Security Analysis and Evaluation for the Usage of Settings Mechanism in Android

Lu Yemian; Ying Lingyun; Su Purui; Feng Dengguo; Jing Erxia; Gu Yacong

doi:10.7544/issn1000-1239.2016.20160449

Journal of Computer Research and Development > 2016 > 53(10): 2248-2261. > DOI: 10.7544/issn1000-1239.2016.20160449 CSTR: 32373.14.issn1000-1239.2016.20160449

Lu Yemian, Ying Lingyun, Su Purui, Feng Dengguo, Jing Erxia, Gu Yacong. Security Analysis and Evaluation for the Usage of Settings Mechanism in Android[J]. Journal of Computer Research and Development, 2016, 53(10): 2248-2261. DOI: 10.7544/issn1000-1239.2016.20160449

Citation:

PDF (2267 KB)

Security Analysis and Evaluation for the Usage of Settings Mechanism in Android

(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)

More Information

Published Date: September 30, 2016

Graphical Abstract

Abstract

Abstract

Offered by Android system, Settings is a mechanism used by applications to read and write some global settings of the device. Data stored in Settings can be read by all the applications on the same device. Some Android applications and third-party libraries carelessly put privacy data and important configuration information into Settings, which leads to serious security risks such as privacy leakage and configuration data leakage. In this paper, we make a comprehensive study of the issues mentioned above. By analyzing a large number of applications, we find the privacy data and configuration information leaked to Settings including IMEI, BSSID and location info, etc. We also successfully undertake some data hijacking attacks and DoS attacks for Android applications and third-party libraries, which confirms that the inappropriate use of Settings can really lead to serious security problems. Based on the above research, we propose SettingsHunter, a static detection tool for Settings issues. SettingsHunter detects privacy data and important configuration information put in Settings using taint analysis technology. In order to improve the efficiency, SettingsHunter separates the analysis of third-party libraries from the one of host applications. This separation also improves the analysis ability for third-party libraries. We use SettingsHunter to analysis 3477 applications and the result shows that 23.5% of the analyzed applications put privacy data or key configuration information into Settings, of which 90.7% is due to the using of third-party libraries. These applications and third-party libraries may suffer from privacy data leakage or configuration data pollution attacks.
- Android applications,
- third-party libraries,
- privacy leakage,
- data pollution,
- static taint analysis

FullText(HTML)

References (0)

[1]	Guo Fangfang, Wang Xinyue, Wang Huiqiang, Lü Hongwu, Hu Yibing, Wu Fang, Feng Guangsheng, Zhao Qian. A Dynamic Stain Analysis Method on Maximal Frequent Sub Graph Mining[J]. Journal of Computer Research and Development, 2020, 57(3): 631-638. DOI: 10.7544/issn1000-1239.2020.20180846
[2]	Wang Lei, He Dongjie, Li Lian, Feng Xiaobing. Sparse Framework Based Static Taint Analysis Optimization[J]. Journal of Computer Research and Development, 2019, 56(3): 480-495. DOI: 10.7544/issn1000-1239.2019.20180071
[3]	Yue Hongzhou, Zhang Yuqing, Wang Wenjie, Liu Qixu. Android Static Taint Analysis of Dynamic Loading and Reflection Mechanism[J]. Journal of Computer Research and Development, 2017, 54(2): 313-327. DOI: 10.7544/issn1000-1239.2017.20150928
[4]	Meng Xiaofeng, Zhang Xiaojian. Big Data Privacy Management[J]. Journal of Computer Research and Development, 2015, 52(2): 265-281. DOI: 10.7544/issn1000-1239.2015.20140073
[5]	Wang Yawen, Yao Xinhong, Gong Yunzhan, Yang Zhaohong. A Method of Buffer Overflow Detection Based on Static Code Analysis[J]. Journal of Computer Research and Development, 2012, 49(4): 839-845.
[6]	Hu Chaojian, Li Zhoujun, Guo Tao, Shi Zhiwei. Detecting the Vulnerability Pattern of Writing Tainted Value to Tainted Address[J]. Journal of Computer Research and Development, 2011, 48(8): 1455-1463.
[7]	Han Wei, He Yeping. Static Analysis of TOCTTOU Vulnerabilities in Unix-Style File System[J]. Journal of Computer Research and Development, 2011, 48(8): 1430-1437.
[8]	Ye Pengfei, Peng Xin, and Zhao Wenyun. Recovering the Use Case from Object-Oriented Programs by Static Analysis[J]. Journal of Computer Research and Development, 2010, 47(12).
[9]	Bian Xiaofeng, Zhou Xuehai. Study on Modeling MIPS Processors for Static WCET Analysis[J]. Journal of Computer Research and Development, 2006, 43(10): 1828-1834.
[10]	Liu Wenfen, Guan Wei, Cao Jia, and Zhang Weiming. Detection of Secret Message in Spatial LSB Steganography Based on Contaminated Data Analysis[J]. Journal of Computer Research and Development, 2006, 43(6): 1058-1064.