SCLib: A practical and lightweight defense against component hijacking in android applications

Author

Daoyuan WU, Singapore Management UniversityFollow
Yao CHENG, Institute of Infocomm Research
Debin GAO, Singapore Management UniversityFollow
Yingjiu LI, Singapore Management UniversityFollow
Robert H. DENG, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

submittedVersion

Publication Date

3-2018

Abstract

Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3% stub code) and nearly no slowdown to normal intra-app communication.

Keywords

Access control, Android (operating system), Data privacy, Firmware, Network security, Open systems, Android applications, Android devices, Component libraries, Data Sharing, Functionality reuse, Fundamental mechanisms, Mandatory access control, Proof of concept, Mobile security

Discipline

Information Security

Research Areas

Cybersecurity

Publication

CODASPY '18: Proceedings of 8th ACM Conference on Data and Application Security and Privacy, Tempe, AZ, March 19-21

First Page

299

Last Page

306

ISBN

9781450356329

Identifier

10.1145/3176258.3176336

Publisher

ACM

City or Country

New York

Citation

WU, Daoyuan; CHENG, Yao; GAO, Debin; LI, Yingjiu; and DENG, Robert H.. SCLib: A practical and lightweight defense against component hijacking in android applications. (2018). CODASPY '18: Proceedings of 8th ACM Conference on Data and Application Security and Privacy, Tempe, AZ, March 19-21. 299-306.
Available at: https://ink.library.smu.edu.sg/sis_research/4088

Copyright Owner and License

Authors

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3176258.3176336