What are the common bugs that are not also vulnerabilities?
Of the 181 warnings, the authors discovered 20 definite vulnerabilities, 14 spoofing vulnerabilities, and 16 common, unintentional bugs (that are not also vulnerabilities).
Q10. What is the way to make a component more secure?
To make components more secure, developers should avoid exporting components unless the component is specifically designed to handle requests from other applications.
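The manifest-level half of that advice (Q3, Q4, Q7 and Q10 above) can be checked mechanically. The following is an added example, not ComDroid's own code: it parses an AndroidManifest.xml, applies the pre-Android-12 export rule (an explicit android:exported wins; otherwise a component is exported if and only if it declares an intent filter), and grades each exported activity, activity-alias, service or receiver by the protection level of the permission guarding it. The sample manifest and the com.example.notes package, component and permission names in it are constructed for the example. Content providers and receivers registered at runtime with registerReceiver() (Q5) are not visible to a manifest-only check and would need code analysis, which is where ComDroid's static analysis of the application's bytecode comes in.

```python
# Added example (not ComDroid's code): manifest-level exposure audit.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # Clark notation ElementTree uses for android:* attributes

# Component kinds audited here. Content providers are left out on purpose:
# they use readPermission/writePermission and had a different export default.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")
STRONG_LEVELS = ("signature", "signatureOrSystem")

# Constructed sample manifest for a hypothetical com.example.notes app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <permission android:name="com.example.notes.SYNC"
      android:protectionLevel="signature"/>
  <permission android:name="com.example.notes.DEBUG"
      android:protectionLevel="normal"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".EditNoteActivity" android:exported="false"/>
    <activity-alias android:name=".EditAlias"
        android:targetActivity=".EditNoteActivity">
      <intent-filter>
        <action android:name="com.example.notes.EDIT"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity-alias>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.notes.SYNC"/>
    <receiver android:name=".DebugReceiver" android:exported="true"
        android:permission="com.example.notes.DEBUG">
      <intent-filter>
        <action android:name="com.example.notes.DUMP"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".TickReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.notes.TICK"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_exported(comp):
    """Pre-Android-12 rule: an explicit android:exported wins; otherwise a
    component is exported exactly when it declares an <intent-filter>."""
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """MAIN/LAUNCHER activities must be exported; report them as INFO, not HIGH."""
    for flt in comp.findall("intent-filter"):
        actions = {a.get(A + "name") for a in flt.findall("action")}
        cats = {c.get(A + "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and \
                "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def audit_manifest(xml_text):
    """One finding per exported component: HIGH (no permission), MEDIUM (permission
    below signature level, or declared by another package so its level is unknown),
    OK (signature-level permission) or INFO (launcher activity)."""
    root = ET.fromstring(xml_text)
    # <permission> without protectionLevel defaults to "normal".
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        perm = comp.get(A + "permission")
        level = levels.get(perm, "undeclared") if perm else None
        if perm is None:
            grade = "INFO" if is_launcher(comp) else "HIGH"
        elif level in STRONG_LEVELS:
            grade = "OK"
        else:
            grade = "MEDIUM"
        findings.append({"kind": comp.tag, "name": comp.get(A + "name"),
                         "permission": perm, "level": level, "grade": grade})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['grade']:6} {f['kind']:15} {f['name']:20} "
              f"permission={f['permission']} level={f['level']}")
```

Note what the alias does to the sample: EditNoteActivity is marked exported="false", yet EditAlias forwards an implicit Intent to it with no permission check, so the alias is graded HIGH while the target is not reported at all. That is exactly why the paper treats aliases as separate components (Q4).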
Q11. How does a developer send an explicit Intent?
A developer sends an explicit Intent by specifying a recipient component name; the Intent is then delivered to the component with that name.
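The difference between explicit delivery (Q11) and filter matching (Q7) is what makes spoofing possible: an implicit Intent reaches every exported component whose filter matches it, and an explicit Intent reaches the named component without consulting its filters at all. The model below is an added example, not code from the paper or from Android; it keeps only the documented action, category and URI-scheme tests (real resolution also handles MIME types, URI hosts and paths, and several flags) and assumes the sender is a different application, so non-exported components and permission checks apply. The com.example.notes components are constructed for the example.

```python
# Added example (not from the paper): simplified model of Android Intent resolution.
from dataclasses import dataclass

CATEGORY_DEFAULT = "android.intent.category.DEFAULT"


@dataclass
class IntentFilter:
    actions: frozenset = frozenset()
    categories: frozenset = frozenset()
    schemes: frozenset = frozenset()


@dataclass
class Component:
    name: str                    # "package/.Class"
    kind: str                    # "activity", "service" or "receiver"
    exported: bool
    filters: tuple = ()
    permission: str = None       # permission a sender must hold, if any


@dataclass
class Intent:
    component: str = None        # set => explicit Intent
    action: str = None
    categories: frozenset = frozenset()
    scheme: str = None


def filter_matches(flt, intent, for_activity):
    """Action, category and (scheme-only) data tests from the IntentFilter docs."""
    # Action test: a filter with no actions matches nothing; an Intent with no
    # action passes as long as the filter lists at least one.
    if not flt.actions:
        return False
    if intent.action is not None and intent.action not in flt.actions:
        return False
    # Category test: every category on the Intent must appear in the filter.
    # startActivity() implicitly requires DEFAULT, so add it for activities.
    wanted = set(intent.categories)
    if for_activity:
        wanted.add(CATEGORY_DEFAULT)
    if not wanted <= flt.categories:
        return False
    # Data test (scheme only): both sides must agree on whether data is present.
    if intent.scheme is None:
        return not flt.schemes
    return intent.scheme in flt.schemes


def resolve(intent, components, sender_permissions=frozenset()):
    """Names of components in another application that would receive intent."""
    targets = []
    for comp in components:
        if intent.component is not None:
            # Explicit Intent: the name alone selects the recipient; the
            # component's intent filters are not consulted.
            if comp.name != intent.component:
                continue
        elif not any(filter_matches(f, intent, comp.kind == "activity")
                     for f in comp.filters):
            continue
        # Cross-application delivery needs an exported component and, if the
        # component declares a permission, a sender that holds it.
        if not comp.exported:
            continue
        if comp.permission and comp.permission not in sender_permissions:
            continue
        targets.append(comp.name)
    return targets


# Constructed components for a hypothetical com.example.notes app.
EDIT_FILTER = IntentFilter(actions=frozenset({"com.example.notes.EDIT"}),
                           categories=frozenset({CATEGORY_DEFAULT}))
TICK_FILTER = IntentFilter(actions=frozenset({"com.example.notes.TICK"}))
NOTES_APP = (
    Component("com.example.notes/.EditAlias", "activity", True, (EDIT_FILTER,)),
    Component("com.example.notes/.SyncService", "service", True, (),
              "com.example.notes.SYNC"),
    Component("com.example.notes/.TickReceiver", "receiver", False, (TICK_FILTER,)),
)


def demo():
    """What a malicious third-party app can reach in NOTES_APP."""
    spoof_edit = Intent(action="com.example.notes.EDIT")   # forged implicit Intent
    spoof_tick = Intent(action="com.example.notes.TICK")
    explicit_sync = Intent(component="com.example.notes/.SyncService")
    return {
        "spoof_edit": resolve(spoof_edit, NOTES_APP),
        "spoof_tick": resolve(spoof_tick, NOTES_APP),
        "sync_no_perm": resolve(explicit_sync, NOTES_APP),
        "sync_with_perm": resolve(explicit_sync, NOTES_APP,
                                  frozenset({"com.example.notes.SYNC"})),
    }


if __name__ == "__main__":
    for label, targets in demo().items():
        print(f"{label:15} -> {targets}")
```

The forged EDIT Intent lands on the exported alias; the TICK Intent matches TickReceiver's filter but goes nowhere because the receiver is not exported; and the explicit Intent to SyncService is delivered only when the sender holds the signature-level SYNC permission, which is the "set of trusted applications" of Q3.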