A tale of four gates: privilege escalation and permission bypasses on android through app components

Abdulla Aldoseri; David Oswald; Robert Chiper

doi:10.1007/978-3-031-17146-8_12

A tale of four gates: privilege escalation and permission bypasses on android through app components

Abdulla Aldoseri^*, David Oswald, Robert Chiper

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

142 Downloads (Pure)

Abstract

Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of Android OS. In this paper, we demonstrate two according vulnerabilities, affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed components issues in 34 out 5,783 apps with average analysis runtime of 4.3 s per app and, detected both known malware samples and unknown samples downloaded from the F-Droid repository. We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.

Original language	English
Title of host publication	Computer Security – ESORICS 2022
Subtitle of host publication	27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II
Editors	Vijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
Publisher	Springer
Pages	233–251
Number of pages	19
Edition	1
ISBN (Electronic)	9783031171468
ISBN (Print)	9783031171451
DOIs	https://doi.org/10.1007/978-3-031-17146-8_12
Publication status	Published - 22 Sept 2022

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	13555
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Access to Document

10.1007/978-3-031-17146-8_12

AldoseriA2022Privilege
This version of the contribution has been accepted for publication, after peer review (when applicable) but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-17146-8_12. Use of this Accepted Version is subject to the publisher’s Accepted Manuscript terms of use: https://www.springernature.com/gp/open-research/policies/accepted-manuscript-terms
Accepted author manuscript, 344 KBLicence: Other (please specify with Rights Statement)

Cite this

Aldoseri, A., Oswald, D., & Chiper, R. (2022). A tale of four gates: privilege escalation and permission bypasses on android through app components. In V. Atluri, R. Di Pietro, C. D. Jensen, & W. Meng (Eds.), Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II (1 ed., pp. 233–251). (Lecture Notes in Computer Science; Vol. 13555). Springer. https://doi.org/10.1007/978-3-031-17146-8_12

Aldoseri, Abdulla ; Oswald, David ; Chiper, Robert. / A tale of four gates : privilege escalation and permission bypasses on android through app components. Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II. editor / Vijayalakshmi Atluri ; Roberto Di Pietro ; Christian D. Jensen ; Weizhi Meng. 1. ed. Springer, 2022. pp. 233–251 (Lecture Notes in Computer Science).

@inproceedings{ccc2ba4089b341579f79068c68128cd0,

title = "A tale of four gates: privilege escalation and permission bypasses on android through app components",

abstract = "Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of Android OS. In this paper, we demonstrate two according vulnerabilities, affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed components issues in 34 out 5,783 apps with average analysis runtime of 4.3 s per app and, detected both known malware samples and unknown samples downloaded from the F-Droid repository. We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.",

author = "Abdulla Aldoseri and David Oswald and Robert Chiper",

year = "2022",

month = sep,

day = "22",

doi = "10.1007/978-3-031-17146-8_12",

language = "English",

isbn = "9783031171451",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "233–251",

editor = "Vijayalakshmi Atluri and {Di Pietro}, Roberto and Jensen, {Christian D.} and Weizhi Meng",

booktitle = "Computer Security – ESORICS 2022",

edition = "1",

}

Aldoseri, A, Oswald, D & Chiper, R 2022, A tale of four gates: privilege escalation and permission bypasses on android through app components. in V Atluri, R Di Pietro, CD Jensen & W Meng (eds), Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II. 1 edn, Lecture Notes in Computer Science, vol. 13555, Springer, pp. 233–251. https://doi.org/10.1007/978-3-031-17146-8_12

A tale of four gates: privilege escalation and permission bypasses on android through app components. / Aldoseri, Abdulla; Oswald, David; Chiper, Robert.
Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II. ed. / Vijayalakshmi Atluri; Roberto Di Pietro; Christian D. Jensen; Weizhi Meng. 1. ed. Springer, 2022. p. 233–251 (Lecture Notes in Computer Science; Vol. 13555).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A tale of four gates

T2 - privilege escalation and permission bypasses on android through app components

AU - Aldoseri, Abdulla

AU - Oswald, David

AU - Chiper, Robert

PY - 2022/9/22

Y1 - 2022/9/22

N2 - Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of Android OS. In this paper, we demonstrate two according vulnerabilities, affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed components issues in 34 out 5,783 apps with average analysis runtime of 4.3 s per app and, detected both known malware samples and unknown samples downloaded from the F-Droid repository. We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.

AB - Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of Android OS. In this paper, we demonstrate two according vulnerabilities, affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed components issues in 34 out 5,783 apps with average analysis runtime of 4.3 s per app and, detected both known malware samples and unknown samples downloaded from the F-Droid repository. We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.

U2 - 10.1007/978-3-031-17146-8_12

DO - 10.1007/978-3-031-17146-8_12

M3 - Conference contribution

SN - 9783031171451

T3 - Lecture Notes in Computer Science

SP - 233

EP - 251

BT - Computer Security – ESORICS 2022

A2 - Atluri, Vijayalakshmi

A2 - Di Pietro, Roberto

A2 - Jensen, Christian D.

A2 - Meng, Weizhi

PB - Springer

ER -

Aldoseri A, Oswald D, Chiper R. A tale of four gates: privilege escalation and permission bypasses on android through app components. In Atluri V, Di Pietro R, Jensen CD, Meng W, editors, Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II. 1 ed. Springer. 2022. p. 233–251. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-17146-8_12

A tale of four gates: privilege escalation and permission bypasses on android through app components

Abstract

Publication series

Access to Document

Fingerprint

Cite this