Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications

Presented at Black Hat USA 2014, Aug. 7, 2014, 2:50 p.m. (25 minutes)

We identified a set of vulnerabilities that common Android Apps programming (mis)practices might introduce. We developed an effective static analyzer to automatically detect a set of vulnerabilities rising by incorrect Android's Inter-Component Communication usage. We completed our analysis by automatically demonstrating whether the vulnerabilities identified by static analysis can actually be exploited or not at run-time by an attacker. We adopted a formal and sound approach to automatically produce malicious payloads able to reproduce the dangerous behavior in vulnerable applications. The lack of exhaustive sanity checks when receiving messages from unknown sources is the evidence of the underestimation of this problem in real world application development.

Presenters:

• Daniele Gallingani
  Graduated at UIC in the Computer Science Master Program in May 2013, I worked as a research assistant focusing on research interests related to Android security issues. I am currently a master student at Politecnico di Milano. I also co-founded a company that offers technological consultancy to both startups and consolidated companies.

Links:

• https://www.blackhat.com/us-14/archives.html#static-detection-and-automatic-exploitation-of-intent-message-vulnerabilities-in-android-applications
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android.mp4
• https://www.youtube.com/watch?v=clVBOP7XJM8

Similar Presentations:

• BruCON 0x0A (2018) / Hunting Android Malware: A novel runtime technique for identifying malicious applications
• Black Hat Europe 2015 / AndroBugs Framework: An Android Application Security Vulnerability Scanner
• DEF CON 19 (2011) / Seven Ways to Hang Yourself with Google Android