ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2016, Vol. 53 ›› Issue (10): 2248-2261.doi: 10.7544/issn1000-1239.2016.20160449

Special Issue: 2016网络空间共享安全研究进展专题

Previous Articles     Next Articles

Security Analysis and Evaluation for the Usage of Settings Mechanism in Android

Lu Yemian, Ying Lingyun, Su Purui, Feng Dengguo, Jing Erxia, Gu Yacong   

  1. (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)
  • Online:2016-10-01

Abstract: Offered by Android system, Settings is a mechanism used by applications to read and write some global settings of the device. Data stored in Settings can be read by all the applications on the same device. Some Android applications and third-party libraries carelessly put privacy data and important configuration information into Settings, which leads to serious security risks such as privacy leakage and configuration data leakage. In this paper, we make a comprehensive study of the issues mentioned above. By analyzing a large number of applications, we find the privacy data and configuration information leaked to Settings including IMEI, BSSID and location info, etc. We also successfully undertake some data hijacking attacks and DoS attacks for Android applications and third-party libraries, which confirms that the inappropriate use of Settings can really lead to serious security problems. Based on the above research, we propose SettingsHunter, a static detection tool for Settings issues. SettingsHunter detects privacy data and important configuration information put in Settings using taint analysis technology. In order to improve the efficiency, SettingsHunter separates the analysis of third-party libraries from the one of host applications. This separation also improves the analysis ability for third-party libraries. We use SettingsHunter to analysis 3477 applications and the result shows that 23.5% of the analyzed applications put privacy data or key configuration information into Settings, of which 90.7% is due to the using of third-party libraries. These applications and third-party libraries may suffer from privacy data leakage or configuration data pollution attacks.

Key words: Android applications, third-party libraries, privacy leakage, data pollution, static taint analysis

CLC Number: