Abstract
Android allows applications to communicate with system service via system service helper so that applications can use various functions wrapped in the system services. Meanwhile, system services leverage the service helpers to enforce security mechanisms, e.g. input parameter validation, to protect themselves against attacks. However, service helpers can be easily bypassed, which poses severe security and privacy threats to system services, e.g., privilege escalation, function execution without users’ interactions, system service crash, and DoS attacks. In this paper, we perform the first systematic study on such vulnerabilities and investigate their impacts. We develop a tool to analyze all system services in the newly released Android system. Among the 104 system services and over 3,400 system service methods in the system, we discover 22 vulnerable service interfaces that can be exploited to launch real-world attacks. Furthermore, we implement and construct attacks to demonstrate the impacts of these vulnerabilities. In particular, by utilizing these vulnerabilities, these attacks result in implicit user fingerprint authentication in background, NFC data retrieval in background, Bluetooth service crash, and Android system crash.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Android open source project. https://android.googlesource.com/
Android interface definition language. https://goo.gl/UFrnT3
Gray, J.: Why do computers stop and what can be done about it? In: Symposium on Reliability in Distributed Software and Database Systems (1986)
Android API reference: Binder. https://goo.gl/w2fXFH
Shao, Y., Chen, Q.A., Mao, Z.M., Ott, J., Qian, Z.: Kratos: discovering inconsistent security policy enforcement in the android framework. In: Proceedings of the 23rd NDSS (2016)
Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: Pscout: analyzing the android permission specification. In: Proceedings of the 19th CCS (2012)
Compling with jack. https://goo.gl/o9RYX8
Dex2jar. https://goo.gl/skfQLl
Aho, A.V., Sethi, R., Ullman, J.D.: Compilers, Principles, Techniques, and Tools. Addison Wesley, Boston (1986)
Android API reference: Parcel.writeexception(). https://goo.gl/7zuXuR
Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing android sources and sinks. In: Proceedings of the 21st NDSS (2014)
Cai, L., Chen, H.: Touchlogger: inferring keystrokes on touch screen from smartphone motion. In: Proceedings of the 6th HotSec (2011)
Xu, Z., Bai, K., Zhu, S.: Taplogger: inferring user inputs on smartphone touchscreens using on-board motion sensors. In: Proceedings of the Fifth WISEC (2012)
Aviv, A.J., Sapp, B., Blaze, M., Smith, J.M.: Practicality of accelerometer side channels on smartphones. In: Proceedings of the 28th ACSAC (2012)
Cheng, Y., Ying, L., Jiao, S., Su, P., Feng, D.: Bind your phone number with caution: automated user profiling through address book matching on smartphone. In: Proceedings of the 8th ASIACCS (2013)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R., Shastry, B.: Towards taming privilege-escalation attacks on android. In: Proceedings of the 19th NDSS (2012)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R.: Xmandroid: a new android evolution to mitigate privilege escalation attacks. Technische Universität Darmstadt, Technical Report TR-2011-04 (2011)
Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: attacks and defenses. In: Proceedings of the 20th USENIX Security (2011)
Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege escalation attacks on android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011). doi:10.1007/978-3-642-18178-8_30
Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: Proceedings of the 20th USENIX Security (2011)
Zhou, Y., Jiang, X.: Detecting passive content leaks and pollution in android applications. In: Proceedings of the 20th NDSS (2013)
Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the android user interface. In: Proceedings of 36th IEEE Security and Privacy (2015)
Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: Proceedings of the 9th MobiSys (2011)
Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 19th CCS (2012)
Huang, H., Zhu, S., Chen, K., Liu, P.: From system services freezing to system server shutdown in android: all you need is a loop in an app. In: Proceedings of the 22nd CCS (2015)
Cao, C., Gao, N., Liu, P., Xiang, J.: Towards analyzing the input validation vulnerabilities associated with android system services. In: Proceedings of the 31st ACSAC (2015)
Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of the 16th CCS (2009)
Fuchs, A.P., Chaudhuri, A., Foster, J.S.: Scandroid: automated security certification of android (2009)
Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th MobiSys (2012)
Grace, M.C., Zhou, W., Jiang, X., Sadeghi, A.-R.: Unsafe exposure analysis of mobile in-app advertisements. In: Proceedings of the Fifth WISEC (2012)
Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the Second CODASPY (2012)
Hanna, S., Huang, L., Wu, E., Li, S., Chen, C., Song, D.: Juxtapp: a scalable system for detecting code reuse among android applications. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 62–81. Springer, Heidelberg (2013). doi:10.1007/978-3-642-37300-8_4
Androguard. http://code.google.com/p/androguard
Androbugs. http://www.androbugs.com
Acknowledgements
This work was partially supported by the National Natural Science Foundation of China under grants 61572278, 61502468, 61502469 and 61572483, the National Key R&D Program of China under grant 2016YFB0800102, and the National Basic Research Program of China (973 Program) under grant 2012CB315804.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Gu, Y., Cheng, Y., Ying, L., Lu, Y., Li, Q., Su, P. (2017). Exploiting Android System Services Through Bypassing Service Helpers. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-59608-2_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59607-5
Online ISBN: 978-3-319-59608-2
eBook Packages: Computer ScienceComputer Science (R0)