Towards analyzing the input validation vulnerabilities associated with android system services

Chen Cao, Neng Gao, Peng Liu, Ji Xiang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

13 Scopus citations

Abstract

Although input validation vulnerabilities play a critical role in web application security, such vulnerabilities are so far largely neglected in the Android security research community. We found that due to the unique Framework Code layer, Android devices do need specific input validation vulnerability analysis in system services. In this work, we take the first steps to analyze Android-specific input validation vulnerabilities. In particular, a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services; b) we developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all the Android system services by sending requests with malformed arguments to them. Through comprehensive evaluation of the Android system with over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. We have reported all the issues to Google and Google has confirmed them.

Original language: English (US)
Title of host publication: Proceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015
Publisher: Association for Computing Machinery
Pages: 361-370
Number of pages: 10
ISBN (Electronic): 9781450336826
DOIs: https://doi.org/10.1145/2818000.2818033
State: Published - Dec 7 2015
Event: 31st Annual Computer Security Applications Conference, ACSAC 2015 - Los Angeles, United States
Duration: Dec 7 2015 to Dec 11 2015

Publication series

Name: ACM International Conference Proceeding Series
Volume: 7-11-December-2015

Other

Other: 31st Annual Computer Security Applications Conference, ACSAC 2015
Country: United States
City: Los Angeles
Period: 12/7/15 to 12/11/15

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Cao, C., Gao, N., Liu, P., & Xiang, J. (2015). Towards analyzing the input validation vulnerabilities associated with android system services. In Proceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015 (pp. 361-370). (ACM International Conference Proceeding Series; Vol. 7-11-December-2015). Association for Computing Machinery. https://doi.org/10.1145/2818000.2818033