TY - GEN
T1 - Towards analyzing the input validation vulnerabilities associated with android system services
AU - Cao, Chen
AU - Gao, Neng
AU - Liu, Peng
AU - Xiang, Ji
N1 - Publisher Copyright: © 2015 ACM.
PY - 2015/12/7
Y1 - 2015/12/7
N2 - Although the input validation vulnerabilities play a critical role in web application security, such vulnerabilities are so far largely neglected in the Android security research community. We found that due to the unique Framework Code layer, Android devices do need specific input validation vulnerability analysis in system services. In this work, we take the first steps to analyze Android specific input validation vulnerabilities. In particular, a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services. b) We developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all the Android system services by sending requests with malformed arguments to them. Through comprehensive evaluation of Android system with over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. We have reported all the issues to Google and Google has confirmed them.
AB - Although the input validation vulnerabilities play a critical role in web application security, such vulnerabilities are so far largely neglected in the Android security research community. We found that due to the unique Framework Code layer, Android devices do need specific input validation vulnerability analysis in system services. In this work, we take the first steps to analyze Android specific input validation vulnerabilities. In particular, a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services. b) We developed a new input validation vulnerability scanner for Android devices. This tool fuzzes all the Android system services by sending requests with malformed arguments to them. Through comprehensive evaluation of Android system with over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services. We have reported all the issues to Google and Google has confirmed them.
UR - http://www.scopus.com/inward/record.url?scp=84959334018&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84959334018&partnerID=8YFLogxK
U2 - 10.1145/2818000.2818033
DO - 10.1145/2818000.2818033
M3 - Conference contribution
AN - SCOPUS:84959334018
T3 - ACM International Conference Proceeding Series
SP - 361
EP - 370
BT - Proceedings - 31st Annual Computer Security Applications Conference, ACSAC 2015
PB - Association for Computing Machinery
T2 - 31st Annual Computer Security Applications Conference, ACSAC 2015
Y2 - 7 December 2015 through 11 December 2015
ER -