On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis
Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, and Sebastian Weisgerber
USENIX Security Symposium
Austin, August 12th, 2016
Erik Derr - USENIX Sec 2016 - On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis
Motivation
• Application framework internals are still largely a black box
• How do the internals influence platform security and user privacy?
• Every security analysis requires a solid foundation
  • How to analyze the target in the first place?
  • Any platform-specific peculiarities that impede a static analysis?
Motivation
• A lot of work has established such knowledge for apps
  • Entry points (Chex, FlowDroid)
  • Generation of a static runtime model (FlowDroid, R-Droid, Epicc)
  • Sources/sinks (SuSi)
• Yet such a knowledge base is missing for the application framework
  • System services provide core functionality
  • Existing knowledge from app analysis cannot be transferred
Contributions
• Systematic methodology on how to statically analyze the application framework
  • How to enumerate framework entry points
  • How to generate a precise static runtime model
• Re-visiting permission specification analysis
  • More precise permission mappings for SDK / framework
• Study of the internals of Android's permission system
  • How to classify sensitive operations guarded by permission checks
  • Where are permissions checked?
How to analyze the framework
Analysis Ingredients
#1 How to enumerate framework entry points?
#2 How to generate a static model that approximates runtime behavior?
#3 What are the sensitive sinks within the framework?
Framework Entry Points (#1)
• What functionality is exposed to the app layer?
• Key observation: functionality is only exposed via Binder IPC
• Entry class enumeration via class hierarchy analysis
[Figure: class hierarchy rooted at IInterface. An AIDL interface (AIDL-IF) is implemented by a generated Proxy and Stub; a non-AIDL interface (Non-AIDL-IF) is implemented by a hand-written Native class and a Proxy. Concrete services extend the server-side class: a Service extends the Stub, AMS extends the Native class.]
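The enumeration step above can be modelled on a small class table. The following is an added example written for this page, not axplorer's own code: the class table is a constructed miniature of the hierarchy on the slide (AIDL-style Stub/Proxy and hand-written Native/Proxy pairs, plus an internal helper class with no Binder interface), the class and method names are assumptions, and the rule applied is the one the slide states, namely that a class is an entry class only if it transitively implements IInterface, is not an interface itself and is not a client-side Proxy.

```python
from typing import Dict, List, Optional, Set


class ClassInfo:
    """One class or interface of the (constructed) framework class table."""

    def __init__(self, name: str, superclass: Optional[str] = None,
                 interfaces: Optional[List[str]] = None,
                 methods: Optional[List[str]] = None,
                 is_interface: bool = False, is_proxy: bool = False):
        self.name = name
        self.superclass = superclass
        self.interfaces = interfaces or []
        self.methods = methods or []          # public methods declared by this class
        self.is_interface = is_interface
        self.is_proxy = is_proxy              # client-side marshalling class


# Constructed miniature of the hierarchy on the slide.  Names are chosen to
# look like AOSP, but this table is an assumption, not extracted framework code.
CLASSES: Dict[str, ClassInfo] = {c.name: c for c in [
    ClassInfo("IInterface", is_interface=True),
    ClassInfo("Binder"),
    # AIDL-generated interface: Stub (server side) and Stub.Proxy (client side)
    ClassInfo("IBluetooth", interfaces=["IInterface"], is_interface=True),
    ClassInfo("IBluetooth$Stub", superclass="Binder", interfaces=["IBluetooth"]),
    ClassInfo("IBluetooth$Stub$Proxy", interfaces=["IBluetooth"], is_proxy=True),
    ClassInfo("BluetoothService", superclass="IBluetooth$Stub",
              methods=["enable", "disable"]),
    # Hand-written (non-AIDL) interface: Native (server side) and Proxy (client side)
    ClassInfo("IActivityManager", interfaces=["IInterface"], is_interface=True),
    ClassInfo("ActivityManagerNative", superclass="Binder",
              interfaces=["IActivityManager"]),
    ClassInfo("ActivityManagerProxy", interfaces=["IActivityManager"], is_proxy=True),
    ClassInfo("ActivityManagerService", superclass="ActivityManagerNative",
              methods=["startActivity", "killBackgroundProcesses"]),
    # Internal helper: has public methods, but no Binder interface -> not an entry
    ClassInfo("BatteryStatsHelper", methods=["refresh"]),
]}


def supertypes(name: str) -> Set[str]:
    """Transitive closure over extends/implements edges (class hierarchy analysis)."""
    seen: Set[str] = set()
    work = [name]
    while work:
        info = CLASSES.get(work.pop())
        if info is None:
            continue
        parents = ([info.superclass] if info.superclass else []) + info.interfaces
        for parent in parents:
            if parent not in seen:
                seen.add(parent)
                work.append(parent)
    return seen


def entry_classes() -> Set[str]:
    """Concrete server-side classes that apps can reach through Binder IPC."""
    return {
        c.name for c in CLASSES.values()
        if "IInterface" in supertypes(c.name)   # exposed through a Binder interface
        and not c.is_interface                  # interfaces carry no code
        and not c.is_proxy                      # proxies run in the client, not the framework
    }


def entry_points() -> Set[str]:
    """Public methods of the entry classes, as Class.method strings."""
    return {f"{name}.{m}" for name in entry_classes() for m in CLASSES[name].methods}


if __name__ == "__main__":
    for ep in sorted(entry_points()):
        print(ep)
```

The check that matters for a permission mapping is the last filter: a Proxy declares the same methods as the Stub, so a purely name-based enumeration would report client-side marshalling code as framework entry points and every mapping derived from it would be invalid.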
Static Runtime Model (#2)
• Framework services follow the principle of separation of duty
• Highly responsive to process simultaneous queries from multiple clients (apps)
• Various concurrency patterns complicate static analysis
  • Handler
  • AsyncChannel (framework only)
  • StateMachines (framework only)
Static Runtime Model - Handler
• Many services have a dedicated handler to process messages in a separate thread

    public void enable() {
        Message msg = mHandler.obtainMessage(MESSAGE_ENABLE);
        mHandler.sendMessage(msg);   // the message code selects the path taken in handleMessage
    }

    class BluetoothHandler extends Handler {
        public void handleMessage(Message msg) {
            switch (msg.what) {
                case MESSAGE_ENABLE:
                    // do_enable
                    break;
                case MESSAGE_DISABLE:
                    // do_disable
                    break;
                // other cases
            }
        }
    }

Slide annotations: runtime type (of the handler), message code, path sensitivity.
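What the three annotations cost an analysis is easiest to see by modelling the dispatch. The following is an added example for this page, not the paper's code: a constructed mini-IR lists, for each case of a handler's handleMessage, the operations it runs, and a table records the runtime type of the handler field as the static model would recover it. The permissions named are real Android permissions, but which case checks which one is an assumption. A path-insensitive model that unions all cases is compared with a path-sensitive one that follows only the case selected by the constant passed to obtainMessage, falling back to the union when the code is not a compile-time constant.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed mini-IR: each handleMessage case lists what runs when that
# message code arrives; "enforce:" marks a permission check, "call:" an action.
HANDLER_CASES: Dict[str, Dict[str, List[str]]] = {
    "BluetoothHandler": {
        "MESSAGE_ENABLE":    ["enforce:android.permission.BLUETOOTH_ADMIN", "call:do_enable"],
        "MESSAGE_DISABLE":   ["enforce:android.permission.BLUETOOTH_ADMIN", "call:do_disable"],
        "MESSAGE_DISCOVERY": ["enforce:android.permission.BLUETOOTH", "call:do_discovery"],
        "MESSAGE_DUMP":      ["enforce:android.permission.DUMP", "call:do_dump"],
    },
}

# Runtime type of the handler field, as the static model would recover it
# (the declared type is just Handler, which says nothing about handleMessage).
FIELD_RUNTIME_TYPE: Dict[str, str] = {"mHandler": "BluetoothHandler"}

# sendMessage sites inside entry points: (handler field, message code as a
# compile-time constant, or None when the code is computed at runtime).
SEND_SITES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "enable":   [("mHandler", "MESSAGE_ENABLE")],
    "disable":  [("mHandler", "MESSAGE_DISABLE")],
    "dispatch": [("mHandler", None)],   # code not resolvable statically
}


def _permissions(ops: List[str]) -> Set[str]:
    """Permission strings enforced by a list of operations."""
    return {op[len("enforce:"):] for op in ops if op.startswith("enforce:")}


def permissions_path_insensitive(entry: str) -> Set[str]:
    """Over-approximation: every case of handleMessage counts as reachable."""
    result: Set[str] = set()
    for field, _code in SEND_SITES[entry]:
        handler = HANDLER_CASES[FIELD_RUNTIME_TYPE[field]]
        for ops in handler.values():
            result |= _permissions(ops)
    return result


def permissions_path_sensitive(entry: str) -> Set[str]:
    """Follow only the case selected by the message code handed to sendMessage.
    When the code cannot be resolved, keep the over-approximation so the result
    stays sound rather than silently dropping checks."""
    result: Set[str] = set()
    for field, code in SEND_SITES[entry]:
        handler = HANDLER_CASES[FIELD_RUNTIME_TYPE[field]]
        if code is None or code not in handler:
            for ops in handler.values():
                result |= _permissions(ops)
        else:
            result |= _permissions(handler[code])
    return result


if __name__ == "__main__":
    for ep in SEND_SITES:
        print(ep, "insensitive:", sorted(permissions_path_insensitive(ep)),
              "sensitive:", sorted(permissions_path_sensitive(ep)))
```

For enable() the insensitive model reports three permissions although only BLUETOOTH_ADMIN guards that path; in a real mapping such extra entries are exactly the outliers that a path-sensitive treatment of Handler removes, while a site whose message code is computed at runtime keeps the conservative answer.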
Protected Resources (#3)
• The concept of sources/sinks as a list of APIs is no longer applicable
• The analysis now shifts into the framework API
• How do we classify sensitive functionality?
  • Consider permission checks as guards of sensitive operations
• Protected resources are security-sensitive operations that have a tangible side-effect on
  • the system state or
  • user privacy
Taxonomy of Protected Resource Types
Protected resource
  • Method invocation
    • Native method invocation
    • Broadcast sender
  • Field update
  • Return value
  • Throw instruction
    • Throw RuntimeException
• No ground truth so far, thus we manually investigated 35 entry points from different services
• The diversity of operations forced us to create a higher-level classification of operation types
Use-Case: Permission Analysis
More Effort = Better Results?
• Generating precise graphs requires a lot of resources
• Do we perform better than existing work?
• Re-visit Android permission mappings!
  • Why? Still one of the major security mechanisms
  • Important for app developers & security research
• Compare with the state-of-the-art tool PScout (API 16)
Android Permission Mappings - Framework
[Figure: data-flow from framework entry points to permission checks yields the framework (undocumented) map.]
Framework entry point -> List of required permissions
com.android.phone.PhoneInterfaceManager.getDeviceId() -> android.permission.READ_PHONE_STATE
• Map framework entry points to required permissions
• Approach: forward control-flow slicing
• String analysis to resolve permission strings
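The two techniques named in the last bullets, a forward slice from the entry point and a string analysis for the check's argument, are shown together below as an added example written for this page; it is not axplorer's implementation. The mini-IR is constructed: method and class names follow AOSP naming (the getDeviceId() entry point and READ_PHONE_STATE come from the slide), but the method bodies, the static-final table and the way each check builds its permission string (literal, static final field, concatenation, caller-supplied parameter) are assumptions chosen to exercise each case the resolver must handle.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed mini-IR.  A method body is a list of instructions:
#   ("call", callee)   edge that the forward control-flow slice follows
#   ("check", expr)    permission check whose argument is the string expression expr
# String expressions: ("const", s), ("field", static_final_name),
# ("concat", [expr, ...]), ("param", i) for a value supplied by the caller.
METHODS: Dict[str, List[Tuple]] = {
    "PhoneInterfaceManager.getDeviceId": [
        ("call", "PhoneInterfaceManager.enforceReadPermission"),
        ("call", "PhoneSubInfo.getDeviceId"),
    ],
    "PhoneInterfaceManager.enforceReadPermission": [
        ("check", ("field", "Manifest$permission.READ_PHONE_STATE")),
    ],
    "PhoneSubInfo.getDeviceId": [
        # permission string assembled from two literals at runtime
        ("check", ("concat", [("const", "android.permission."), ("const", "READ_PHONE_STATE")])),
        ("call", "PhoneSubInfo.getDeviceId"),   # recursive edge: the slice must not loop
    ],
    "WallpaperManagerService.setWallpaper": [
        ("check", ("const", "android.permission.SET_WALLPAPER")),
    ],
    "GenericService.doWork": [
        ("call", "GenericService.enforce"),
    ],
    "GenericService.enforce": [
        ("check", ("param", 0)),   # permission chosen by the caller: not constant here
    ],
}

# Values of static final String fields, as read from the constant pool.
STATIC_FINALS: Dict[str, str] = {
    "Manifest$permission.READ_PHONE_STATE": "android.permission.READ_PHONE_STATE",
}

# Entry points chosen by the enumeration step; only these receive a mapping.
ENTRY_POINTS: List[str] = [
    "PhoneInterfaceManager.getDeviceId",
    "WallpaperManagerService.setWallpaper",
    "GenericService.doWork",
]


def resolve_string(expr: Tuple) -> Optional[str]:
    """Constant-propagate a string expression; None when it depends on runtime input."""
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "field":
        return STATIC_FINALS.get(expr[1])
    if kind == "concat":
        parts = [resolve_string(e) for e in expr[1]]
        return None if any(p is None for p in parts) else "".join(parts)
    return None   # "param" and anything else is not a compile-time constant


def permissions_for(entry: str) -> Tuple[Set[str], int]:
    """Forward control-flow slice from an entry point: visit every method it can
    reach and collect the permission strings of the checks met on the way.
    Returns (resolved permission names, number of checks left unresolved)."""
    resolved: Set[str] = set()
    unresolved = 0
    seen: Set[str] = set()
    work = [entry]
    while work:
        method = work.pop()
        if method in seen:
            continue
        seen.add(method)
        for insn in METHODS.get(method, []):
            if insn[0] == "call":
                work.append(insn[1])
            elif insn[0] == "check":
                name = resolve_string(insn[1])
                if name is None:
                    unresolved += 1
                else:
                    resolved.add(name)
    return resolved, unresolved


def mapping() -> Dict[str, Tuple[Set[str], int]]:
    """Entry point -> (required permissions, unresolved checks), over ENTRY_POINTS only."""
    return {ep: permissions_for(ep) for ep in ENTRY_POINTS}


if __name__ == "__main__":
    for ep, (perms, missing) in mapping().items():
        print(ep, sorted(perms), f"unresolved={missing}")
```

The unresolved counter is the part worth keeping in a real tool: a check whose permission string comes from a parameter is not a missing mapping but an unknown one, and reporting it separately is what distinguishes an incomplete result from a false claim that an entry point needs no permission. Resolving that case properly requires propagating the constant from the caller's argument, which the toy resolver does not do.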
Framework API Mapping
[Bar chart: number of API-to-permission mappings for axplorer and PScout; values shown: 32304 and 1012.]
• PScout includes normal + dangerous permissions
• axplorer additionally includes system + systemOrSignature permissions
Framework API Mapping
• Fewer false mappings
• Reduced over-approximation through more precise call-graphs
• Entry point definition ensures valid mappings
Android Permission Mappings - SDK
[Figure: SDK methods reach framework permission checks through IPC; the data-flow yields the framework (undocumented) map and the SDK (documented) map.]
SDK Mapping (1)
Number of permissions required by documented APIs

  Permissions required     1     2     3     4     5     6     7   total
  axplorer               314    34     4     0     0     0     0     352
  PScout                 365    46    33     4    19     1     1     469
SDK Mapping (1)
• Connecting the SDK to the framework eliminates false mappings
• Mappings with non-entry methods are ruled out
• Path-sensitivity in Handler eliminates outliers
SDK Mapping (2)
Number of documented APIs that require a specific permission

  Permission                axplorer   PScout
  ACCESS_COARSE_LOCATION          20       18
  ACCESS_FINE_LOCATION            21       21
  WAKE_LOCK                       45       30
  BLUETOOTH                       62       45
  BROADCAST_STICKY                 9       48
  SET_WALLPAPER                   10       58
  NFC                             83       61
SDK Mapping (2)
• Manually validated the top 4 permissions
• Differences due to the SDK analysis
  • Context class difficult to get right (>100 direct and indirect subclasses)
Permission Locality
• Services follow the principle of separation of duty
• How are permission checks distributed?
• Across API versions ~20% of permissions are checked in >1 class and at most in 10 classes
  • This equally affects all protection levels (dangerous, system, ...)
• There is a trend towards more checks in more classes in newer Android versions
Permission Locality
• Locality is measured in terms of the number of distinct classes that check a given permission
• High permission locality: the permission is checked/enforced at a single service
  • SET_WALLPAPER is only enforced at WallpaperManagerService
• Low permission locality: the permission is enforced at different (possibly unrelated) services
Low Permission Locality
• Framework API 16 (4.1.1)
• Permission: READ_PHONE_STATE
• Level: dangerous
Classes checking the permission:
  internal.telephony.PhoneSubInfo
  phone.PhoneInterfaceManager
  server.TelephonyRegistry
  server.net.NetworkPolicyManagerService
Low Permission Locality
• Framework API 22 (5.1)
• Permission: READ_PHONE_STATE
• Level: dangerous
Classes checking the permission:
  internal.telephony.PhoneSubInfoProxy
  phone.PhoneInterfaceManager
  server.TelephonyRegistry
  server.net.NetworkPolicyManagerService
  internal.telephony.SubscriptionController
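The locality metric defined two slides earlier, applied to the READ_PHONE_STATE lists for API 16 and API 22, as an added example for this page rather than the paper's tooling. The check records are constructed: the READ_PHONE_STATE rows reproduce the classes the slides list for each API level and SET_WALLPAPER at WallpaperManagerService is the slides' high-locality case, while the BLUETOOTH and WAKE_LOCK rows are made up so that the per-level share of low-locality permissions is computed over more than two permissions. The percentages it prints therefore say nothing about the real framework; the point is the computation.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed permission-check records: (API level, checking class, permission).
# READ_PHONE_STATE and SET_WALLPAPER rows follow the slides; the BLUETOOTH and
# WAKE_LOCK rows are filler invented for this example.
CHECKS: List[Tuple[int, str, str]] = [
    (16, "internal.telephony.PhoneSubInfo", "READ_PHONE_STATE"),
    (16, "phone.PhoneInterfaceManager", "READ_PHONE_STATE"),
    (16, "phone.PhoneInterfaceManager", "READ_PHONE_STATE"),   # second check site, same class
    (16, "server.TelephonyRegistry", "READ_PHONE_STATE"),
    (16, "server.net.NetworkPolicyManagerService", "READ_PHONE_STATE"),
    (16, "server.WallpaperManagerService", "SET_WALLPAPER"),
    (16, "server.BluetoothService", "BLUETOOTH"),
    (16, "server.PowerManagerService", "WAKE_LOCK"),
    (22, "internal.telephony.PhoneSubInfoProxy", "READ_PHONE_STATE"),
    (22, "phone.PhoneInterfaceManager", "READ_PHONE_STATE"),
    (22, "server.TelephonyRegistry", "READ_PHONE_STATE"),
    (22, "server.net.NetworkPolicyManagerService", "READ_PHONE_STATE"),
    (22, "internal.telephony.SubscriptionController", "READ_PHONE_STATE"),
    (22, "server.WallpaperManagerService", "SET_WALLPAPER"),
    (22, "server.BluetoothManagerService", "BLUETOOTH"),
    (22, "server.AdapterService", "BLUETOOTH"),
    (22, "server.PowerManagerService", "WAKE_LOCK"),
]


def locality(api: int) -> Dict[str, int]:
    """Locality of each permission = number of distinct classes that check it.
    Several check sites inside one class still count as one class."""
    classes: Dict[str, Set[str]] = defaultdict(set)
    for level, cls, perm in CHECKS:
        if level == api:
            classes[perm].add(cls)
    return {perm: len(cls_set) for perm, cls_set in classes.items()}


def classify(api: int) -> Dict[str, str]:
    """'high' when a single service enforces the permission, 'low' otherwise."""
    return {perm: ("high" if n == 1 else "low") for perm, n in locality(api).items()}


def low_locality_share(api: int) -> float:
    """Fraction of permissions checked in more than one class at this API level."""
    loc = locality(api)
    return sum(1 for n in loc.values() if n > 1) / len(loc)


def trend() -> List[Tuple[int, float, int]]:
    """Per API level: (level, share of low-locality permissions, widest locality)."""
    levels = sorted({level for level, _, _ in CHECKS})
    return [(api, low_locality_share(api), max(locality(api).values())) for api in levels]


if __name__ == "__main__":
    for api, share, widest in trend():
        print(f"API {api}: {share:.0%} of permissions checked in >1 class, "
              f"widest spread {widest} classes")
    print("READ_PHONE_STATE:", {api: classify(api)["READ_PHONE_STATE"] for api in (16, 22)})
```

Counting distinct classes rather than check sites is deliberate: a service that checks the same permission in five of its methods has not spread enforcement at all, whereas one additional unrelated service (SubscriptionController in API 22) is exactly the kind of drift the locality trend is meant to surface.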
Permission Locality
• Locality steadily decreases between new Android versions
  • Impedes understanding the big picture of Android permissions
• Single enforcement point for permissions?
  • Facilitates policy generation for access control frameworks (ASM/ASF)
  • How to establish?
    • Identify the owning class/service for each permission
    • Dedicated permission check method that is exposed via IInterface
Conclusion
• Comprehensive and systematic methodology on how to analyze Android's application framework
• First high-level classification of protected resource types
• Re-visited permission analysis
  • Improved on prior results of SDK / framework mappings
• Permission locality improves understanding of the permission system
• Check out www.axplorer.org