2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering
SDLI: Static Detection of Leaks across Intents Rocco Salvia Pietro Ferrara Fausto Spoto Agostino Cortesi School of Computing JuliaSoft SRL Universita` di Verona DAIS University of Utah Verona, Italy and JuliaSoft SRL Universita` Ca’ Foscari Salt Lake City, Utah, USA pietro.ferrara@ Verona, Italy Venice, Italy [email protected] juliasoft.com [email protected] [email protected]
Abstract—Intents are Android’s intra and inter-application real world apps from the Google Play marketplace, where its communication mechanism. They specify an action to perform, ability to deal with implicit intents uncovers dangerous flows. with extra data, and are sent to a receiver component or Finally, the analysis is soundy [9], since it inherits the power broadcast to many components. Components, in the same or in a distinct app, receive the intent if they are available to and precision but also the limitations of Julia [17], [10] and of perform the desired action. Hence, a sound static analyzer must most static tools that analyze real software (typically because be aware of information flows through intents. That can be of reflection and multithreading). achieved by considering intents as both source (when reading) This article is organized as follows. Sec. II discusses the and sink (when writing) of confidential data. But this is overly state of the art on intent analysis. Sec. III presents the structure conservative if the intent stays inside the same app or if the set of apps installed on the device is known in advance. In such cases, of Android apps and the use of intents. Sec. IV recalls Julia’s a sound approximation of the flow of intents leads to a more flow analysis and shows its application to Android. Sec. V precise analysis. This work describes SDLI, a novel static analyzer presents the novel intent analysis. Sec. VI reports experiments. that, for each app, creates an XML summary file reporting a Sec. VII concludes. description of the tainted information in outwards intents and of the intents the app is available to serve. SDLI discovers confidential information leaks when two apps communicate, by II. RELATED WORK matching their XML summaries, looking for tainted outwards intents of the first app that can be inwards intents of the Most analyses dealing with intents focus on a limited set second app. The tool is implemented inside Julia, an industrial of components only, typically activities. Some analyze the static analyzer. On some popular apps from the Google Play Android Dalvik (.dex) bytecode directly, others first translate it marketplace, it spots inter-apps leaks of confidential data, hence into Java bytecode or other intermediate language, then perform showing its practical effectiveness. Index Terms—Information Flow, Static Analysis, Abstract the analysis [16]. We now compare our approach to some of Interpretation, Android, Intent. the most notable tools. FlowDroid [2] performs taint analysis on .dex files. It collects I. INTRODUCTION sources and sinks using SuSi [15] and it considers any method This article reports design and implementation of a novel that sends intents as a sink and any call that extracts data intent analysis that detects sensitive information flows across from an intent as a source. It does not deal with implicit different Android applications (apps) and its integration inside intents nor with intent modifiers, unless they are constant the Julia static analyzer. Our analysis warns when an intent strings. Epicc [13] performs a sound static analysis of Android carries sensitive data from one app to another. Hence, it tracks apps in Java bytecode, translated from .dex code through intent flows both between components and between apps. It Dare [11]. It focuses on inter-component communication uses Julia’s flow analysis for tracking flows of tainted data, through intents, also between different apps. It deals with using an abstraction in terms of Boolean formulas to express intent filters statically specified in the manifest but also with all possible explicit flows of tainted data [5]. Starting from dynamically registered broadcast receivers. The analyzer does a set of sources of tainted user input, it establishes if tainted not always detect such receivers in a sound way, because of data flows into sensitive sinks. intrinsic limitations of the tool: no static fields, no reflection, SDLI is the implementation of such analysis, on top of the limited string analysis. IccTA [8] identifies sources and sinks Julia analyzer. For each app, SDLI computes a soundy XML with SuSi, like FlowDroid. It translates Dalvik bytecode into summary file reporting a description of the tainted information Jimple [18], by using Dexpler [3]. It can leverage on both in outwards intents and of the intents the app is available Epicc or its extension IC3 [12] to obtain the inter-component to serve. By matching pairs of XML files, one can discover communication methods and their parameters (IC3 is preferred leaks of confidential information when two apps communicate, due to its performance). It deals with the dynamic registration by checking if an output tainted intent can pass the app’s of broadcast receivers. Finally, IccTA applies FlowDroid to boundaries and reach another app. perform an intra-component taint analysis. The authors report The main novelty of our analysis is that it considers all kinds that IccTA performs also an inter-app communication, but do of Android’s components and both implicit and explicit intents. not show any result. In any case, IccTA inherits the same Moreover, it has been widely evaluated over a large set of limitations of Epicc and IC3.
2324-9013/18/31.00 ©2018 IEEE 1002 DOI 10.1109/TrustCom/BigDataSE.2018.00141 new this class Intent download = Intent( , DownloadService. ); 1 public class MainActivity extends Activity { download.setData(Uri.parse(fileUrl)); 2 public void sendMessage(View view) { startService(download); 3 String textMessage = telephonyManager.getDeviceId(); Fig. 1. Creation of an explicit intent for starting a DownloadService. 4 Intent send = new Intent(); 5 send.setAction(Intent.ACTION_SEND); 6 send.putExtra(Intent.EXTRA_TEXT, textMessage); 7 startActivity(send); III. ANDROID APPLICATIONS AND INTENTS 8} 9} This section describes the structure of Android apps Fig. 2. An activity with an event handler that creates an implicit in- and their communication model through intents. Exam- tent for sending a message. This is inside an app called App1. The constants Intent.EXTRA_TEXT="android.intent.extra.TEXT" ples are from https://developer.android.com/guide/components/ and Intent.ACTION_SEND="android.intent.action.SEND" are intents-filters.html, where the reader can find further detail. hardcoded in the Android OS. Android supports a modular definition of apps in terms of
1003 A. Flow Analysis for Java as taintAnalysis(sources, sinks)=leaks, where leaks are the program points where Julia issues a leak warning. Julia starts the analysis from a set of entry points and builds a semantical model of the execution of a Java program. Namely, B. Application to Android all methods reachable, recursively, from the entry points get The selection of the entry points is different in Android, analyzed. The selection of the entry points can be done in three where it is the OS duty to call the event handlers of the ways: (i) the entry points are the main methods; (ii) the entry components. Hence, Julia scans the Android manifest, looking points are the public methods (default); (iii) the entry points for XML elements declaring services, activities, receivers and are the public and the protected methods (library mode). content providers. For each of them, Julia creates a synthetic Among its checkers, Julia includes the injection checker method that simulates the component’s lifecycle (e.g.,an that implements the sound information flow analysis from [7]. activity starts with a call to onCreate(), followed by calls to It propagates tainted data along all possible information onStart(), onStop() and onResume()). That synthetic flows. Boolean variables stand for program variables. Boolean method is an entry point for the analysis [14]. formulas model explicit information flows. Namely, their A sound flow analysis must match intent creations with models form a sound overapproximation of all taintedness serving components, exploiting knowledge about the set of behaviors for the variables in scope at a given program point. apps installed on the device, and must track the propagation For instance, the abstraction of the load k bytecode, that of tainted extras. Both tasks need some analysis of the strings pushes on the operand stack the value of local variable k,isthe (ˇl ↔ sˆ )∧U used as intent target component or as keys for extras, that are Boolean formula k top , stating that the taintedness of not necessarily constants. This is complex since there are many the topmost stack element after this instruction is equal to the k alternative ways of creating intents and since the component taintedness of local variable before the instruction; all other resolution algorithm is rather involved. local variables and stack elements do not change (expressed U by a formula ); taintedness before and after an instruction V. T HE SDLI TOOL FOR FLOW ANALYSIS OF ANDROID is distinguished by using distinct hats for the variables. There SDLI, for each app, builds a summary XML file about the are such formulas for each bytecode instruction. Instructions flows of intents into and out of the app. By comparing the XML that might have side-effects (field updates, array writes and summaries for two apps App1 and App2, it is then possible to method calls) need some approximation of the heap, to model determine if tainted data flows out of App1 and enters App2. the possible effects of the updates. The analysis of sequential In that case, SDLI issues a warning. instructions is merged through a sequential composition of formulas. Loops and recursion are saturated by fixpoint. The Example 2: SDLI generates the following summary resulting analysis is a denotational, bottom-up taint analysis XML file for App1 in Fig. 2. It states that App1 sends implemented through efficient binary decision diagrams [4]. tainted data through an intent created at line 4 of method sendMessage() of class MainActivity, through the Native methods are a problem for any static analyzer and constructor of class Intent with no arguments. The intent has Julia is no exception. Julia has specific knowledge about the action android.intent.action.SEND and holds tainted behavior of a few frequently used native methods, such as data as extra for key android.intent.extra.TEXT: System.arraycopy(). For the others, it applies a worst case assumption. For the injection checker, the latter states
1004 1: function DUMP SUMMARY FOR(app) key(), that exploit standard allocation-based pointer analysis [1] 2: // collect a description of the extra’s keys that are tainted and string analysis to determine the possible strings used there. ←∅ 3: tKeys When this is not possible, is used instead, for soundness. For 4: tGetExtra ←∅ 5: repeat real world apps, this overapproximation is usually prohibitive 6: leaks ← taintAnalysis(sources ∪ tGetExtra, putExtra) in terms of number of false alarms. For this reason, on real 7: oldtKeys ← tKeys world apps the analysis considers only constant strings here. At 8: tKeys ← tKeys ∪ line 10, SDLI uses the abstract description of the tainted keys {a, k|pe ∈ ,a∈ (pe),k∈ (pe)} 9: leaks action key to compute which API method calls in app, that read an intent 10: tGetExtra ← tGetExtra ∪ tGetExtraFor(tKeys, app) 11: until oldtKeys = tKeys extra, could return tainted data. This is the goal of function 12: leaks ← taintAnalysis(sources ∪ tGetExtra, sinks) tGetExtraFor(), that uses the manifest of the app to determine 13: WARN AT(leaks) if the action of the abstract key is compatible with the intent 14: DUMP OUTWARDS FLOWS(tKeys, app) filters for the components of the app. Also in this case, pointer 15: DUMP INWARDS FLOWS(app) and string analyses are used to overapproximate the possible 16: end function keys used for reading the extra. This set tGetExtra is then used Fig. 4. SDLI’s algorithm that analyzes a single app and generates its intent as sources in the flow analysis at the next iteration (line 6), summary XML file. until no more keys can be considered as tainted (line 11). By matching this XML file with that in Ex. 2, SDLI concludes Once the fixpoint is reached, SDLI performs a final flow that the outwards tainted intent of App1 matches the inwards analysis using the Android sinks (line 12) and uses its results intent of App2. Hence, there is a potential flow of tainted data to generate warnings about intra-app leaks. Then, it dumps from App1 into App2, through intents. the tainted keys as
1005 App LOC SDLI App LOC SDLI Time Warns Time Warns Netflix 346K 25:32 156 3 249K 11:29 223 PianoTiles 335K 30:12 492 AliBaba 230K 5:53 1 Pinterest 383K OOM Amazon 354K 27:44 540 PjMask 254K 13:59 164 Booking 260K 10:28 65 Pokemon 248K 11:18 130 CandyCrash 239K 9:35 129 Pou 237K 9:32 16 CatsCrashArena 294K 19:02 265 Roll the Ball 323K 26:14 369 Chat&Cash 288K 21:07 132 Shazam 296K 15:08 37 ChickenScream 322K 25:19 268 Slither 290K 22:06 240 Clash of Clans 270K 17:35 160 Snapchat 141K 2:58 2 Faceapp 244K 09:07 25 Spotify 312K 21:01 51 Facebook 231K OOM Subito 232K 8:39 9 FacebookLite 266K 13:33 137 Subway Surfers 329K 23:52 325 FacebookMessenger 233K 8:58 55 SuperMario 273K 16:55 229 FifaMobile 212K 6:18 21 SuperOptCleaner 222K 7:59 11 FightList 311K 20:08 207 Telegram 315K 27:55 188 GooglePhoto 312K 20:40 113 Tiger Ball 208K 7:20 42 GooglePlayGames 330K 29:07 276 Fig. 5. Invalid number. Fig. 6. App selection. Fig. 7. Gmail is Tim Mobile 253K 11:44 86 GoogleTranslate 295K 25:37 146 launched. Twitter 161K 4:24 0 InfoTarga 243K 11:40 139 Vodafone 284K 14:50 73 Instagram 333K OOM To determine potential inter-app leakages of sensitive in- Waze 265K 9:37 58 Launcher 319K 21:12 259 WhatsApp 359K 35:43 320 formation, we matched the XML summaries for the 50 top Musically 195K 5:27 6 Wind 294K 18:24 115 6 MusicDownloader 262K 17:22 170 apps against that for Intent Analyser , a popular Android app Wish 332K 20:31 92 developed to let users understand which information can be Fig. 8. Results of the analysis of the 50 most popular apps on the Italian leaked by intercepting other apps’ intents. Google Play marketplace. OOM stands for out of memory. The analysis of Telegram yields 188 intra-app alarms. We Intent takePictureIntent = new Intent("IMAGE_CAPTURE"); only report those where we have manually verified that taint File image = AndroidUtilities.generatePicturePath(); information flows into a putExtra over an intent. Moreover, if (image != null){ takePictureIntent.putExtra("output", Uri.fromFile(image)); we have only considered alarms related to implicit flows, that startActivityForResult(takePictureIntent, ..); are more likely to induce security issues. We report an alarm } ... related to explicit intents, as an example. } Telegram v.3.10.1 Telegram invokes method sendLogs() in case of crash or when an inconsistent runtime state is detected. Such method col- 7 Telegram is a popular open source messaging app. When it lects all logs and sends them in an email as attachment. For that first runs, it asks the user to specify her telephone number. If purpose, Telegram asks the OS for all apps that can satisfy the Telegram deems the number illegal, it complains (Fig. 5) and action "android.intent.action.SEND_MULTIPLE". suggests to contact its technical support. This is achieved by cre- We have matched the XML summary file of Telegram ating an implicit intent with action Intent.ACTION_SEND, against those of our database of apps and found holding confidential data about the device: that Intent Analyser can serve intents with action Intent mailer = new Intent(Intent.ACTION_SEND); "android.intent.action.SEND_MULTIPLE".If mailer.putExtra(Intent.EXTRA_TEXT, "App version: " + version + chosen, it will show the sensitive information held in the "\nOS version: SDK " + Build.VERSION.SDK_INT + intent. This leak can be prevented by avoiding the use of "\nDevice Name: " + Build.MANUFACTURER + Build.MODEL + "\nLocale: " + Locale.getDefault()); implicit intents. For instance, one can upload the logs to a getParentActivity().startActivity remote server and share the latter’s address by email. (Intent.createChooser(mailer, "Send email...")); Gmail v.6.11.27.141872707 The call to Intent.createChooser() lets the user Gmail8 specifies, in its manifest, that it is avail- choose an app that can serve intents with action able to serve intents with action Intent.ACTION_SEND Intent.ACTION_SEND, if there are more (Fig. 6). The or Intent.ACTION_SEND_MULTIPLE, that get dis- interceptor can catch this intent and leaks the extra. Otherwise, patched to its ComposeActivityGmailExternal com- the intent is dispatched to another app that can serve it. ponent. That component is obfuscated. Its class ex- Gmail in one such app and can consequently serve the intent. tends ComposeActivityGmail, that extends cja, whose We ran Telegram as in Fig. 7 and actually reproduced the method a(Message) is reachable from an event handler leak. In the next code snippet, an implicit intent gets tainted of ComposeActivityGmailExternal. It accesses the for key "output". Julia detects that the return value of extra for key Intent.EXTRA_TEXT and it fills the body of generatePicturePath() is tainted since it can be used the email by calling method cja.a(String, boolean, to leak the path of the file on the file system. This is, however, boolean): the normal way for an app to ask access to the camera: Intent intent = getIntent(); public void openCamera() { String stringExtra2 = intent.getCharSequenceExtra("android.intent.extra.TEXT"); 6https://play.google.com/store/apps/details?id=com.apartapps.android. stringExtra2 = Html.toHtml intentanalyser 7https://telegram.org 8https://play.google.com/store/apps/details?id=com.google.android.gm
1006 (new SpannableString(stringExtra2)); SDLI, instantiated from Julia’s information flow analysis, // fill the textfield of the message of the email a(stringExtra2, true, false); ... detects inter-app communications that leak sensitive data. Experiments show that it scales to real world apps and, despite Being obfuscated, we could not check the method where these being heavily obfuscated, allows one to detect actually stringExtra2 is injected into the email body. However, reproducible leaks of confidential information in some of the SDLI signals that the information is leaked and we reproduced most popular apps in the Google Play marketplace. the leak in our device. This paves the way to information leaks SDLI confirmed that implicit intents are extremely dangerous, if other apps send confidential information through intents with since the receiver is not statically known. Google classified this action Intent.ACTION_SEND, as shown below. as a serious security issue and this is why Android 5.0 (API Google Play Games Accounts level 21) and later throw an exception at bindService() calls with an implicit intent. From the user perspective, an Google Play Games uses implicit intents to share implicit intent carrying confidential extras is a security issue if data between its components. For instance, method and only if another app is installed, that catches and leaks it. ClientUiProxyActivity.launchProxyIntent() broadcasts an intent with action CLIENT_PROXY, containing REFERENCES confidential data about the user’s accounts, stored there by [1] L. O. Andersen. Program Analysis and Specialization for the C method VideoCapturedPopup.handleClick(): Programming Language. PhD thesis, DIKU, University of Copenhagen, 1994. Context localContext = getContext(); [2] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, Account acc = this.mGamesContext.mClientContext.mResolvedAccount; ... D. Octeau, and P. McDaniel. FlowDroid: Precise Context, Flow, Field, intent.putExtra("com.google.android.gms.games.ACCOUNT", acc); Object-Sensitive and Lifecycle-aware Taint Analysis for Android Apps. ClientUiProxyActivity.launchProxyIntent(localContext, intent); In PLDI, 2014. [3] A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus. Dexpler: Converting That intent was meant to stay inside the app’s boundaries. Android Dalvik Bytecode to Jimple for Static Analysis with Soot. In SOAP, 2012. However, being implicit, it might be intercepted by other apps, [4] R. Bryant. Symbolic Boolean Manipulation with Ordered Binary-Decision as it can be verified with Intent Analyser. A malware might Diagrams. ACM Computing Survey, 24(3):293–318, 1992. consequently gain access to all user accounts. [5] A. Cortesi, P. Ferrara, R. Halder, and M. Zanioli. Combining symbolic and numerical domains for information leakage analysis. Trans. Discussion Computational Science, pages 98–135, 2018. [6] P. Cousot and R. Cousot. Abstract Interpretation: A Unified Lattice Model The issues related to implicit intents with action for Static Analysis of Programs by Construction or Approximation of Fixpoints. In POPL, 1977. Intent.ACTION_SEND do not seem critical, since almost [7] M. D. Ernst, A. Lovato, D. Macedonio, C. Spiridon, and F. Spoto. all devices have Gmail installed. Hence the user should explic- Boolean Formulas for the Static Identification of Injection Attacks in itly select an untrusted app (malware) with the chooser, instead Java. In LPAR, 2015. [8] L. Li, A. Bartel, T. F. Bissyande,´ J. Klein, Y. Le Traon, S. Arzt, of Gmail, which seems unlikely. Similarly, the issue related to S. Rasthofer, E. Bodden, D. Octeau, and P. D. McDaniel. IccTA: Detecting implicit intents with action Intent.ACTION_INSERT does Inter-Component Privacy Leaks in Android Apps. In ICSE, 2015. not seem critical: there is, normally, a trusted receiver app for [9] B. Livshits, M. Sridharan, Y. Smaragdakis, O. Lhotak,´ J. N. Amaral, B. E. Chang, S. Z. Guyer, U. P. Khedker, A. Møller, and D. Vardoulakis. that intent, namely, the app dealing with the phone contacts. A In Defense of Soundiness: A Manifesto. Communications of the ACM, malware might be willing to serve the intent, in which case a 58(2):44–46, 2015. chooser will pop up. But it is unlikely that the user will choose [10] A. Mandal, A. Cortesi, P. Ferrara, F. Panarotto, and F. Spoto. Vulnerability analysis of android auto infotainment apps. In ACM CF, 2018. the malware, although it might simulate the expected behavior, [11] D. Octeau, S. Jha, and P. D. McDaniel. Retargeting Android Applications while actually leaking the information. The issue related to to Java Bytecode. In FSE, 2012. implicit intents with action CLIENT_PROXY seems definitely [12] D. Octeau, D. Luchaup, S. Jha, and P. D. McDaniel. Composite Constant Propagation and its Application to Android Program Analysis. IEEE critical, instead. That action is uncommon, it is strictly related Transactions on Software Engineering, 42(11):999–1014, 2016. to the internal logic of Google Games (rather than to a user [13] D. Octeau, P. D. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, request) and there exists just one available receiver among the and Y. Le Traon. Effective Inter-Component Communication Mapping in Android: An Essential Step towards Holistic Security Analysis. In 50 most popular Android apps: Google Games itself. Hence the USENIX Security, 2013. OS will automatically redirect the intent to it, without popping [14] E.´ Payet and F. Spoto. Static Analysis of Android Programs. Information up any chooser. But another app (such as Intent Analyser or & Software Technology, 54(11):1192–1201, 2012. [15] S. Rasthofer, S. Arzt, and E. Bodden. A Machine-learning Approach a malware), might easily intercept the intent. The user will for Classifying and Categorizing Android Sources and Sinks. In NDSS, then be faced to a puzzling question about the right app to 2014. choose for a non-understandable, never explicitly required [16] A. Sadeghi, H. Bagheri, J. Garcia, and S. Malek. A taxonomy and qualitative comparison of program analysis techniques for security action, and might randomly choose the malware. In this case, assessment of android software. IEEE Transactions on Software the programmers of Google Games should have used explicit Engineering, 43(6):492–530, 2017. intents instead. [17] F. Spoto. The Julia Static Analyzer for Java. In SAS, 2016. [18] R. Vallee-Rai,´ E. Gagnon, L. J. Hendren, P. Lam, P. Pominville, and VII. CONCLUSION V. Sundaresan. Optimizing Java Bytecode using the Soot Framework: Is It Feasible? In CC, 2000. The new static analysis described in this article tracks information flows through Android intents. Its implementation
1007