
CHARACTERIZATION, DETECTION AND EXPLOITATION OF DATA INJECTION VULNERABILITIES IN ANDROID

BEHNAZ HASSANSHAHI
B.Eng., AUT (Iran), 2010

A THESIS SUBMITTED FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
NATIONAL UNIVERSITY OF SINGAPORE
2016

Acknowledgment

First, I would like to express my appreciation to Dr. Roland Yap for supervising me during my PhD journey. He has always been supportive and encouraging. I especially thank him for helping me to develop a critical-thinking mindset for solving problems. I have to thank my husband for motivating me all these years and being with me through the good times and the bad times. I would also like to thank my family, especially my parents, for always believing in me and helping me to chase my dreams. To all my friends who have been my second family in Singapore, thank you for being by my side. I cannot list all your names here, but you are always on my mind. I would like to thank the members of my thesis committee for reading this thesis and giving comments. I would also like to thank the co-authors of my research papers, Dr. Zhenkai Liang, Dr. Prateek Saxena and Yaoqi Jia. It has been a pleasure working with you.

Contents

1 Introduction 1
1.1 A New Analysis Framework for Android 2
1.2 Web-to-Application Channel in Android 2
1.3 Database Attacks in Android Apps 4
1.4 Contributions and Thesis Organization 4
2 Preliminaries 7
2.1 Android Applications 7
2.1.1 Android Components 8
2.1.2 Android Manifest File 8
2.1.3 Message Passing in Android 9
2.2 Android Architecture 10
2.3 Android Security 12
3 A Framework for Detection and Exploitation of Vulnerabilities in Android 15
3.1 Motivating Example 17
3.2 Approach and Design 21
3.3 Source-Sink Pair Identification 24
3.4 Control Flow Graph Construction & Reachability Analysis 25
3.4.1 Control Flow Graph Construction 26
3.4.2 Reachability Analysis 27
3.5 Symbolic Execution and Static Flow Refinement 28
3.5.1 Mitigating the Path Explosion Problem 30
3.5.2 Further Optimizations 34
3.5.3 Interaction with the Environment 36
3.6 Attack Validation and Concrete Value Propagation 38
3.7 Evaluation 40
3.8 Related Work: Analysis of Java and Android Programs 44
3.8.1 Static Information Flow Analysis 44
3.8.2 Symbolic Execution 46
3.8.3 Dynamic Analysis 48
3.9 Summary 48
4 Web-to-Application Injection Attacks on Android 51
4.1 Web-to-Application Injection Attacks on Android 52
4.1.1 Intent Hyperlinks and URI Intents 52
4.1.2 Web-to-App Injection Attacks 59
4.1.3 Categories of W2AI Vulnerabilities 59
4.1.4 A Vulnerable App Example 63
4.2 Web-to-App Channel from a Software Engineering Perspective 64
4.2.1 Browsable Activities as the Main Entry Points 65
4.2.2 Intent Hyperlinks Loaded in the WebViews 66
4.2.3 W2AI Vulnerabilities due to Code Reuse 67
4.2.4 Design Problems of Web-to-App Channel 69
4.3 Detection and Exploitation of W2AI Vulnerabilities 72
4.3.1 Source-Sink Pair Identification for W2AI Attacks 72
4.3.2 Symbolic Execution 72
4.3.3 W2AI Attack Validation 73
4.4 Experimental Results for W2AI Vulnerability Detection 74
4.4.1 Prevalence of W2AI Vulnerabilities in Apps 75
4.4.2 Effectiveness of W2AIScanner in Detecting W2AI Vulnerabilities 76
4.4.3 Reporting Vulnerabilities to Vendors 77
4.4.4 Case Studies 78
4.5 Related Work: Attacks on Android Apps 80
4.5.1 Over-Privileged Malware 80
4.5.2 Privilege Escalation 81
4.5.3 HTML5 and WebView Injection Attacks 81
4.5.4 Web-to-App Injection Attacks 82
4.6 Summary 83
5 Detecting and Characterizing Database Attacks in Android Apps 85
5.1 Overview 86
5.1.1 Public Database Attacks 87
5.1.2 Private Database Attacks 88
5.2 Motivating Examples 89
5.2.1 Vulnerable Public Database Example 92
5.2.2 Vulnerable Private Database Example 93
5.3 Threat Model 94
5.4 Detection and Exploitation of Database Vulnerabilities 94
5.4.1 Source-Sink Pair Identification for Database Attacks 95
5.4.2 Constructing the Control Flow Graph and Reachability Analysis 96
5.4.3 Symbolic Execution for Detecting Database Attacks 97
5.4.4 Database Attack Validation 105
5.5 Experimental Results for Database Vulnerability Detection 109
5.5.1 Database Vulnerability Detection Results 109
5.5.2 Case Studies 111
5.5.3 Comparing DBDroidScanner and ContentScope 112
5.6 Related Work 116
5.7 Summary 118
6 Conclusion and Future Work 121
Bibliography 132
Appendix A Translating Jimple IR to SMT-LIB Format 135

Summary

Android is a popular mobile platform for which a huge number of apps (applications) have been developed during the past few years. However, the complexity of Android programming makes it easy for developers to introduce vulnerabilities.
In this thesis, we present a novel analysis framework to detect and confirm data injection vulnerabilities in benign Android apps. We study two important classes of such vulnerabilities and use our analysis framework to show that many existing apps are vulnerable. As we are able to find many such vulnerabilities, we believe that a significant number of Android apps can be exploited by such attacks.

First, we develop an automated vulnerability detection system for Android apps which not only finds data injection vulnerabilities but also confirms them with a proof-of-concept zero-day exploit. Our tool employs a novel combination of static dataflow analysis and symbolic execution with dynamic testing. We also use several optimizations to tame the path explosion problem in symbolic execution. We show through experiments that this design significantly enhances the detection accuracy compared with an existing state-of-the-art analysis.

Next, we present a detailed study of a new class of application vulnerabilities in Android that allows a malicious web attacker to exploit app vulnerabilities. It can be a significant threat, as no malicious app is needed on the device and the remote attacker has full control of the web-to-app communication channel. Analyzing real apps from the official Google Play store, we found many confirmed vulnerabilities, which suggests that these attacks are easy to mount and that developers do not adequately protect apps against them.

Finally, we conduct a systematic study of the attacks targeting databases in benign Android apps. We present a comprehensive classification of database attacks. These attacks can be triggered either from content providers or from intents received throughout the app. In order to detect and exploit zero-day database vulnerabilities, we utilize our analysis framework and extend it with models for symbolically executing operations on the URI-based objects that are involved in database management. We evaluate our analysis framework by analyzing real-world Android applications and generating the corresponding proof-of-concept exploits. We find both public and private database vulnerabilities in real-world apps. We also show new ways to exploit previously reported and fixed vulnerabilities.

List of Tables

4.1 Security control matrix for W2AI attack in Android development frameworks 69
4.2 Overall statistics of vulnerable apps in each W2AI attack category 75
4.3 Representative vulnerable apps for each W2AI vulnerability category 78
4.4 Sinks and policies/settings for representative apps 78
5.1 SMT formulas for modeling methods of URI-based classes 101
5.2 Overall statistics of apps vulnerable to the database attacks 110
5.3 Public and private database vulnerabilities in representative apps of [ZJ13] 113
A.1 Translating representative Java methods to SMT-LIB(v2) syntax 136

List of Figures

3.1 The code snippet is chosen from the WorkNet (kr.go.keis.worknet version 3.1.0) app, which is vulnerable to data injection attacks. This app may obtain parameters from malicious intents. There are three classes separated by dashed lines: MainActivity, MyWebView and MyRunnable. MainActivity is the browsable activity, MyRunnable is an inner class of MainActivity, and methods are shown in boxes. 18
3.2 CFG for the motivating example in figure 3.1. The gray box contains the lifecycle methods of the MainActivity. This graph contains a call cycle which is painted in red. The IrrMethod() method represents irrelevant methods which do not affect the data dependency analysis but contribute
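The web-to-app channel the Summary describes (a web page starts a browsable activity through an intent hyperlink, so the intent's data URI is attacker-controlled) is easiest to see in code. The following is an added illustration, not code from the thesis or from WorkNet or any other app it analyzes: a hypothetical browsable activity whose vulnerable handler flows the `url` query parameter straight from `getIntent().getData()` (the source) into `WebView.loadUrl` (the sink), beside a hardened handler that only reaches the sink through an allow-list. The package name, the `myapp` scheme, the `url` parameter and the host names are assumptions made for the example.

```java
// Added illustration, not code from the thesis or from any app it analyzes.
// Package, scheme, query-parameter and host names are hypothetical.
package com.example.w2ai;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

/*
 * Manifest entry (hypothetical) that makes this activity a web-to-app entry
 * point. The BROWSABLE category lets a browser start it from a hyperlink, and
 * the custom scheme is what the attacker's page names:
 *
 *   <activity android:name=".MainActivity" android:exported="true">
 *     <intent-filter>
 *       <action android:name="android.intent.action.VIEW" />
 *       <category android:name="android.intent.category.DEFAULT" />
 *       <category android:name="android.intent.category.BROWSABLE" />
 *       <data android:scheme="myapp" android:host="open" />
 *     </intent-filter>
 *   </activity>
 *
 * A page the victim merely visits can carry an intent hyperlink (Chrome's
 * intent: syntax). The browser turns it into a VIEW intent whose data URI is
 * myapp://open?url=http://attacker.example/phish -- no malicious app needed:
 *
 *   <a href="intent://open?url=http%3A%2F%2Fattacker.example%2Fphish#Intent;scheme=myapp;package=com.example.w2ai;end">
 */
public class MainActivity extends Activity {
    // Hosts the app is willing to render in its WebView (hypothetical).
    private static final String[] ALLOWED_HOSTS = { "app.example.com", "help.example.com" };

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        setContentView(webView);
        // Swap in handleIntentHardened to close the flow.
        handleIntentVulnerable(getIntent());
    }

    // W2AI source-to-sink flow: getIntent().getData() is attacker-controlled
    // because the intent originated from a web page; WebView.loadUrl(...) is
    // the sink. Nothing in between checks the value, so javascript:, file: or
    // an arbitrary http(s) page is loaded inside the app's JS-enabled WebView.
    private void handleIntentVulnerable(Intent intent) {
        Uri data = intent.getData();
        if (data == null) return;
        String target = data.getQueryParameter("url");
        if (target != null) {
            webView.loadUrl(target);
        }
    }

    // Hardened variant: same sink, reached only when the parameter parses as
    // an https URL whose host is on the allow-list; everything else is dropped.
    private void handleIntentHardened(Intent intent) {
        Uri data = intent.getData();
        if (data == null) return;
        String target = data.getQueryParameter("url");
        if (isAllowedTarget(target)) {
            webView.loadUrl(target);
        }
    }

    // Parse, then compare scheme and host exactly; a prefix check on the raw
    // string would accept https://app.example.com.attacker.example/.
    static boolean isAllowedTarget(String target) {
        if (target == null) return false;
        Uri uri = Uri.parse(target);
        if (!"https".equals(uri.getScheme())) return false;
        String host = uri.getHost();
        if (host == null) return false;
        for (String allowed : ALLOWED_HOSTS) {
            if (allowed.equalsIgnoreCase(host)) return true;
        }
        return false;
    }
}
```

Two caveats a practitioner would want: the check above is on the value the activity received, which is exactly the position the thesis's source-sink analysis targets, but `android.net.Uri` and the WebView's own URL parser do not agree on every input, so an allow-list should be tested against the parser that actually performs the load; and removing `android.intent.category.BROWSABLE` from activities that do not need to be reachable from the web removes the entry point altogether, which is the stronger fix when the web-to-app channel is not a product requirement.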