Presented at
Black Hat USA 2014,
Aug. 7, 2014, 2:50 p.m.
(25 minutes).
We identified a set of vulnerabilities that common Android Apps programming (mis)practices might introduce.
We developed an effective static analyzer to automatically detect a set of vulnerabilities rising by incorrect Android's Inter-Component Communication usage.
We completed our analysis by automatically demonstrating whether the vulnerabilities identified by static analysis can actually be exploited or not at run-time by an attacker.
We adopted a formal and sound approach to automatically produce malicious payloads able to reproduce the dangerous behavior in vulnerable applications.
The lack of exhaustive sanity checks when receiving messages from unknown sources is the evidence of the underestimation of this problem in real world application development.
Presenters:
-
Daniele Gallingani
Graduated at UIC in the Computer Science Master Program in May 2013, I worked as a research assistant focusing on research interests related to Android security issues. I am currently a master student at Politecnico di Milano. I also co-founded a company that offers technological consultancy to both startups and consolidated companies.
Links:
Similar Presentations: