【论文笔记】2022年四大顶会 Android安全相关论文

Jouzzy

已于 2023-12-07 19:43:04 修改

阅读量995

点赞数 1

分类专栏：论文笔记文章标签： android 论文阅读安全

于 2023-03-22 05:57:52 首次发布

原文链接：https://www.sigsac.org/ccs/CCS2022/program/accepted-papers.html

版权

论文笔记专栏收录该内容

5 篇文章 2 订阅

订阅专栏

CCS′22

列表：https://www.sigsac.org/ccs/CCS2022/program/accepted-papers.html

Detecting and Measuring Misconfigured Manifest in Android Apps

Yuqing Yang (The Ohio State University); Mohamed Elsabagh (Kryptowire); Chaoshun Zuo (The Ohio State University); Ryan Johnson (Kryptowire); Angelos Stavrou (Kryptowire); Zhiqiang Lin (The Ohio State University)

标签：清单文件错误配置，误用，Android漏洞，数据泄露，组件安全

Android 应用程序的清单文件对于应用程序安全至关重要，因为它声明了敏感的应用程序配置，例如访问应用程序组件所需的访问权限。令人惊讶的是，我们注意到许多广泛使用的应用程序（有些应用程序的下载量超过 5 亿次）在其清单文件中包含可能导致严重安全问题的错误配置。
本文介绍了 ManiScope，这是一种在给定 Android APK 时自动检测清单文件配置错误的工具。关键思想是通过使用新颖的 domain-aware NLP 技术和规则从清单文档中提取 ManiScope 约束来构建清单 XML 模式，并根据模式检查清单文件是否存在错误配置。
我们实现了 ManiScope。我们分别从 Google Play 的 1,853,862 个应用程序中识别出 609,428 个 (33.20%) 配置错误的 Android 应用程序，以及从 4,580 个三星固件的 692,106 个预装应用程序中识别出 246,658 个 (35.64%) 配置错误的应用程序。其中，84,117 个（13.80%）错误配置的 Google Play 应用程序和 56,611 个（22.95%）错误配置的预装应用程序具有各种安全隐患，包括应用程序欺诈、消息欺骗、秘密数据泄露和组件劫持。

The manifest file of an Android app is crucial for app security as it declares sensitive app configurations, such as access permissions required to access app components. Surprisingly, we noticed a number of widely-used apps (some with over 500 million downloads) containing misconfigurations in their manifest files that can result in severe security issues. This paper presents ManiScope, a tool to automatically detect misconfigurations of manifest files when given an Android APK. The key idea is to build a manifest XML Schema by extracting ManiScope constraints from the manifest documentation with novel domain-aware NLP techniques and rules, and validate manifest files against the schema to detect misconfigurations. We have implemented ManiScope, with which we have identified 609,428 (33.20%) misconfigured Android apps out of 1,853,862 apps from Google Play, and 246,658 (35.64%) misconfigured ones out of 692,106 pre-installed apps from 4,580 Samsung firmwares, respectively. Among them, 84,117 (13.80%) of misconfigured Google Play apps and 56,611 (22.95%) of misconfigured pre-installed apps have various security implications including app defrauding, message spoofing, secret data leakage, and component hijacking.

Freely Given Consent? Studying Consent Notice of Third-Party Tracking and Its Violations of GDPR in Android Apps

Trung Tin Nguyen (CISPA Helmholtz Center for Information Security; Saarland University); Michael Backes (CISPA Helmholtz Center for Information Security); Ben Stock (CISPA Helmholtz Center for Information Security)

标签：隐私保护，合规

欧盟通用数据保护条例 (GDPR) 于 2018 年 5 月通过，要求对处理用户个人数据的同意必须是自由提供的、具体的、知情的和明确的。虽然之前的工作表明这通常不是通过自动网络流量分析给出的，但没有工作系统地研究当前的mobile apps中 同意通知（consent notices）是如何被实现的，以及这些实现是否符合GDPR。

为了缩小这种research gap，我们对 Android app中第三方实施的同意通知进行了首次大规模研究，以了解当前的做法和违反GDPR的现状。具体来说，我们提出了一种主要是自动化且可扩展的方法来识别当前实现的同意通知，并将其应用于一组 239,381 个 Android 应用程序。因此，我们认识到四种广泛实施的机制可以与来自 13,082 个应用程序的同意用户界面进行交互。然后，我们开发了一种工具，可以根据已识别的机制，自动检测不同同意条件下，被发送到互联网的用户个人数据。这样做，我们发现 30,160 个应用程序甚至没有尝试实施与第三方数据控制者共享用户个人数据的同意通知，这些控制者根据 GDPR 要求明确同意。相比之下，在实施同意通知的 13,082 个应用程序中，我们发现 2,688 个 (20.54%) 应用程序至少违反了 GDPR 的一项同意要求，例如试图欺骗用户接受所有数据共享，甚至在用户明确选择时继续传输数据出去。为了让开发人员能够解决问题，我们会发送电子邮件通知受影响的开发人员并从他们的回复中收集见解。我们的研究表明，迫切需要更透明地处理个人数据，并支持开发人员努力遵守法规，确保用户可以就其数据做出自由和知情的选择。

Adopted in May 2018, the European Union’s General Data Protection Regulation (GDPR) requires the consent for processing users’ personal data to be freely given, specific, informed, and unambiguous. While prior work has shown that this often is not given through automated network traffic analysis, no research has systematically studied how consent notices are currently implemented and whether they conform to GDPR in mobile apps.

To close this research gap, we perform the first large-scale study into consent notices for third-party tracking in Android apps to understand the current practices and the current state of GDPR’s consent violations. Specifically, we propose a mostly automated and scalable approach to identify the currently implemented consent notices and apply it to a set of 239,381 Android apps. As a result, we recognize four widely implemented mechanisms to interact with the consent user interfaces from 13,082 apps. We then develop a tool that automatically detects users’ personal data sent out to the Internet with different consent conditions based on the identified mechanisms. Doing so, we find 30,160 apps do not even attempt to implement consent notices for sharing users’ personal data with third-party data controllers, which mandate explicit consent under GDPR. In contrast, out of 13,082 apps implemented consent notices, we identify 2,688 (20.54%) apps violate at least one of the GDPR consent requirements, such as trying to deceive users into accepting all data sharing or even continuously transmitting data when users have explicitly opted out. To allow developers to address the problems, we send emails to notify affected developers and gather insights from their responses. Our study shows the urgent need for more transparent processing of personal data and supporting developers in this endeavor to comply with legislation, ensuring users can make free and informed choices regarding their data.

（已精读）※ Hidden in Plain Sight: Exploring Encrypted Channels in Android apps

Sajjad Pourali (Concordia University); Nayanamana Samarasinghe (Concordia University); Mohammad Mannan (Concordia University)

标签：协议分析，密码学，隐私泄露检测

好像是说很多app会通过非HTTP信道以及应用层自定义加密算法完成隐私信息的传输，从而泄露用户的隐私信息。本文对这种情况进行了测量。

我一开始觉得这篇比较有趣，就细读了一下。
这篇文章并没有使用很复杂的程序分析技术来识别custom encryption operation，而是基于AndroidViewClient开发了一个“增强版的Monkey”，再基于UI控件触发app的各种行为，再使用frida、tcpdump、mitmproxy等工具记录日志（比如密码学API调用、文件操作、network traffic），再进行分析（比如多台设备多次触发，观察key是否变化，以确定fixed key这种misuse）。本文不专门处理代码混淆。
可以说，本文几乎是纯动态分析。本文最难实现的部分应该是UI interactor，也就是触发UI空间的那部分。这部分的设计还是很值得参考的。
感觉本文的insight十分正点，实验过程也非常完备，用到的工具基本都是易于二次开发的开源工具。实验没有太奇绝的地方，但胜在处理细致、过程完善、逻辑通畅。而且工具也开源了。

随着 Android 操作系统中隐私功能的改进，侵犯隐私的app可能会逐渐将重点转移到 非标准和隐蔽的信道（non-standard and covert channels），以泄露私人用户/设备信息。此类泄漏在很大程度上无法被最先进的隐私分析工具检测到，这些工具通常只善于分析常规 HTTP 和 HTTPS 信道带来的隐私泄露。

在这项研究中，我们设计并实现了 ThirdEye，以提高当前隐私分析工具的洞察能力。这种提升体现在对各种非标准和隐蔽信道上发生的隐私泄露的检测。信道所用到的协议包括 TCP/UDP 上的任何协议（而不只是 HTTP/S），以及在 HTTP/S 和非 HTTP 协议上使用多层自定义加密的协议。除了通过网络泄露隐私，我们还考虑通过存储泄露隐私的隐蔽信道，这些信道也利用自定义加密层。

我们使用 ThirdEye 分析了 Androidrank 中各类别的 12,598 个热门应用，发现 2887/12,598 (22.92%) 个应用使用自定义加密/解密进行网络传输和在共享设备存储中存储内容，2465/2887 (85.38%)这些应用程序的一部分通过网络发送了可以对用户进行指纹识别的设备信息（例如，广告 ID、已安装应用程序列表）。此外，299个应用程序通过HTTP/非HTTP协议传输不安全的加密内容； 22 个通过 HTTPS 使用身份验证令牌的应用程序恰好通过不安全（尽管自定义加密）的 HTTP/非 HTTP 信道公开它们。我们发现了具有多级混淆的非标准和隐蔽信道（例如，对数据加密后再通过HTTPS发送、多级嵌套加密），以及易受攻击的密钥和加密算法的使用。我们的发现可以为非标准和隐蔽信道不断发展的领域提供有价值的见解，并有助于激发针对此类隐私泄露和安全问题的新对策。

As privacy features in Android operating system improve, privacy-invasive apps may gradually shift their focus to non-standard and covert channels for leaking private user/device information. Such leaks also remain largely undetected by state-of-the-art privacy analysis tools, which are very effective in uncovering privacy exposures via regular HTTP and HTTPS channels. In this study, we design and implement, ThirdEye, to significantly extend the visibility of current privacy analysis tools, in terms of the exposures that happen across various non-standard and covert channels, i.e., via any protocol over TCP/UDP (beyond HTTP/S), and using multi-layer custom encryption over HTTP/S and non-HTTP protocols. Besides network exposures, we also consider covert channels via storage media that also leverage custom encryption layers. Using ThirdEye, we analyzed 12,598 top-apps in various categories from Androidrank, and found that 2887/12,598 (22.92%) apps used custom encryption/decryption for network transmission and storing content in shared device storage, and 2465/2887 (85.38%) of those apps sent device information (e.g., advertising ID, list of installed apps) over the network that can fingerprint users. Besides, 299 apps transmitted insecure encrypted content over HTTP/non-HTTP protocols; 22 apps that used authentication tokens over HTTPS, happen to expose them over insecure (albeit custom encrypted) HTTP/non-HTTP channels. We found non-standard and covert channels with multiple levels of obfuscation (e.g., encrypted data over HTTPS, encryption at nested levels), and the use of vulnerable keys and cryptographic algorithms. Our findings can provide valuable insights into the evolving field of non-standard and covert channels, and help spur new countermeasures against such privacy leakage and security issues.

※※ Uncovering Intent based Leak of Sensitive Data in Android Framework

Hao Zhou (The Hong Kong Polytechnic University); Xiapu Luo (The Hong Kong Polytechnic University); Haoyu Wang (Huazhong University of Science and Technology); Haipeng Cai (Washington State University; Pullman)

标签：组件安全，Android漏洞

目测是一篇关于组件间数据流安全的文章，关注OS和app之间的intent传递，发现了一些漏洞。

为了防止未经授权的应用程序检索敏感数据，Android framework强制执行基于权限的访问控制。然而，人们早就知道，为了绕过访问控制，无权的app可以拦截有权app发送的 Intent 对象，并携带检索到的敏感数据。

我们发现 Android 框架中有一个新的攻击面，未经授权的应用程序可以利用它来违反访问控制。具体来说，我们发现Android Framework发送的部分携带敏感数据的Intent对象可以被未授权的app接收，从而导致敏感数据泄露。在本文中，我们对新的攻击面进行了首次系统调查，即 Android 框架中基于intent的敏感数据泄漏。为了自动发现 Android 框架中的此类漏洞，我们设计和开发了一个名为 LeakDetector 的新工具，它可以找到 Android 框架发送的 Intent 对象，这些对象可以被未经授权的应用程序接收并携带敏感数据。

将LeakDetector应用于10个商用Android系统，我们发现它可以有效地发现Android框架中基于Intent的敏感数据泄漏。具体来说，我们发现了 36 个此类数据泄漏的可利用案例，这些案例可以被未经授权的应用程序滥用以窃取敏感数据，从而违反访问控制。在撰写本文时，其中 16 个已得到谷歌、三星和小米的确认，我们收到了这些移动供应商的漏洞赏金奖励。

To prevent unauthorized apps from retrieving the sensitive data, Android framework enforces a permission based access control. However, it has long been known that, to bypass the access control, unauthorized apps can intercept the Intent objects which are sent by authorized apps and carry the retrieved sensitive data. We find that there is a new (previously unknown) attack surface in Android framework that can be exploited by unauthorized apps to violate the access control. Specifically, we discover that part of Intent objects that are sent by Android framework and carry sensitive data can be received by unauthorized apps, resulting in the leak of sensitive data. In this paper, we conduct the first systematic investigation on the new attack surface namely the Intent based leak of sensitive data in Android framework. To automatically uncover such kind of vulnerability in Android framework, we design and develop a new tool named LeakDetector, which finds the Intent objects sent by Android framework that can be received by unauthorized apps and carry the sensitive data. Applying LeakDetector to 10 commercial Android systems, we find that it can effectively uncover the Intent based leak of sensitive data in Android framework. Specifically, we discover 36 exploitable cases of such kind of data leak, which can be abused by unauthorized apps to steal the sensitive data, violating the access control. At the time of writing, 16 of them have been confirmed by Google, Samsung, and Xiaomi, and we received bug bounty rewards from these mobile vendors.

（已精读）※ Understanding Real-world Threats to Deep Learning Models in Android Apps

Zizhuang Deng (SKLOIS; Institute of Information Engineering; Chinese Academy of Sciences & School of Cyber Security; University of Chinese Academy of Sciences); Kai Chen (SKLOIS; Institute of Information Engineering; Chinese Academy of Sciences & School of Cyber Security; University of Chinese Academy of Sciences & Beijing Academy of Artificial Intelligence); Guozhu Meng (SKLOIS; Institute of Information Engineering; Chinese Academy of Sciences & School of Cyber Security; University of Chinese Academy of Sciences); Xiaodong Zhang (SKLOIS; Institute of Information Engineering; Chinese Academy of Sciences & School of Cyber Security; University of Chinese Academy of Sciences); Ke Xu (Huawei International Pte Ltd); Yao Cheng (Huawei International Pte Ltd)

标签：机器学习，对抗样本

目测是研究如何对安卓app中的深度学习模型实施对抗攻击。攻击包括模型的自动提取、捕获输入输出、对抗样本的生成和验证等步骤。

深度学习（DL）以其卓越的性能而闻名，已在许多app中得到广泛使用，同时也为模型带来了各种威胁。一种主要威胁来自对抗性攻击。多年来，研究人员对这种威胁进行了深入研究，并提出了数十种创建对抗样本 (AE) 的方法。但大多数方法仅在有限的模型和数据集（例如 MNIST、CIFAR-10）上进行评估。因此，攻击真实世界 DL 模型的有效性尚不清楚。在本文中，我们对 针对真实世界 DNN 模型的对抗攻击 进行了首次系统研究，并提供了一个名为 RWM 的真实世界模型数据集。

特别地，我们设计了一套方法来使当前的 AE 生成算法 适应各种现实世界的 DL 模型，包括从 Android 应用程序中自动提取 DL 模型，捕获应用程序中 DL 模型的输入和输出，生成对抗样本 并通过观察应用程序的执行来验证它们。对于黑盒 DL 模型，我们设计了一种基于语义的方法来构建合适的数据集，并在执行基于传输的攻击时使用它们来训练替代模型。在分析了从 62,583 个真实世界应用程序中收集的 245 个 DL 模型后，我们有一个独特的机会来了解真实世界 DL 模型与当代 AE 生成算法之间的差距。令我们惊讶的是，目前的 AE 生成算法只能直接攻击 6.53% 的模型。受益于我们的方法，成功率提升至 47.35%。

Famous for its superior performance, deep learning (DL) has been popularly used within many applications, which also at the same time attracts various threats to the models. One primary threat is from adversarial attacks. Researchers have intensively studied this threat for several years and proposed dozens of approaches to create adversarial examples (AEs). But most of the approaches are only evaluated on limited models and datasets (e.g., MNIST, CIFAR-10). Thus, the effectiveness of attacking real-world DL models is not quite clear. In this paper, we perform the first systematic study of adversarial attacks on real-world DNN models and provide a real-world model dataset named RWM. Particularly, we design a suite of approaches to adapt current AE generation algorithms to the diverse real-world DL models, including automatically extracting DL models from Android apps, capturing the inputs and outputs of the DL models in apps, generating AEs and validating them by observing the apps’ execution. For black-box DL models, we design a semantic-based approach to build suitable datasets and use them for training substitute models when performing transfer-based attacks. After analyzing 245 DL models collected from 62,583 real-world apps, we have a unique opportunity to understand the gap between real-world DL models and contemporary AE generation algorithms. To our surprise, the current AE generation algorithms can only directly attack 6.53% of the models. Benefiting from our approach, the success rate upgrades to 47.35%.

※ Watch Out for Race Condition Attacks When Using Android External Storage

Shaoyong Du (State Key Laboratory of Mathematical Engineering and Advanced Computing); Xin Liu (State Key Laboratory of Mathematical Engineering and Advanced Computing); Guoqing Lai (State Key Laboratory of Mathematical Engineering and Advanced Computing); Xiangyang Luo (State Key Laboratory of Mathematical Engineering and Advanced Computing)

标签：存储安全，误用，Android漏洞检测，条件竞争

感觉这个描述很有趣，目测，尽管scoped storage早已被推出，但本文针对的是未部署scoped storage的情形。

目前，Android app 严重依赖外部存储。竞争条件是由不适当的文件操作引入的。通过竞争条件，恶意应用程序可以操纵文件内容并诱导受害应用程序执行意外操作，我们称之为竞争条件攻击。竞争条件攻击会导致一系列安全问题，之前的工作已经实现了其中的一些。从 Android 10 开始，谷歌引入了 scoped storage 来防御基于外部存储的攻击。然而，考虑到目前不同安卓版本的市场份额，要在每台设备上部署scoped storage还有很长的路要走。

为了保护当前用户免受此类攻击，提高应用程序开发人员的安全意识至关重要。因此，我们对竞争条件攻击进行了全面调查，以了解其在 Android 应用程序中的现状。我们提出了一个名为 RECAST 的分析引擎，它收集外部存储上的文件操作事件并推断相关的文件操作过程。通过 RECAST，我们收集了超过 105,963 个文件的 5,359,339 个文件操作事件。从分析结果中我们发现，在有限的事件种类下，构成了数量庞大的唯一文件操作模式（1,977）。在这些文件操作模式中，时间窗口很常见，可以发起一系列攻击（94.26% 的测试文件都容易受到此问题的影响）。因此，竞争条件攻击已成为应用程序开发人员在使用 Android 外部存储时不可忽视的问题。

Currently, in Android, applications (apps for short) rely heavily on external storage to provide their services. Race conditions are introduced by the inappropriate file operations. Through race conditions, the malicious app can manipulate the file content and induce the victim app to perform unexpected actions, which we callrace condition attack. Race condition attack can cause a series of security problems and prior work has already implemented some of them. From Android 10, Google has introduced scoped storage to defend against attacks based on external storage. However, considering current market shares of different Android versions, it is still a long way to have scoped storage deployed on each device. To protect current users from this kind of attack, it is essential to raise app developers’ security awareness.

Therefore, we conduct a comprehensive survey on race condition attack to learn about its current status over Android apps. We propose an analysis engine, named RECAST, which gathers file operation events on external storage and infers the associated file operation processes. With RECAST, we collect 5,359,339 file operation events over 105,963 files. From the analysis result, we find that, with the limited kinds of events, a tremendous number of unique file operating patterns (1,977) are constituted. Over these file operating patterns, the time window is much common and available to launch a series of attacks (94.26% of the tested files are vulnerable to this problem). Consequently, race condition attack has become a non-negligible issue for app developers when using Android external storage.

Collect Responsibly But Deliver Arbitrarily?: A Study on Cross-User Privacy Leakage in Mobile Apps

Shuai Li (Fudan University); Zhemin Yang (Fudan University); Nan Hua (Fudan University); Peng Liu (The Pennsylvania State University); Xiaohan Zhang (Fudan University); Guangliang Yang (Fudan University); Min Yang (Fudan University)

近年来，现代移动应用程序越来越多地表现为用户之间的平台，应用程序用户可以自由、方便地相互连接。在这些平台上，丰富而多样的数据通常跨用户交付，这为用户带来了巨大的便利和丰富的服务，但也引入了隐私安全问题。虽然以前的工作主要研究了移动应用程序中非法个人数据收集问题，但很少关注这种新兴的用户之间平台特性的安全性，因此在这方面提供了相对有限的隐私风险理解。

本文重点研究用户之间平台特性的安全性，揭示了其引起的尚未充分研究但关键的隐私风险，即由跨用户个人数据过度交付（简称XPO）带来的风险。本文首次揭示了这种XPO风险在野外的情况、普遍性和严重性评估。为了实现这一目标，我们设计了一种新型的自动化风险检测框架，名为XPOChecker，它利用机器学习和程序分析的优势，在用户之间连接期间广泛而精确地识别潜在的隐私风险，并判断传递的数据是否合法。通过将XPOChecker应用于13,820个真实的热门Android应用程序，我们发现XPO在实践中普遍存在，有1,902个应用程序（13.76%）受到影响。除了暴露多样化的个人隐私数据引起的严重而广泛的隐私侵犯外，我们还展示了XPO攻击可以使隐私保护机制失效，泄露商业机密，甚至可以恢复受害者的敏感成员身份，可能带来个人安全威胁。此外，我们还首次确认了iOS应用中存在XPO风险。最后，为了帮助理解和预防XPO，我们已负责任地启动了两次通知活动，通知受影响的应用程序开发者，并从开发者反馈

Recent years have witnessed the interesting trend that modern mobile apps perform more and more likely as user-to-user platforms, where app users can be freely and conveniently connected. Upon these platforms, rich and diverse data is often delivered across users, which brings users great conveniences and plentiful services, but also introduces privacy security concerns. While prior work has primarily studied illegitimate personal data collection problems in mobile apps, few paid little attention to the security of this emerging user-to-user platform feature, thus providing a rather limited understanding of the privacy risks in this aspect.

In this paper, we focus on the security of the user-to-user platform feature and shed light on its caused insufficiently-studied but critical privacy risk, which is brought forward by cross-user personal data over-delivery (denoted as XPO). For the first time, this paper reveals the landscape of such XPO risk in wild, along with prevalence and severity assessment. To achieve this, we design a novel automated risk detection framework, named XPOChecker, that leverages the advantages of machine learning and program analysis to extensively and precisely identify potential privacy risks during user-to-user connections, and regulate whether the delivered data is legitimate or not. By applying XPOChecker on 13,820 real-world popular Android apps, we find that XPO is prevalent in practice, with 1,902 apps (13.76%) being affected. In addition to the mere exposure of diverse private user data which causes serious and broad privacy infringement, we demonstrate that the XPO exploits can invalidate privacy preservation mechanisms, leak business secrets, and even restore the sensitive membership of victims which potentially poses personal safety threats. Furthermore, we also confirm the existence of XPO risks in iOS apps for the first time. Last, to help understand and prevent XPO, we have responsibly launched two notification campaigns to inform the developers of the affected apps, with the conclusion of five underlying lessons from developers’ feedback. We hope our work can make up for the deficiency of the understandings of XPO, help developers avoid XPO, and motivate further researches.

USENIX Security′22

列表：
https://www.usenix.org/conference/usenixsecurity22/summer-accepted-papers
https://www.usenix.org/conference/usenixsecurity22/fall-accepted-papers
https://www.usenix.org/conference/usenixsecurity22/winter-accepted-papers

（已精读）※※ Identity Confusion in WebView-based Mobile App-in-app Ecosystems

Lei Zhang, Zhibo Zhang, and Ancong Liu, Fudan University; Yinzhi Cao, Johns Hopkins University; Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, and Min Yang, Fudan University

Distinguished Paper Award Winner

这篇是关于小程序身份混淆的研究，也是Security22的12篇杰出论文之一。
核心就是超级应用对小程序的身份校验存在可以被绕过的情况，导致恶意小程序代码可以调用特权API，实现权限跃升、隐私泄露、钓鱼攻击等攻击效果。

文章提出了三大类共8种身份混淆漏洞，包括Domain Name Confusion、App ID Confusion、Capability Confusion等类型。
我感觉其中最好玩的是Domain Name Confusion里面的Racing Condition类型的漏洞（文章中称为Timing-based Confusion），感觉这类漏洞的发现需要一定的web经验，而且相应的自动化分析也需要仔细设计。

另外就是这篇文章提到了小程序hidden API的问题（API冰山现象）。这个小问题后来也被OSU 林老师团队单独作为一个研究问题研究了一下，发表于CCS′23。这也说明本文的研究内容很丰富，工作量很大。

Mobile applications (apps) often delegate their own functions to other parties, which makes them become a super ecosystem hosting these parties. Therefore, such mobile apps are being called super-apps, and the delegated parties are subsequently called sub-apps, behaving like “app-in-app”. Sub-apps not only load (third-party) resources like a normal app, but also have access to the privileged APIs provided by the super-app. This leads to an important research question—determining who can access these privileged APIs.

Real-world super-apps, according to our study, adopt three types of identities—namely web domains, sub-app IDs, and capabilities—to determine privileged API access. However, existing identity checks of these three types are often not well designed, leading to a disobey of the least privilege principle. That is, the granted recipient of a privileged API is broader than intended, thus defined as an “identity confusion” in this paper. To the best of our knowledge, no prior works have studied this type of identity confusion vulnerability.

In this paper, we perform the first systematic study of identity confusion in real-world app-in-app ecosystems. We find that confusions of the aforementioned three types of identities are widespread among all 47 studied super-apps. More importantly, such confusions lead to severe consequences such as manipulating users’ financial accounts and installing malware on a smartphone. We responsibly reported all of our findings to developers of affected super-apps, and helped them to fix their vulnerabilities.

A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned

Yun Shen and Pierre-Antoine Vervier, Norton Research Group; Gianluca Stringhini, Boston University

We study the temporal dynamics of potentially harmful apps (PHAs) on Android by leveraging 8.8M daily on-device detections collected among 11.7M customers of a popular mobile security product between 2019 and 2020. We show that the current security model of Android, which limits security products to run as regular apps and prevents them from automatically removing malicious apps opens a significant window of opportunity for attackers. Such apps warn users about the newly discovered threats, but users do not promptly act on this information, allowing PHAs to persist on their device for an average of 24 days after they are detected. We also find that while app markets remove PHAs after these become known, there is a significant delay between when PHAs are identified and when they are removed: PHAs persist on Google Play for 77 days on average and 34 days on third party marketplaces. Finally, we find evidence of PHAs migrating to other marketplaces after being removed on the original one. This paper provides an unprecedented view of the Android PHA landscape, showing that current defenses against PHAs on Android are not as effective as commonly thought, and identifying multiple research directions that the security community should pursue, from orchestrating more effective PHA takedowns to devising better alerts for mobile security products.

※ FReD: Identifying File Re-Delegation in Android System Services

Sigmund Albert Gorski III, Seaver Thorn, and William Enck, North Carolina State University; Haining Chen, Google

Android平台的安全性受益于特权中间件，该中间件提供对受保护资源的间接访问。将功能分离到许多不同的服务中，并通过精心调整文件访问控制策略来缓解软件漏洞的影响，进一步增强了这种体系结构。然而，如果这些服务通过远程过程调用（RPC）接口不当地重新委派文件访问给第三方应用程序，这些服务可能会变成混淆的代理。在本文中，我们提出了一个名为FReD的静态程序分析工具，它识别了基于Java的系统服务RPC接口与服务的Java和C/C++部分中打开的文件路径之间的映射。然后，它将Linux层文件访问控制策略与Android层权限策略相结合，以识别潜在的文件重新委派。我们使用FReD来分析三个运行Android 10的设备，并识别出12个可由第三方应用程序访问的混淆代理。这些漏洞包括五个中危CVE，证明了半自动方法发现访问控制实施中微妙缺陷的效用。

The security of the Android platform benefits greatly from a privileged middleware that provides indirect access to protected resources. This architecture is further enhanced by privilege separating functionality into many different services and carefully tuning file access control policy to mitigate the impact of software vulnerabilities. However, these services can become confused deputies if they improperly re-delegate file access to third-party applications through remote procedure call (RPC) interfaces. In this paper, we propose a static program analysis tool called FReD, which identifies a mapping between Java-based system service RPC interfaces and the file paths opened within the Java and C/C++ portions of the service. It then combines the Linux-layer file access control policy with the Android-layer permission policy to identify potential file re-delegation. We use FReD to analyze three devices running Android 10 and identify 12 confused deputies that are accessible from third-party applications. These vulnerabilities include five CVEs with moderate severity, demonstrating the utility of semi-automated approaches to discover subtle flaws in access control enforcement.

FOAP: Fine-Grained Open-World Android App Fingerprinting

Jianfeng Li, Hao Zhou, Shuohan Wu, and Xiapu Luo, The Hong Kong Polytechnic University; Ting Wang, Pennsylvania State University; Xian Zhan, The Hong Kong Polytechnic University; Xiaobo Ma, Xi’an Jiaotong University

Despite the widespread adoption of encrypted communication for mobile apps, adversaries can still identify apps or infer selected user activities of interest from encrypted mobile traffic via app fingerprinting (AF) attacks. However, most existing AF techniques only work under the closed-world assumption, thereby suffering potential precision decline when faced with apps unseen during model training. Moreover, serious privacy leakage often occurs when users conduct some sensitive operations, which are closely associated with specific UI components. Unfortunately, existing AF techniques are too coarse-grained to acquire such fine-grained sensitive information. In this paper, we take the first step to identify method-level fine-grained user action of Android apps in the open-world setting and present a systematic solution, dubbed FOAP, to address the above limitations. First, to effectively reduce false positive risks in the open-world setting, we propose a novel metric, named structural similarity, to adaptively filter out traffic segments irrelevant to the app of interest. Second, FOAP achieves fine-grained user action identification via synthesizing traffic and binary analysis. Specifically, FOAP identifies user actions on specific UI components through inferring entry point methods correlated with them. Extensive evaluations and case studies demonstrate that FOAP is not only reasonably accurate but also practical in fine-grained user activity inference and user privacy analysis.

（已精读）※ SARA: Secure Android Remote Authorization

Abdullah Imran, Habiba Farrukh, Muhammad Ibrahim, Z. Berkay Celik, and Antonio Bianchi, Purdue University

这是一篇防护类的工作，是对一种Remote Authorization方案的设计。
这里的Remote Authorization指的主要是User Authentication 和 Device Attestation

核心的motivation是，目前主流安卓设备上的，基于TEE的API都有所局限：
(1) Android Confirmation Prompt 在 secure UI 上显示（能保证不被覆盖），但是没有authentication功能
(2) Biometric Prompt 不在secure UI 上显示（不能保证不被覆盖），但有authentication功能
因此基于这两者（Android Protected Confirmation 和 BiometricPrompt API）实现的Remote Authorization都有局限性。
作者通过一个简单的协议设计（利用最基本的签名和挑战响应），将Protected Confirmation API 和 BiometricPrompt API 结合，实现了一套Remote Authorization机制，该机制能保证Prompt 不被覆盖，且具备authentication功能。

Modern smartphones are equipped with Trusted Execution Environments (TEEs), offering security features resilient even against attackers able to fully compromise the normal operating system (e.g., Linux in Android devices). The academic community, as well as the smartphone manufacturers, have proposed to use TEEs to strengthen the security of authorization protocols. However, the usage of these protocols has been hampered by both practicality issues and lack of completeness in terms of security.

To address these issues, in this paper, we design, implement, and evaluate SARA (Secure Android Remote Authorization),an Android library that uses the existing TEE-powered Android APIs to implement secure, end-to-end remote authorization for Android apps. SARA is practical in its design, as it makes use of Android APIs and TEE features that are already present in modern Android devices to implement a novel secure authorization protocol. In fact, SARA does not require any modifications to the Android operating system nor to the code running in TrustZone (the TEE powering existing Android devices). For this reason, it can be readily used in existing apps running on existing smartphones. Moreover, SARA is designed to ensure that even developers that have no experience in implementing security protocols can make use of it within their apps. At the same time, SARA is secure, since it allows implementing authorization protocols that are resilient even against attackers able to achieve root privileges on a compromised Android device.

We first evaluate SARA by conducting a user study to ascertain its usability. Then, we prove SARA’s security features by formally verifying its security protocol using ProVerif.

Oakland′22

（已精读）Exploit the Last Straw That Breaks Android Systems

Lei Zhang (Fudan University, China), Keke Lian (Fudan University, China), Haoyu Xiao (Fudan University, China), Zhibo Zhang (Fudan University, China), Peng Liu (The Pennsylvania State University, United States of America), Yuan Zhang (Fudan University, China), Min Yang (Fudan University, China), Haixin Duan (Tsinghua University, China)

本文是一篇Attack类的论文，介绍了一种针对Android OS的DoS攻击，攻击面是Binder。对应的漏洞属于Memory consumption vulnerability。
攻击存在的原因包括：
（1）Inconsistent Life Cycle：Binder通讯建立后，Client可以清空本地数据，但是Server需要暂存数据以应对Client的下一次请求。这导致Server端的内存消耗更大。在基于Binder的System Service中，Service进程通常作为Binder Server。
（2）Limited Memory Usage：系统给每个进程（包括System Server进程）分配的内存空间是有限的。例如，当系统进程的堆内存使用量超过512MB时，会出现OOM错误，安卓系统的保护机制被触发，系统会重启
（3）Lack of Memory Size Check：AOSP中的一些系统服务的源码中，缺少对剩余内存大小的检查。

据此，本文提出了稻草攻击：也就是恶意app不断构造数据并发送给系统服务进程，导致系统服务进程的内存使用量越来越大，最终超过阈值，导致系统crash，从而实现Dos攻击。
这个过程就像不断给骆驼（系统服务进程）施加稻草，最终导致骆驼不堪重负（系统crash）。
为了检测AOSP中的这类漏洞，作者设计了一套基于Fuzz的检测方案。该方案主要关注AOSP的系统服务进程中，内存消耗相关的函数。

The Android system services usually play a critical role in running multiple important tasks, and delivering seamless user experiences, e.g., conveniently storing user data. In this paper, we conduct the first systematic security study on the data storing process in Android system services, and consequently discover a novel class of design flaws (named Straw), which can lead to serious DoS (Denial-of-Service) attacks, e.g., permanently crashing the whole victim Android device.

Then we propose a novel directed fuzzing based approach, called StrawFuzzer, to automatically vet all system services against the straw vulnerabilities. StrawFuzzer balances the tradeoff between path exploration and vulnerability exploitation. By applying StrawFuzzer on three Android systems with the latest security updates, we identified 35 unique straw vulnerabilities affecting 474 interfaces across 77 system services and successfully generated corresponding exploits, which can be used to conduct various permanent/temporary DoS attacks. We have reported our findings with suggestions for repairing the vulnerabilities to corresponding vendors. Up to now, Google has rated our vulnerability as high severity.

FSAFlow: Lightweight and Fast Dynamic Path Tracking and Control for Privacy Protection on Android Using Hybrid Analysis with State-Reduction Strategy

Zhi Yang (PLA Information Engineering University, Zhengzhou, China), Zhanhui Yuan (PLA Information Engineering University, Zhengzhou, China), Xingyuan Chen (PLA Information Engineering University, Zhengzhou, China), Shuyuan Jin (SUN YAT-SEN University, Guangzhou, China.), Lei Sun (PLA Information Engineering University, Zhengzhou, China), Xuehui Du (PLA Information Engineering University, Zhengzhou, China), Wenfa Li (Beijing Union University, Beijing, Chian)

Analyzing Ground-Truth Data of Mobile Gambling Scam

Geng Hong (Fudan University), Zhemin Yang (Fudan University), Sen Yang (Fudan University), Xiaojing Liao (Indiana University Bloomington), Xiaolin Du (Fudan University), Min Yang (Fudan University), Haixin Duan (Institute for Network Science and Cyberspace, Tsinghua University; Qi An Xin Group Corp.)

With the growth of mobile computing techniques, mobile gambling scams have seen a rampant increase in the recent past. In mobile gambling scams, miscreants deliver scamming messages via mobile instant messaging, host scam gambling platforms on mobile apps, and adopt mobile payment channels. To date, there is little quantitative knowledge about how this trending cybercrime operates, despite causing daily fraud losses estimated at more than $522,262 USD. This paper presents the first empirical study based on groundtruth data of mobile gambling scams, associated with 1,461 scam incident reports and 1,487 gambling scam apps, spanning from January 1, 2020 to December 31, 2020. The qualitative and quantitative analysis of this ground-truth data allows us to characterize the operational pipeline and full fraud kill chain of mobile gambling scams. In particular, we study the social engineering tricks used by scammers and reveal their effectiveness. Our work provides a systematic analysis of 1,068 confirmed Android and 419 iOS scam apps, including their development frameworks, declared permissions, compatibility, and backend network infrastructure. Perhaps surprisingly, our study unveils that public online app generators have been abused to develop gambling scam apps. Our analysis reveals several payment channels (ab)used by gambling scam app and uncovers a new type of money mule-based payment channel with the average daily gambling deposit of $400,000 USD. Our findings enable a better understanding of the mobile gambling scam ecosystem, and suggest potential avenues to disrupt these scam activities.

NDSS′22

列表：https://dblp.org/db/conf/ndss/ndss2022.html

PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on Android

Xianbo Wang, Shangcheng Shi, Yikang Chen, Wing Cheong Lau

Nowadays, most mobile devices are equipped with various hardware interfaces such as touchscreen, fingerprint scanner, camera and microphone to capture inputs from the user. Many mobile apps use these physical interfaces to receive userinput for authentication/authorization operations including oneclick login, fingerprint-based payment approval, and face/voice unlocking. In this paper, we investigate the so-called PHYjacking attack where a victim is misled by a zero-permission malicious app to feed physical inputs to different hardware interfaces on a mobile device to result in unintended authorization. We analyze the protection mechanisms in Android for different types of physical input interfaces and introduce new techniques to bypass them. Specifically, we identify weaknesses in the existing protection schemes for the related system APIs and observe common pitfalls when apps implement physical-input-based authorization. Worse still, we discover a race-condition bug in Android that can be exploited even when app-based mitigations are properly implemented. Based on these findings, we introduce fingerprintjacking and facejacking techniques and demonstrate their impact on real apps. We also discuss the feasibility of launching similar attacks against NFC and microphone inputs, as well as effective tapjacking attacks against Single Sign-On apps. We have designed a static analyzer to examine 3000+ real-world apps and find 44% of them contain PHYjacking-related implementation flaws. We demonstrate the practicality and potential impact of PHYjacking via proof-of-concept implementations which enable unauthorized money transfer on a payment app with over 800 million users, user-privacy leak from a social media app with over 400 million users and escalating app permissions in Android 11.

如今，大多数移动设备都配备了各种硬件界面，如触摸屏、指纹扫描器、摄像头和麦克风，用于捕捉用户的输入。许多移动应用程序利用这些物理界面来接收用户输入，用于身份验证/授权操作，包括一键登录、指纹支付批准和面部/语音解锁。

在本文中，我们调查了一种被称为PHYjacking攻击的情况，受害者被一个零权限的恶意应用误导，向移动设备上的不同硬件接口提供物理输入，以导致非预期的授权操作。我们分析了Android中用于不同类型物理输入界面的保护机制，并介绍了绕过这些机制的新技术。具体来说，我们发现了现有保护方案中与相关系统API的弱点，并观察到应用程序在实现基于物理输入的授权时常见的陷阱。更糟糕的是，我们发现了Android中的竞争条件漏洞，即使应用程序层面的缓解措施得到正确实施，该漏洞仍然可以被利用。基于这些发现，我们介绍了指纹劫持和面部劫持技术，并展示了它们对真实应用程序的影响。我们还讨论了对NFC和麦克风输入发起类似攻击的可行性，以及对单点登录应用程序进行有效点击劫持攻击的方法。

我们设计了一个静态分析器，用于检查3000多个真实应用程序，发现其中44%的应用程序存在PHYjacking相关的实现缺陷。我们通过概念验证实现证明了PHYjacking的可行性和潜在影响，其中包括对一个拥有超过8亿用户的支付应用程序进行未经授权的资金转移，对一个拥有超过4亿用户的社交媒体应用程序进行用户隐私泄露以及在Android 11中升级应用程序权限等。

The Droid is in the Details: Environment-aware Evasion of Android Sandboxes

Brian Kondracki, Babak Amin Azad, Najmeh Miramirkhani, Nick Nikiforakis

Malware sandboxes have long been a valuable tool for detecting and analyzing malicious software. The proliferation of mobile devices and, subsequently, mobile applications, has led to a surge in the development and use of mobile device sandboxes to ensure the integrity of application marketplaces. In turn, to evade these sandboxes, malware has evolved to suspend its malicious activity when it is executed in a sandbox environment. Sophisticated malware sandboxes attempt to prevent sandbox detection by patching runtime properties indicative of malware- analysis systems.

In this paper, we propose a set of novel mobile-sandbox- evasion techniques that we collectively refer to as “environment- aware” sandbox detection. We explore the distribution of artifacts extracted from readily available APIs in order to distinguish real user devices from sandboxes. To that end, we identify Android APIs that can be used to extract environment-related features, such as artifacts of user configurations (e.g. screen brightness), population of files on the device (e.g. number of photos and songs), and hardware sensors (e.g. presence of a step counter).

By collecting ground truth data from real users and Android sandboxes, we show that attackers can straightforwardly build a classifier capable of differentiating between real Android devices and well-known mobile sandboxes with 98.54% accuracy. More- over, to demonstrate the inefficacy of patching APIs in sandbox environments individually, we focus on feature inconsistencies between the claimed manufacturer of a sandbox (Samsung, LG, etc.) and real devices from these manufacturers. Our findings emphasize the difficulty of creating robust sandbox environments regardless of their underlying platform being an emulated en- vironment, or an actual mobile device. Most importantly, our work signifies the lack of protection against “environment-aware” sandbox detection in state-of-the-art mobile sandboxes which can be readily abused by mobile malware to evade detection and increase their lifespan.

恶意软件沙箱长期以来一直是检测和分析恶意软件的宝贵工具。移动设备以及随后的移动应用的普及，导致了移动设备沙箱的开发和使用激增，以确保应用市场的完整性。为了逃避这些沙箱，恶意软件已经演变出在沙箱环境中执行时暂停其恶意活动的能力。复杂的恶意软件沙箱尝试通过修补与恶意软件分析系统相关的运行时属性来防止沙箱检测。

在本文中，我们提出了一种新的移动沙箱逃逸技术，我们统称为“环境感知”沙箱检测。我们通过探索从现成的API中提取的工件分布来区分真实用户设备和沙箱。为此，我们识别出可用于提取与环境相关特征的Android API，例如用户配置的文物（如屏幕亮度）、设备上的文件数量（如照片和歌曲数量）以及硬件传感器（如计步器的存在）。

通过收集来自真实用户和Android沙箱的真实数据，我们展示了攻击者能够直接构建一个分类器，能够以98.54%的准确率区分真实的Android设备和众所周知的移动沙箱。此外，为了展示在沙箱环境中单独修补API的无效性，我们着重研究了沙箱的声明制造商（三星、LG等）与这些制造商的真实设备之间的特征不一致性。我们的研究结果强调了创建强大的沙箱环境的困难，无论其基础平台是一个模拟环境还是一个实际的移动设备。最重要的是，我们的工作表明，现在的移动沙箱对于“环境感知”沙箱检测缺乏保护，这可以被移动恶意软件轻易滥用以逃避检测并延长其寿命。