1. MR-Droid: A Scalable and Prioritized Analysis
of Inter-App Communication Risks
Fang Liu, Haipeng Cai, Gang Wang, Danfeng (Daphne) Yao,
Karim O. Elish, and Barbara G. Ryder
Department of Computer Science
Virginia Tech
Blacksburg, Virginia
Uncover more
Mobile Security Technologies (MOST) 2017
in conjunction with the IEEE Symposium on Security and Privacy

2. Problems of Inter-App Communication
Service
(Recommend)
Component
Activity
Broadcast
The dialog prompting can be skipped without user knowledge!
[Fang Liu, ect., Usenix Security 2017]

3. What is Intent? Intent Explicit Implicit
Hey buddy, catch!
It’s only
for me
Intent
Operation & data between components/apps
Explicit
Source app specifies destination app or Component.
Implicit
No destination component specified.
OS/user chooses the matched app.
Activity
Activity
Intent
Explicit Intent
Implicit Intent

4. Threats Model Intent Hijacking [Chin 2011] [Octeau 2013]
Intent Spoofing/Component Hijacking [Devi 2010]
Collusion [Marforio 2011]
Type of Exposure
Percentage
Broadcast Theft
44%
Activity Hijacking
97%
Service Hijacking
19%
Broadcast Injection
56%
System Broadcast w/o Action Check
13%
Activity Launch
57%
Service Launch
14%
% of apps that have the vulnerabilities [Chin et al, Mobisys’11]

5. Problem Statement
Reporting an app as generically vulnerable or malicious leads to insufficient precision and excessive alerts.
Given a large number of apps, we
Detect the vulnerable/malicious apps.
Rank/prioritize their risk levels to facilitate analysts’ investments!

6. Single-app Analysis VS Cross-app Analysis
The information that single-app analysis provides is limited.
Whether two apps collude?
Whether one app performs malicious behaviors on other apps?
How severe is the security risk of an app?
Whether one app is vulnerable?
Whether one app is malicious in term of leaking sensitive data itself?

7. Prioritization Assumption
Higher Risk
Lower Risk
Our goal is to prioritize apps’ ICC risks
based on their communication context.

8. The Need for Large-scale Analysis
Communication context from the communication graph of all apps.
Limited communication context from small scale apps reduces accuracy.
O( 𝑛 2 )
n is huge!
A scalable approach for market-scale analysis.

9. Parallel Source/Sink Points Linking with MapReduce
Scalable Approach with MapReduce
Parallel Source/Sink Points
Generation
Source/Sink Points
Linking with MapReduce
Neighbor-based Risk
Analysis
Static Data Flow Analysis,
Retrieve Attributes
Source/Sink Points
Transformation for
parallel processing
Action Test,
Category Test,
Data Test,
Permission checking
Group links
for each pair
Mining the Inter-app graph
for risk prioritization.

10. Neighbor-based Risk Analysis
Graph
Ranking & Classification
High
Medium
Low
Communication Context/Features

11. Evaluation Questions to Answer:
Is the prioritization result accurate?
How is the scalability of our approach?
Data: 12K most popular free apps from Google Play in with Android millions communication app pairs generated.
Environment: 15-node cluster. Each node has two quad-core 2.8GHz Xeon processors and 8GB RAM.

12. Prioritization Results
Risk
Level
Activity Hijacking
Service Hijacking
Broadcast Theft
Activity Launch
Service Launch
Broadcast Injection
Collusion Pairs
High
(TP) 94
(9/10) 10
(7/10) 15 17
(10/10) 4
(4/4) 7
(7/7) 6
(6/6)
Medium
790
(8/10) 32
(6/10)
303 9
(8/9) 8
(8/8)
169
(14/169)
Low
11,112 (2/10)
11,954 (0/10)
11,678 (1/10)
11970 (0/10)
11, 984 (0/10)
11989
(0/10)
12,986,078 (0/10)
Manually examined about 200 apps to verify the result.
100% TP rate in detecting collusion, broadcast injection, activity and service launch based intent spoofing.
FP: Most of Errors were caused by unresolved attributes in Intent.
Rankings produced by our approach can help users and security analysts prioritize their inspection efforts.

13. Performance Evaluation
Analysis time of three phases
25 hours for the complete analysis with 13 million ICC pairs.
The runtime cost has a near-linear increase with the number of apps.

14. Attack Cases Stealthy collusion via implicit intents.
Risks of automatically generated apps.
Insecure interfaces for same-developer apps.
Hijacking vulnerabilities in third-party libraries.
Colluding apps by the same developers.

15. Case Study com.vng.android.zingbrowser.labanbookreader to
org.geometerplus.fbreader.plugin.local_opds_scanner
com.vng.android.zingbrowser.labanbookreader
Ebook reader app
Scan local wifi network (without permission)
Hijacking/collusion via implicit intent.
org.geometerplus.fbreader.plugin.local_opds_scanner
Plugin app to scan local wifi network for book repository
Open interface with customized action
Action: android.fbreader.action.ADD_OPDS_CATALOG

16. Summary Existing approaches report excessive alerts of ICC risks.
Prioritize ICC risks based on app communication contexts (neighbor-based risk analysis).
Achieve high scalability with MapReduce.
Prioritize security analysts’ inspection efforts with high accuracy.

17. Another Inter-app Analysis Work
DIALDroid: a tool that performs taint analysis and ICC mapping among Android apps. We detected collusive and vulnerable apps with over 110K real-world apps.
Code & Benchmark:
Dataset:
Technical details: AsiaCCS2017

18. Thank You!

19. With another job, we are able to construct an app communication graph.
Source/Sink Linking with MapReduce
Map
Key
Resource sharing
by apps that belongs
to the same company
SharedUserId+componentName
ComponentName
Source Point
Action+CategoriList
Explicit Linking
SharedUserId+componentName
Sink Point
ComponentName
Implicit Linking
Action test
Category test
Action+subCategoriList
Reduce performs data test & permission checking and output new <key, value> pairs for the links that pass all the three tests.
Output key: sourceApp+sinkApp
With another job, we are able to construct an app communication graph.