PIVATool: a fast and precise tool for analysis and detection of PendingIntent vulnerabilities

Document Type: Original Article

Authors

1 Computer Engineering Department, Engineering Faculty, Bu-Ali Sina University

2 Computer Engineering Department, Engineering Faculty, Bu-Ali Sina University

Abstract

Inter-component communication, and PendingIntent in particular, has expanded the development of Android applications. Although PendingIntent is used in many Android applications, its improper use carries risks and can lead to various attacks such as denial of service, privilege escalation and data leakage. It is therefore important to detect PendingIntent-related vulnerabilities before Android app stores publish the apps. One challenge for Android markets in analyzing and detecting vulnerabilities is the running time of vulnerability detection tools. This paper proposes a new method for detecting PendingIntent-related vulnerabilities. PIVATool is a static-analysis-based tool for detecting PendingIntent-related vulnerabilities that takes less time to detect them without compromising precision. For evaluation, PIVATool is compared with the PIAnalyzer tool. Results on 51 selected benchmark programs show that PIVATool detects vulnerabilities on average 27% faster than PIAnalyzer with the same precision.

Volume 9, Issue 2 - Serial Number 34
Serial No. 34, Summer Quarterly
June 2021
Pages 75-83
  • Receive Date: 01 August 2020
  • Revise Date: 04 October 2020
  • Accept Date: 26 October 2020
  • Publish Date: 22 June 2021