Life after App Uninstallation: Are the Data Still Alive?

Post on 13-Apr-2022

Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android

Xiao Zhang, Kailiang Ying, Yousra Aafer, Zhenshen Qiu, and Wenliang Du

App Life

Installation Interaction Uninstallation

But, what if…

Are there any data left after application uninstallation on Android?

Android App Uninstallation

Windows Residue

In Details

Installation Interaction Uninstallation

Are the data still alive after application uninstallation on Android?

[Diagram: App XYZ (UID=10050) and where its data live]

APPLICATION: /data/data/com.XYZ

SDCard: /Android/data/com.XYZ (shared files)

FRAMEWORK: /data/system/ | /system/ | /sys/ | … holding account.db | settings.db | packages.xml … with entries such as <10050, perms> | Clip data | token …

What can go wrong?

Are the data still alive in Android system services after application uninstallation?

Methodology

[Figure: methodology in two phases, Data Residue Harvest and Damage Evaluation, linked by Feedback. Box labels: System Service Collection, Candidate Database, Filtering, Manual Analysis, Residue Instances, Attack Design, Protection Examination, Exploit Attempts, Damage Measurement.]

[Figure: decision flow for a Candidate Service. Labels: Saving data to files, databases? Or saving data in memory?; Data cleanup (flaw)?; Yes / No; Data Residue; Vulnerability exploits.]

Findings

• 7 security vulnerabilities acknowledged by Google with Medium priority

Sample Exploits - I

• Credential Stealing

Sample Exploits - II

• Settings Impersonating

Android Framework

Spell Checker Module

Even More…

Details are available at: https://sites.google.com/site/droidnotsecure/

Evaluation

• 2,373 apps

• 10 devices

• 8 Android versions

• 3 play stores

Fundamental Causes

• Data Residue Instances <-> Mandatory Design Principle in Backend

• Exploits <-> Signature-based Frontend

Limitation

• Manual Analysis

• Static Analysis
  – App Level
  – Intelligence

• Dynamic Analysis
  – App Level
  – Exploit Conditions

    private class TextServicesMonitor extends PackageMonitor {
        @Override
        public void onSomePackagesChanged() {
            synchronized (mSpellCheckerMap) {
                buildSpellCheckerMapLocked(mContext, mSpellCheckerList,
                        mSpellCheckerMap);
                // TODO: Update for each locale
                SpellCheckerInfo sci = getCurrentSpellChecker(null);
                if (sci == null) return;
                final String packageName = sci.getPackageName();
                final int change = isPackageDisappearing(packageName);
                if (// Package disappearing
                        change == PACKAGE_PERMANENT_CHANGE
                        || change == PACKAGE_TEMPORARY_CHANGE
                        // Package modified
                        || isPackageModified(packageName)) {
                    sci = findAvailSpellCheckerLocked(null, packageName);
                    // The current spell checker is replaced only when another
                    // one is found; when sci is null nothing is updated here.
                    if (sci != null) {
                        setCurrentSpellCheckerLocked(sci.getId());
                    }
                }
            }
        }
    }

Conclusion

• Data Residue Vulnerability

• Systematic Study

• Comprehensive Evaluation

• Trigger more research efforts

Questions?

xzhang35@syr.edu

https://sites.google.com/site/droidnotsecure/
