Security Testing of Permission Re-delegation Vulnerabilities in Android Applications

Demissie, Biniam Fisseha (2019) Security Testing of Permission Re-delegation Vulnerabilities in Android Applications. PhD thesis, University of Trento.

[img]PDF - Doctoral Thesis
Restricted to Repository staff only until 9999.
Available under License Creative Commons Attribution Non-commercial Share Alike.

[img]PDF (Disclaimer document) - Disclaimer
Restricted to Repository staff only until 9999.



Smartphones play an important role in our daily lives. Once used only for communication purposes are now also used for several day-to-day activities ranging from social media and entertainment to privacy sensitive operations such as data storage, fitness tracking, mobile banking and sending/receiving business e-mails. This is achieved thanks to the several smartphone applications (apps) that are available. One of the most popular smartphone operating systems is Android. As of now, there are more than 3 million apps for Android. The Android platform facilitates reuse of apps' functionalities by allowing an app to request a task from another app installed on the same device through inter-process communication mechanism. This possibility is probably one of the reasons for the popularity of Android where an app can reuse a feature available in other apps. However, this integration also poses security risks to the privacy of the end-users if it is not implemented properly. Permission re-delegation vulnerability is a kind of privilege escalation that happens when unprivileged apps exploit this integration feature to make privileged apps perform a privileged action on their behalf. Static analysis techniques as well as run-time protections have been proposed to detect permission re-delegation vulnerabilities. However, as acknowledged by their authors, most of these approaches are affected by many false positives and, hence, fall short of precision because, they do not discriminate between intentional task requests and actual permission re-delegation vulnerabilities. In this thesis, we propose automatic techniques to classify potential permission re-delegation vulnerabilities detected by static analysis in real world Android apps as intentional task requests or actual vulnerabilities and to automatically generate test cases that show how the vulnerabilities can be exploited. This could be helpful for developers to easily analyze their apps and fix vulnerabilities before releasing their apps. The proposed approaches have been experimentally validated with thousands of real world apps and have been seen to perform better than state-of-the-art tools and techniques in terms of precision.

Item Type:Doctoral Thesis (PhD)
Doctoral School:Information and Communication Technology
PhD Cycle:30
Subjects:Area 01 - Scienze matematiche e informatiche > INF/01 INFORMATICA
Uncontrolled Keywords:Security testing, test case generation, security oracle, smartphone applications, Android apps, static analysis, dynamic analysis, genetic algorithm
Funders:Fondazione Bruno Kessler
Repository Staff approval on:20 Jun 2019 09:29

Repository Staff Only: item control page