Ghost Installer in the Shadow: Security Analysis of App Installation on Android

Cited by: 5
Authors
Lee, Yeonjoon [1]
Li, Tongxin [2]
Zhang, Nan [1]
Demetriou, Soteris [3]
Zha, Mingming [4]
Wang, XiaoFeng [1]
Chen, Kai [4]
Zhou, Xiaoyong [5]
Han, Xinhui [2]
Grace, Michael [5]
Affiliations
[1] Indiana Univ, Bloomington, IN 47405 USA
[2] Peking Univ, Beijing, Peoples R China
[3] Univ Illinois, Champaign, IL USA
[4] Chinese Acad Sci, Inst Informat Engn, Beijing, Peoples R China
[5] Samsung Res Amer, Mountain View, CA USA
Funding
National Science Foundation (USA);
DOI
10.1109/DSN.2017.33
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract
Android allows developers to build apps with app installation functionality themselves with minimal restriction and support like any other functionalities. Given the critical importance of app installation, the security implications of the approach can be significant. This paper reports the first systematic study on this issue, focusing on the security guarantees of different steps of the App Installation Transaction (AIT). We demonstrate the serious consequences of leaving AIT development to individual developers: most installers (e.g., Amazon AppStore, DTIgnite, Baidu) are riddled with various security-critical loopholes, which can be exploited by attackers to silently install any apps, acquiring dangerous-level permissions or even unauthorized access to system resources. Surprisingly, vulnerabilities were found in all steps of AIT. The attacks we present, dubbed Ghost Installer Attack (GIA), are found to pose a realistic threat to the Android ecosystem. Further, we developed both a user-app-level and a system-level defense that are innovative and practical.
Pages: 403 - 414
Number of pages: 12