Visible to the public Sandboxing for Mobile Apps 2015Conflict Detection Enabled

SoS Newsletter- Advanced Book Block


SoS Logo

Sandboxing for Mobile Apps



Just as containing or “sandboxing” provides a way to protect against malware in other software, sandboxing can be used to identify and protect against malicious code in iOS and Android apps. For the Science of Security community, sandboxing offers opportunities to advance composability, metrics, and policy-based governance. The work cited here was published in 2015.

Mihai Bucicoiu, Lucas Davi, Razvan Deaconescu, Ahmad-Reza Sadeghi; “XiOS: Extended Application Sandboxing on iOS,” ASIA CCS ’15 Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, April 2015, Pages 43–54. doi:10.1145/2714576.2714629
Abstract: Until very recently it was widely believed that iOS malware is effectively blocked by Apple’s vetting process and application sandboxing. However, the newly presented severe malicious app attacks (e.g., Jekyll) succeeded to undermine these protection measures and steal private data, post Twitter messages, send SMS, and make phone calls. Currently, no effective defenses against these attacks are known for iOS.  The main goal of this paper is to systematically analyze the recent attacks against iOS sandboxing and provide a practical security framework for iOS app hardening which is fully independent of the Apple’s vetting process and particularly benefits enterprises to protect employees’ iOS devices. The contribution of this paper is twofold: First, we show a new and generalized attack that significantly reduces the complexity of the recent attacks against iOS sandboxing. Second, we present the design and implementation of a novel and efficient iOS app hardening service, XiOS, that enables fine-grained application sandboxing, and mitigates the existing as well as our new attacks. In contrast to previous work in this domain (on iOS security), our approach does not require to jailbreak the device. We demonstrate the efficiency and effectiveness of XiOS by conducting several benchmarks as well as fine-grained policy enforcement on real-world iOS applications.
Keywords: binary instrumentation, ios, mobile security, sandboxing (ID#: 15-7554)


Xingmin Cui, Jingxuan Wang, Lucas C. K. Hui, Zhongwei Xie, Tian Zeng, S. M. Yiu; “WeChecker: Efficient and Precise Detection of Privilege Escalation Vulnerabilities in Android Apps,” WiSec ’15 Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, June 2015, Article No. 25. doi:10.1145/2766498.2766509
Abstract: Due to the rapid increase of Android apps and their wide usage to handle personal data, a precise and large-scaling checker is in need to validate the apps’ permission flow before they are listed on the market. Several tools have been proposed to detect sensitive data leaks in Android apps. But these tools are not applicable to large-scale analysis since they fail to deal with the arbitrary execution orders of different event handlers smartly. Event handlers are invoked by the framework based on the system state, therefore we cannot pre-determine their order of execution. Besides, since all exported components can be invoked by an external app, the execution orders of these components are also arbitrary. A naive way to simulate these two types of arbitrary execution orders yields a permutation of all event handlers in an app. The time complexity is O(n!) where n is the number of event handlers in an app. This leads to a high analysis overhead when n is big. To give an illustration, CHEX [10] found 50.73 entry points of 44 unique class types in an app on average. In this paper we propose an improved static taint analysis to deal with the challenge brought by the arbitrary execution orders without sacrificing the high precision. Our analysis does not need to make permutations and achieves a polynomial time complexity. We also propose to unify the array and map access with object reference by propagating access paths to reduce the number of false positives due to field-insensitivity and over approximation of array access and map access.  We implement a tool, WeChecker, to detect privilege escalation vulnerabilities [7] in Android apps. WeChecker achieves 96% precision and 96% recall in the state-of-the-art test suite DriodBench (for compairson, the precision and recall of FlowDroid [1] are 86% and 93%, respectively). The evaluation of WeChecker on real apps shows that it is efficient (average analysis time of each app: 29.985s) and fits for large-scale checking.
Keywords: Android, control flow, data flow checking, privilege escalation attack, taint analysis (ID#: 15-7555)


Roee Hay, Omer Tripp, Marco Pistoia; “Dynamic Detection of Inter-Application Communication Vulnerabilities in Android,” ISSTA 2015 Proceedings of the 2015 International Symposium on Software Testing and Analysis, July 2015, Pages 118–128. doi:10.1145/2771783.2771800
Abstract: A main aspect of the Android platform is Inter-Application Communication (IAC), which enables reuse of functionality across apps and app components via message passing. While a powerful feature, IAC also constitutes a serious attack surface. A malicious app can embed a payload into an IAC message, thereby driving the recipient app into a potentially vulnerable behavior if the message is processed without its fields first being sanitized or validated. We present what to our knowledge is the first comprehensive testing algorithm for Android IAC vulnerabilities. Toward this end, we first describe a catalog, stemming from our field experience, of 8 concrete vulnerability types that can potentially arise due to unsafe handling of incoming IAC messages. We then explain the main challenges that automated discovery of Android IAC vulnerabilities entails, including in particular path coverage and custom data fields, and present simple yet surprisingly effective solutions to these challenges. We have realized our testing approach as the IntentDroid system, which is available as a commercial cloud service. IntentDroid utilizes lightweight platform-level instrumentation, implemented via debug breakpoints (to run atop any Android device without any setup or customization), to recover IAC-relevant app-level behaviors. Evaluation of IntentDroid over a set of 80 top-popular apps has revealed a total 150 IAC vulnerabilities — some already fixed by the developers following our report — with a recall rate of 92% w.r.t. a ground truth established via manual auditing by a security expert.
Keywords: Android, inter-application communication, mobile, security (ID#: 15-7556)


Yajin Zhou, Kunal Patel, Lei Wu, Zhi Wang, Xuxian Jiang; “Hybrid User-Level Sandboxing of Third-Party Android Apps,”
ASIA CCS ’15 Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, April 2015,
Pages 19–30. doi:10.1145/2714576.2714598
Abstract: Users of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library.  In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app’s access to sensitive APIs. Specifically, dex sandbox hooks into the app’s Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app’s native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.
Keywords: android, dalvik hooking, software fault isolation (ID#: 15-7557)


Dan Ping, Xin Sun, Bing Mao; “TextLogger: Inferring Longer Inputs on Touch Screen Using Motion Sensors,” WiSec ’15 Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, June 2015, Article No. 24. doi:10.1145/2766498.2766511
Abstract: Today’s smartphones are equipped with precise motion sensors like accelerometer and gyroscope, which can measure tiny motion and rotation of devices. While they make mobile applications more functional, they also bring risks of leaking users’ privacy. Researchers have found that tap locations on screen can be roughly inferred from motion data of the device. They mostly utilized this side-channel for inferring short input like PIN numbers and passwords, with repeated attempts to boost accuracy. In this work, we study further for longer input inference, such as chat record and e-mail content, anything a user ever typed on a soft keyboard. Since people increasingly rely on smartphones for daily activities, their inputs directly or indirectly expose privacy about them. Thus, it is a serious threat if their input text is leaked.  To make our attack practical, we utilize the shared memory side-channel for detecting window events and tap events of a soft keyboard. The up or down state of the keyboard helps triggering our Trojan service for collecting accelerometer and gyroscope data. Machine learning algorithms are used to roughly predict the input text from the raw data and language models are used to further correct the wrong predictions. We performed experiments on two real-life scenarios, which were writing emails and posting Twitter messages, both through mobile clients. Based on the experiments, we show the feasibility of inferring long user inputs to readable sentences from motion sensor data. By applying text mining technology on the inferred text, more sensitive information about the device owners can be exposed.
Keywords: edit distance model, keystroke inference using motion sensors, language model, machine learning, shared memory side-channel, side-channel attacks, smartphone security (ID#: 15-7558)


Xin Chen, Sencun Zhu; “DroidJust: Automated Functionality-Aware Privacy Leakage Analysis for Android Applications,” WiSec ’15 Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, June 2015,
Article No. 5. doi:10.1145/2766498.2766507
Abstract: Android applications (apps for short) can send out users’ sensitive information against users’ intention. Based on the stats from Genome and Mobile-Sandboxing, 55.8% and 59.7% Android malware families feature privacy leakage. Prior approaches to detecting privacy leakage on smartphones primarily focused on the discovery of sensitive information flows. However, Android apps also send out users’ sensitive information for legitimate functions. Due to the fuzzy nature of the privacy leakage detection problem, we formulate it as a justification problem, which aims to justify if a sensitive information transmission in an app serves any purpose, either for intended functions of the app itself or for other related functions. This formulation makes the problem more distinct and objective, and therefore more feasible to solve than before. We propose DroidJust, an automated approach to justifying an app’s sensitive information transmission by bridging the gap between the sensitive information transmission and application functions. We also implement a prototype of DroidJust and evaluate it with over 6000 Google Play apps and over 300 known malware collected from VirusTotal. Our experiments show that our tool can effectively and efficiently analyze Android apps w.r.t their sensitive information flows and functionalities, and can greatly assist in detecting privacy leakage.
Keywords: Android security, privacy leakage detection, static taint analysis (ID#: 15-7559)


Yuanzhong Xu, Emmett Witchel; “Maxoid: Transparently Confining Mobile Applications with Custom Views of State,” EuroSys ’15 Proceedings of the Tenth European Conference on Computer Systems, April 2015, Article No. 26. doi:10.1145/2741948.2741966
Abstract: We present Maxoid, a system that allows an Android app to process its sensitive data by securely invoking other, untrusted apps. Maxoid provides secrecy and integrity for both the invoking app and the invoked app. For each app, Maxoid presents custom views of private and public state (files and data in content providers) to transparently redirect unsafe data flows and minimize disruption. Maxoid supports unmodified apps with full security guarantees, and also introduces new APIs to improve usability. We show that Maxoid can improve security for popular Android apps with minimal performance overheads.
Keywords: (not provided) (ID#: 15-7560)


Daniel R. Thomas, Alastair R. Beresford, Andrew Rice; “Security Metrics for the Android Ecosystem,” SPSM ’15 Proceedings
of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices
, October 2015,
Pages 87–98. doi:10.1145/2808117.2808118
Abstract: The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and exposure to critical vulnerabilities. Using a corpus of 20 400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators. This provides a comparison point for purchasers and regulators to determine which device manufacturers and network operators provide security updates and which do not. We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10. In our data, Nexus devices do considerably better than average with a score of 5.17; and LG is the best manufacturer with a score of 3.97.
Keywords: android, ecosystems, metrics, updates, vulnerabilities (ID#: 15-7561)


Antonio Bianchi, Yanick Fratantonio, Christopher Kruegel, Giovanni Vigna; “NJAS: Sandboxing Unmodified Applications in Non-Rooted Devices Running Stock Android,” SPSM ’15 Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, October 2015, Pages 27–38. doi:10.1145/2808117.2808122
Abstract: Malware poses a serious threat to the Android ecosystem. Moreover, even benign applications can sometimes constitute security and privacy risks to their users, as they might contain vulnerabilities, or they might perform unwanted actions. Previous research has shown that the current Android security model is not sufficient to protect against these threats, and several solutions have been proposed to enable the specification and enforcing of finer-grained security policies. Unfortunately, many existing solutions suffer from several limitations: they require modifications to the Android framework, root access to the device, to create a modified version of an existing app that cannot be installed without enabling unsafe options, or they cannot completely sandbox native code components. In this work, we propose a novel approach that aims to sandbox arbitrary Android applications. Our solution, called NJAS, works by executing an Android application within the context of another one, and it achieves sandboxing by means of system call interposition. In this paper, we show that our solution overcomes major limitations that affect existing solutions. In fact, it does not require any modification to the framework, does not require root access to the device, and does not require the user to enable unsafe options. Moreover, the core sandboxing mechanism cannot be evaded by using native code components.
Keywords: android, code sandboxing, mobile security, system call interposition (ID#: 15-7562)


Suzanna Schmeelk, Junfeng Yang, Alfred Aho; “Android Malware Static Analysis Techniques,” CISR ’15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 5. doi:10.1145/2746266.2746271
Abstract: During 2014, Business Insider announced that there are over a billion users of Android worldwide. Government officials are also trending towards acquiring Android mobile devices. Google’s application architecture is already ubiquitous and will keep expanding. The beauty of an application-based architecture is the flexibility, interoperability and customizability it provides users. This same flexibility, however, also allows and attracts malware development.  This paper provides a horizontal research analysis of techniques used for Android application malware analysis. The paper explores techniques used by Android malware static analysis methodologies. It examines the key analysis efforts used by examining applications for permission leakage and privacy concerns. The paper concludes with a discussion of some gaps of current malware static analysis research.
Keywords: Android Application Security, Cyber Security, Java, Malware Analysis, Static Analysis (ID#: 15-7563)


Yajin Zhou, Lei Wu, Zhi Wang, Xuxian Jiang; “Harvesting Developer Credentials in Android Apps,” WiSec ’15
Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks
, June 2015, Article No. 23. doi:10.1145/2766498.2766499
Abstract: Developers often integrate third-party services into their apps. To access a service, an app must authenticate itself to the service with a credential. However, credentials in apps are often not properly or adequately protected, and might be easily extracted by attackers. A leaked credential could pose serious privacy and security threats to both the app developer and app users.  In this paper, we propose CredMiner to systematically study the prevalence of unsafe developer credential uses in Android apps. CredMiner can programmatically identify and recover (obfuscated) developer credentials unsafely embedded in Android apps. Specifically, it leverages data flow analysis to identify the raw form of the embedded credential, and selectively executes the part of the program that builds the credential to recover it. We applied CredMiner to 36,561 apps collected from various Android markets to study the use of free email services and Amazon AWS. There were 237 and 196 apps that used these two services, respectively. CredMiner discovered that 51.5% (121/237) and 67.3% (132/196) of them were vulnerable. In total, CredMiner recovered 302 unique email login credentials and 58 unique Amazon AWS credentials, and verified that 252 and 28 of these credentials were still valid at the time of the experiments, respectively.
Keywords: Amazon AWS, CredMiner, information flow, static analysis (ID#: 15-7564)


Luyi Xing, Xiaolong Bai, Tongxin Li, XiaoFeng Wang, Kai Chen, Xiaojing Liao, Shi-Min Hu, Xinhui Han; “Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS-X and iOS,” CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, Pages 31–43. doi:10.1145/2810103.2813609
Abstract: On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today’s OSes, less clear is whether such isolation is effective against different kind of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS~X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS~X and URL Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS~X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS~X, helping protect vulnerable apps before the problems can be fully addressed.
Keywords: MACH-O, OS X, XARA, apple, attack, confuse deputy, cross-app resource access, iOS, program analysis, vulnerability (ID#: 15-7565)


Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu; “iRiS: Vetting Private API Abuse in iOS Applications,”
CCS ’15 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015,
Pages 44–56. doi:10.1145/2810103.2813675
Abstract: With the booming sale of iOS devices, the number of iOS applications has increased significantly in recent years. To protect the security of iOS users, Apple requires every iOS application to go through a vetting process called App Review to detect uses of private APIs that provide access to sensitive user information. However, recent attacks have shown the feasibility of using private APIs without being detected during App Review. To counter such attacks, we propose a new iOS application vetting system, called iRiS, in this paper. iRiS first applies fast static analysis to resolve API calls. For those that cannot be statically resolved, iRiS uses a novel iterative dynamic analysis approach, which is slower but more powerful compared to static analysis. We have ported Valgrind to iOS and implemented a prototype of iRiS on top of it. We evaluated iRiS with 2019 applications from the official App Store. From these, iRiS identified 146 (7%) applications that use a total number of 150 different private APIs, including 25 security-critical APIs that access sensitive user information, such as device serial number. By analyzing iOS applications using iRiS, we also identified a suspicious advertisement service provider which collects user privacy information in its advertisement serving library. Our results show that, contrary to popular belief, a nontrivial number of iOS applications that violate Apple’s terms of service exist in the App Store. iRiS is effective in detecting private API abuse missed by App Review.
Keywords: application vetting, binary instrumentation, dynamic analysis, forced execution, iOS, private API, static analysis
(ID#: 15-7566)


Kevin Boos, Ardalan Amiri Sani, Lin Zhong; “Eliminating State Entanglement with Checkpoint-Based Virtualization of Mobile OS Services,” APSys ’15 Proceedings of the 6th Asia-Pacific Workshop on Systems, July 2015, Article No. 20. doi:10.1145/2797022.2797041
Abstract: Mobile operating systems have adopted a service model in which applications access system functionality by interacting with various OS Services in separate processes. These interactions cause application-specific states to be spread across many service processes, a problem we identify as state entanglement. State entanglement presents significant challenges to a wide variety of computing goals: fault isolation, fault tolerance, application migration, live update, and application speculation. We propose CORSA, a novel virtualization solution that uses a lightweight checkpoint/restore mechanism to virtualize OS Services on a per-application basis. This cleanly encapsulates a single application’s service-side states into a private virtual service instance, eliminating state entanglement and enabling the above goals. We present empirical evidence that our ongoing implementation of CORSA on Android is feasible with low overhead, even in the worst case of high frequency service interactions.
Keywords: (not provided) (ID#: 15-7567)


Tai-Lun Tseng, Shih-Hao Hung, Chia-Heng Tu; “Migratom.js: A Javascript Migration Framework for Distributed Web Computing and Mobile Devices,” SAC ’15 Proceedings of the 30th Annual ACM Symposium on Applied Computing, April 2015, Pages 798–801. doi:10.1145/2695664.2695987
Abstract: The emerging HTML5 technologies aim to enhance web apps with increased capabilities on mobile devices, as device-to-device computing becomes important in the future. To enable new application scenarios by making HTML5 execution environment dynamic and efficient, we propose a JavaScript framework Migratom.js, which manages task offloading and code migration with the flow-based programming paradigm. Migratom.js accelerates mobile web apps by offloading compute-intensive tasks to superior computing resources and enables the development of distributed HTML5 applications. This paper describes the design and implementation of Migratom.js and conducts case studies to evaluate the proposed framework. The results show that our framework is suitable for augmenting existing and emerging mobile applications.
Keywords: JavaScript, flow-based programming, mobile computing, remote execution (ID#: 15-7568)


Ajay Kumar Jha, Seungmin Lee, Woo Jin Lee; “Permission-Based Security in Android Application: From Policy Expert to
End User,”
RACS Proceedings of the 2015 Conference on Research in Adaptive and Convergent Systems, October 2015,
Pages 319–320. doi:10.1145/2811411.2811493
Abstract: Though filtering of malicious applications is performed at Play Store, some malicious applications escape the filtering process. Thus, it becomes necessary to take strong security measures at other levels. Security in Android can be enforced at system and application levels. At system level Android uses sandboxing technique while at application level it uses permission. In this paper we briefly discuss the permission-based security implemented in Android through three different perspectives—policy expert, developer, and end user.
Keywords: android, permission, policy, privacy, security (ID#: 15-7569)


Tobias Distler, Christopher Bahn, Alysson Bessani, Frank Fischer, Flavio Junqueira; “Extensible Distributed Coordination,” EuroSys ’15 Proceedings of the Tenth European Conference on Computer Systems, April 2015,
Article No. 10. doi:10.1145/2741948.2741954
Abstract: Most services inside a data center are distributed systems requiring coordination and synchronization in the form of primitives like distributed locks and message queues. We argue that extensibility is a crucial feature of the coordination infrastructures used in these systems. Without the ability to extend the functionality of coordination services, applications might end up using sub-optimal coordination algorithms, possibly leading to low performance. Adding extensibility, however, requires mechanisms that constrain extensions to be able to make reasonable security and performance guarantees. We propose a scheme that enables extensions to be introduced and removed dynamically in a secure way. To avoid performance overheads due to poorly designed extensions, it constrains the access of extensions to resources. Evaluation results for extensible versions of ZooKeeper and DepSpace show that it is possible to increase the throughput of a distributed queue by more than an order of magnitude (17x for ZooKeeper, 24x for DepSpace) while keeping the underlying coordination kernel small.
Keywords: DepSpace, ZooKeeper, coordination services, distributed algorithms, extensibility (ID#: 15-7570)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.