slides - IEEE Computer Society's Technical Committee on Security

MR-Droid: A Scalable and Prioritized Analysis
of Inter-App Communication Risks
Fang Liu, Haipeng Cai, Gang Wang, Danfeng (Daphne) Yao,
Karim O. Elish, and Barbara G. Ryder
Department of Computer Science
Virginia Tech
Blacksburg, Virginia
Mobile Security Technologies (MOST) 2017
in conjunction with the IEEE Symposium on Security and Privacy
Problems of Inter-App Communication
[Figure labels: Service, (Recommend), Component, Activity, Broadcast]
The dialog prompting can be skipped without user knowledge!
[Fang Liu et al., USENIX Security 2017]
What is Intent?
• Intent
  • Operation & data between components/apps
• Explicit
  • Source app specifies destination app or component.
• Implicit
  • No destination component specified.
  • OS/user chooses the matched app.
[Figure labels: Activity, Intent, Activity; "Explicit Intent"; "Implicit Intent"; speech bubbles "It’s only for me" and "Hey buddy, catch!"]
Threat Model
• Intent Hijacking [Chin 2011] [Octeau 2013]
• Intent Spoofing/Component Hijacking [Devi 2010]
• Collusion [Marforio 2011]
Type of Exposure                     Percentage
Broadcast Theft                      44%
Activity Hijacking                   97%
Service Hijacking                    19%
Broadcast Injection                  56%
System Broadcast w/o Action Check    13%
Activity Launch                      57%
Service Launch                       14%
% of apps that have the vulnerabilities [Chin et al., MobiSys’11]
Problem Statement
Reporting an app as generically vulnerable or malicious leads to
insufficient precision and excessive alerts.
Given a large number of apps, we
• Detect the vulnerable/malicious apps.
• Rank/prioritize their risk levels to facilitate analysts’
investments!
Single-app Analysis vs. Cross-app Analysis
The information that single-app analysis provides is limited.
Whether one app is vulnerable?
Whether one app is malicious in terms of leaking sensitive data itself?
Whether two apps collude?
Whether one app performs malicious behaviors on other apps?
How severe is the security risk of an app?
Prioritization Assumption
[Figure labels: Higher Risk, Lower Risk]
Our goal is to prioritize apps’ ICC risks based on their communication context.
The Need for Large-scale Analysis
• Communication context from the communication graph of all apps.
• Limited communication context from small scale apps reduces accuracy.
[Chart: Number of Apps in Google Play; y-axis: # of apps (in thousands), 0 to 3000; x-axis: Dec '09 to Dec '16; annotation: O(n²), n is huge!]
A scalable approach for market-scale analysis.
Scalable Approach with MapReduce
Phases:
• Parallel Source/Sink Points Generation
• Source/Sink Points Linking with MapReduce
• Neighbor-based Risk Analysis: mining the inter-app graph for risk prioritization.
Diagram boxes:
• Static Data Flow Analysis, Retrieve Attributes
• Source/Sink Points Transformation for parallel processing
• Action Test, Category Test, Data Test, Permission checking
• Group links for each pair
Neighbor-based Risk Analysis
[Figure labels: Graph; Communication Context/Features; Ranking & Classification: High, Medium, Low]
Evaluation
• Questions to Answer:
• Is the prioritization result accurate?
• How is the scalability of our approach?
• Data: 12K most popular free apps from Google Play in 2014 with Android 4.2. 13 million communication app pairs generated.
• Environment: 15-node cluster. Each node has two quad-core 2.8GHz Xeon processors and 8GB RAM.
Prioritization Results
Risk Level (TP) | Activity Hijacking | Service Hijacking | Broadcast Theft | Activity Launch | Service Launch | Broadcast Injection | Collusion Pairs
High | 94 (9/10) | 10 (7/10) | 15 (9/10) | 17 (10/10) | 4 (4/4) | 7 (7/7) | 6 (6/6)
Medium | 790 (8/10) | 32 (6/10) | 303 (7/10) | 9 (8/9) | 8 (8/8) | 0 | 169 (14/169)
Low | 11,112 (2/10) | 11,954 (0/10) | 11,678 (1/10) | 11,970 (0/10) | 11,984 (0/10) | 11,989 (0/10) | 12,986,078 (0/10)
• Manually examined about 200 apps to verify the result.
• 100% TP rate in detecting collusion, broadcast injection, activity and service launch based intent spoofing.
• FP: most errors were caused by unresolved attributes in Intents.
• Rankings produced by our approach can help users and security analysts prioritize their inspection efforts.
Performance Evaluation
Analysis time of three phases
• 25 hours for the complete analysis with 13 million ICC pairs.
• The runtime cost has a near-linear increase with the number of apps.
Attack Cases
• Stealthy collusion via implicit intents.
• Risks of automatically generated apps.
• Insecure interfaces for same-developer apps.
• Hijacking vulnerabilities in third-party libraries.
• Colluding apps by the same developers.
Case Study
com.vng.android.zingbrowser.labanbookreader to
org.geometerplus.fbreader.plugin.local_opds_scanner
com.vng.android.zingbrowser.labanbookreader
• Ebook reader app
• Scan local wifi network (without permission)
• Hijacking/collusion via implicit intent.
org.geometerplus.fbreader.plugin.local_opds_scanner
• Plugin app to scan local wifi network for book repository
• Open interface with customized action
• Action: android.fbreader.action.ADD_OPDS_CATALOG
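The linking step from the "Scalable Approach with MapReduce" slide (action, category, data and permission tests, then grouping links per app pair), applied to the case-study pair, as an added example that is not code from MR-Droid. The record layout, the (kind, action) bucketing key, the simplified data test and the com.example.* apps are assumptions of this example.

```python
from collections import defaultdict, namedtuple
# Exit point = outgoing implicit Intent; entry point = exported component's filter.
Source = namedtuple("Source", "app kind action cats scheme mime holds")
Sink = namedtuple("Sink", "app kind actions cats schemes mimes requires")
DEFAULT = "android.intent.category.DEFAULT"
ADD_OPDS = "android.fbreader.action.ADD_OPDS_CATALOG"  # action from the case study
READER = "com.vng.android.zingbrowser.labanbookreader"
PLUGIN = "org.geometerplus.fbreader.plugin.local_opds_scanner"
# Constructed records: only the two package names and the action are from the
# slides; kinds, categories, data, permissions and com.example.* are invented.
SOURCES = [
    Source(READER, "activity", ADD_OPDS, {DEFAULT}, None, None, set()),
    Source("com.example.notes", "activity", "android.intent.action.SEND",
           {DEFAULT}, None, "text/plain", set()),
]
SINKS = [
    Sink(PLUGIN, "activity", {ADD_OPDS}, {DEFAULT}, set(), set(), None),
    Sink("com.example.mailer", "activity", {"android.intent.action.SEND"},
         {DEFAULT}, set(), {"image/png"}, None),           # fails the data test
    Sink("com.example.vault", "activity", {ADD_OPDS}, {DEFAULT}, set(), set(),
         "com.example.vault.ACCESS"),                      # fails permission check
]

def data_test(src, sink):  # simplified: absent scheme/MIME matches only a filter declaring none
    return ((src.scheme in sink.schemes if src.scheme else not sink.schemes)
            and (src.mime in sink.mimes if src.mime else not sink.mimes))

def matches(src, sink):
    return (src.action in sink.actions          # action test
            and src.cats <= sink.cats           # category test
            and data_test(src, sink)            # data test
            and (sink.requires is None or sink.requires in src.holds))  # permission

def link_pairs(sources, sinks):
    # "Map": key records by (component kind, action) so only candidates meet.
    buckets = defaultdict(lambda: ([], []))
    for s in sources:
        buckets[(s.kind, s.action)][0].append(s)
    for k in sinks:
        for action in k.actions:
            buckets[(k.kind, action)][1].append(k)
    # "Reduce": run the tests inside each bucket and group links per app pair.
    links = defaultdict(list)
    for (kind, action), (srcs, snks) in buckets.items():
        for s in srcs:
            for k in snks:
                if s.app != k.app and matches(s, k):
                    links[(s.app, k.app)].append((kind, action))
    return dict(links)
```

With these records `link_pairs(SOURCES, SINKS)` returns a single link, from the reader app to the plugin; the grouped pairs are the edges a neighbor-based risk analysis would then rank.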
Summary
• Existing approaches report excessive alerts of ICC risks.
  • Prioritize ICC risks based on app communication contexts (neighbor-based risk analysis).
  • Achieve high scalability with MapReduce.
Prioritize security analysts’ inspection efforts with high accuracy.
Another Inter-app Analysis Work
DIALDroid: a tool that performs taint analysis and ICC mapping
among Android apps. We detected collusive and vulnerable apps
with over 110K real-world apps.
Code & Benchmark: https://github.com/dialdroid-android
Dataset: https://amiangshu.com/dialdroid/
Technical details: AsiaCCS2017
Thank You!