A tale of four gates: privilege escalation and permission bypasses on android through app components

Abdulla Aldoseri*, David Oswald, Robert Chiper

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

195 Downloads (Pure)

Abstract

Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of Android OS. In this paper, we demonstrate two according vulnerabilities, affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed components issues in 34 out 5,783 apps with average analysis runtime of 4.3 s per app and, detected both known malware samples and unknown samples downloaded from the F-Droid repository. We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.
Original languageEnglish
Title of host publicationComputer Security – ESORICS 2022
Subtitle of host publication27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II
EditorsVijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
PublisherSpringer
Pages233–251
Number of pages19
Edition1
ISBN (Electronic)9783031171468
ISBN (Print)9783031171451
DOIs
Publication statusPublished - 22 Sept 2022

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume13555
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Fingerprint

Dive into the research topics of 'A tale of four gates: privilege escalation and permission bypasses on android through app components'. Together they form a unique fingerprint.

Cite this