Title
NIVAnalyzer: A Tool for Automatically Detecting and Verifying Next-Intent Vulnerabilities in Android Apps
Abstract
In the Android system design, any app can start another app's public components to facilitate code reuse by sending an asynchronous message called an Intent. In addition, Android allows an app to have private components that should only be visible to the app itself. However, malicious apps can bypass this system protection and directly invoke private components in vulnerable apps through a newly discovered class of vulnerability, called the next-intent vulnerability. In this paper, we design an intent flow analysis strategy which accurately tracks the intent in smali code to statically detect next-intent vulnerabilities efficiently and effectively on a large scale. We further propose an automated approach to dynamically verify the discovered vulnerabilities by generating exploit apps. Then we implement a tool named NIVAnalyzer and evaluate it on 20,000 apps downloaded from Google Play. As a result, we successfully confirmed 190 vulnerable apps, some of which even have millions of downloads. We also confirmed that an open-source project and a third-party SDK, which are still used by other apps, have next-intent vulnerabilities.
Year
2017
DOI
10.1109/ICST.2017.56
Venue
2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)
Keywords
Android, Intent, vulnerability, static and dynamic analysis, tool
Field
Asynchronous communication, World Wide Web, Android (operating system), Computer security, Computer science, Systems design, System protection, Exploit, Code reuse, Vulnerability, Humanoid robot
DocType
Conference
ISSN
2381-2834
ISBN
978-1-5090-6032-0
Citations
3
PageRank
0.40
References
6
Authors
8
Name            Order   Citations   PageRank
Junjie Tang     1       3           0.74
Xingmin Cui     2       24          2.64
Ziming Zhao     3       322         30.52
Shanqing Guo    4       134         27.26
Xinshun Xu      5       390         32.51
Chengyu Hu      6       132         28.60
Tao Ban         7       102         25.58
Bing Mao        8       9           1.21