
Need an account to vote? Register to attend at gsec.hitb.org/sg2017/


Component Hijacking on Android: From Birth to Death

Daoyuan Wu


Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings benefits such as functionality reuse and data sharing, it also introduces a threat called component hijacking. By hijacking a vulnerable component in a victim app, an attack app can bypass the Android sandbox and escalate its privilege, causing confused-deputy problems such as permission misuse, data manipulation, and content leaks.

In the first part of my talk (the "Birth" part), I will summarize and classify Android apps' component hijacking issues over the last six years. I will show (i) when and how component hijacking was discovered and how it evolved on Android; (ii) how component hijacking affects different types of Android components; (iii) how component hijacking causes different security consequences, from basic permission misuse to advanced token stealing; and (iv) how hijacking exploits evolve over time, e.g., from local to remote attacks. To the best of my knowledge, this is the first comprehensive summary of Android component hijacking. All content will be illustrated using real vulnerable apps, discovered by me or by other researchers.

In the second part (the "Death" part), I will present SCLib, a secure component library that performs in-app mandatory access control on behalf of the app's components. It requires neither firmware modification nor app repackaging, and is more accessible to app developers because it ships as a library. SCLib automatically collects enforcement primitives (e.g., component attributes and the input data of incoming requests) at the entry points of the protected components, and enforces "just-enough" policies drawn from a pre-defined policy set. In the course of implementing SCLib, I overcame major challenges using three new techniques, namely recovering the caller app's identity via the Binder side channel, popping up alerts via a dialog-like Activity transition, and extracting component attributes by run-time manifest analysis. I will open-source the SCLib code for real-world adoption.
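To make the confused-deputy problem and the "in-app access check at the entry point" idea concrete, here is an added example in Android Java. It is not code from the talk and not SCLib's own code; the package name, content authority, permission string and allow-list are hypothetical, and the note data is constructed. It shows an exported ContentProvider in the hijackable form the abstract calls a content leak, next to the same provider guarded by two enforcement primitives collected at its entry point: the caller's permission and the caller's package identity. The check works here because ContentProvider callbacks run inside the caller's Binder transaction; Activity and Service lifecycle callbacks do not, so the same calls there return the app's own uid, which is why recovering caller identity for those components needs a separate technique, as the abstract notes.

```java
// Added example (hypothetical package, authority, permission and allow-list).
// Manifest assumption: this provider is declared with android:exported="true"
// and no android:permission / readPermission, so the platform does no check.
package com.example.hijackdemo;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import android.util.Log;

import java.util.Arrays;
import java.util.List;

public class NotesProvider extends ContentProvider {
    private static final String TAG = "NotesProvider";

    // Hypothetical policy: which callers may read, and which permission they must hold.
    private static final List<String> ALLOWED_PACKAGES =
            Arrays.asList("com.example.trustedclient");
    private static final String READ_PERMISSION = "com.example.hijackdemo.READ_NOTES";

    private static final String[] COLUMNS = { "_id", "body" };

    @Override
    public boolean onCreate() {
        return true;
    }

    // Hijackable form: with the manifest above, this hands every row to any app
    // on the device that can address the authority (a "content leak").
    private Cursor queryUnchecked() {
        MatrixCursor c = new MatrixCursor(COLUMNS);
        c.addRow(new Object[] { 1, "constructed private note" }); // constructed data
        return c;
    }

    // In-app mandatory check, run at the component's entry point before the request
    // is serviced. Binder.getCallingUid() names the caller only because provider
    // callbacks execute on a Binder thread inside the caller's transaction.
    private boolean callerAllowed() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) {
            return true; // the app's own code using its own provider
        }
        // Primitive 1: caller permission. Use checkCallingPermission, NOT
        // checkCallingOrSelfPermission: the latter succeeds whenever this app itself
        // holds the permission, which is exactly the confused-deputy hole.
        if (getContext().checkCallingPermission(READ_PERMISSION)
                != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "denied: uid " + uid + " lacks " + READ_PERMISSION);
            return false;
        }
        // Primitive 2: caller identity. A uid maps to one package, or to several
        // that share a uid, so every member is checked against the allow-list.
        String[] pkgs = getContext().getPackageManager().getPackagesForUid(uid);
        if (pkgs == null) {
            return false;
        }
        for (String p : pkgs) {
            if (ALLOWED_PACKAGES.contains(p)) {
                return true;
            }
        }
        Log.w(TAG, "denied: uid " + uid + " packages " + Arrays.toString(pkgs));
        return false;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (!callerAllowed()) {
            throw new SecurityException("caller not permitted to read " + uri);
        }
        return queryUnchecked();
    }

    // Writes are refused outright in this demo; only the read path is illustrated.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.hijackdemo.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
}
```

The denial log lines give a detection hook: an unexpected uid or package name showing up in them is the signal that some app on the device is probing the component. The same two-primitive pattern carries over to a bound Service's AIDL methods, which also run inside the caller's transaction.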

About Daoyuan Wu

Daoyuan Wu is a PhD candidate at Singapore Management University (SMU). He has accumulated 10 years' experience in the computer security area (holding a B.E. degree in Information Security and a research-based MPhil degree from The Hong Kong Polytechnic University). His main research topic is vulnerability detection and mitigation, with a current focus on Android and iOS. He has published around 10 academic papers, including three top-tier conference papers.

He was a speaker at Taiwan's hacker conference, HitCon 2014. He has reported a number of vulnerabilities in his spare time, such as being the first reporter of content provider vulnerabilities in many popular Android apps (over 60 CVEs). He has also won bug bounties or been acknowledged by top vendors including Facebook, Samsung, Yahoo, Evernote, Yandex, Baidu, Tencent, Alibaba, and Qihoo 360. Besides app vulnerabilities, he reported one system issue in Android (CVE-2014-7224) and one in iOS (CVE-2015-5921, acknowledged by Apple for iOS 9).