NIVAnalyzer: A Tool for Automatically Detecting and Verifying Next-Intent Vulnerabilities in Android Apps

Junjie Tang, Xingmin Cui, Shanqing Guo, Xinshun Xu, Chengyu Hu, Tao Ban, Bing Mao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations

Abstract

In the Android system design, any app can start another app's public components to facilitate code reuse by sending an asynchronous message called Intent. In addition, Android also allows an app to have private components that should only be visible to the app itself. However, malicious apps can bypass this system protection and directly invoke private components in vulnerable apps through a class of newly discovered vulnerability, which is called next-intent vulnerability. In this paper, we design an intent flow analysis strategy which accurately tracks the intent in smali code to statically detect next-intent vulnerabilities efficiently and effectively on a large scale. We further propose an automated approach to dynamically verify the discovered vulnerabilities by generating exploit apps. Then we implement a tool named NIVAnalyzer and evaluate it on 20,000 apps downloaded from Google Play. As the result, we successfully confirms 190 vulnerable apps, some of which even have millions of downloads. We also confirmed that an open-source project and a third-party SDK, which are still used by other apps, have next intent vulnerabilities.

Original languageEnglish (US)
Title of host publicationProceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages492-499
Number of pages8
ISBN (Electronic)9781509060313
DOIs
StatePublished - May 15 2017
Event10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017 - Tokyo, Japan
Duration: Mar 13 2017Mar 17 2017

Publication series

NameProceedings - 10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017

Conference

Conference10th IEEE International Conference on Software Testing, Verification and Validation, ICST 2017
Country/TerritoryJapan
CityTokyo
Period3/13/173/17/17

Keywords

  • Android
  • Intent
  • Static and dynamic analysis
  • Tool
  • Vulnerability

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'NIVAnalyzer: A Tool for Automatically Detecting and Verifying Next-Intent Vulnerabilities in Android Apps'. Together they form a unique fingerprint.

Cite this