SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications

Daoyuan WU; Yao CHENG; Debin GAO; Yingjiu LI; Robert H. DENG

doi:10.1145/3176258.3176336

SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications

Daoyuan WU
, Yao CHENG
, Debin GAO
, Yingjiu LI
, Robert H. DENG

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

16 Citations (Scopus)

Abstract

Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3% stub code) and nearly no slowdown to normal intra-app communication. The worst-case performance overhead is only about 5%.

Original language	English
Title of host publication	CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy
Editors	Ziming ZHAO, Gail-Joon AHN, Ram KRISHNAN, Gabriel GHINITA
Publisher	Association for Computing Machinery, Inc
Chapter	Mobile Security
Pages	299-306
Number of pages	8
ISBN (Electronic)	9781450356329
DOIs	https://doi.org/10.1145/3176258.3176336
Publication status	Published - 13 Mar 2018
Externally published	Yes
Event	Eighth ACM Conference on Data and Application Security and Privacy - Tempe, United States Duration: 19 Mar 2018 → 21 Mar 2018

Conference

Conference	Eighth ACM Conference on Data and Application Security and Privacy
Abbreviated title	CODASPY '18
Country/Territory	United States
City	Tempe
Period	19/03/18 → 21/03/18

Bibliographical note

Acknowledgements:
We thank all the reviewers of this paper for their valuable comments.

Publisher Copyright:
© 2018 Association for Computing Machinery.

Funding

This work is partially supported by the Singapore National Research Foundation under NCR Award Number NRF2014NCR-NCR001-012.

Access to Document

10.1145/3176258.3176336

Cite this

WU, D., CHENG, Y., GAO, D., LI, Y., & DENG, R. H. (2018). SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications. In Z. ZHAO, G.-J. AHN, R. KRISHNAN, & G. GHINITA (Eds.), CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (pp. 299-306). Association for Computing Machinery, Inc. https://doi.org/10.1145/3176258.3176336

WU, Daoyuan ; CHENG, Yao ; GAO, Debin et al. / SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications. CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. editor / Ziming ZHAO ; Gail-Joon AHN ; Ram KRISHNAN ; Gabriel GHINITA. Association for Computing Machinery, Inc, 2018. pp. 299-306

@inproceedings{87bb21917ee348a3a704341fc9994b4b,

title = "SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications",

abstract = "Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3\% stub code) and nearly no slowdown to normal intra-app communication. The worst-case performance overhead is only about 5\%.",

author = "Daoyuan WU and Yao CHENG and Debin GAO and Yingjiu LI and DENG, \{Robert H.\}",

note = "Acknowledgements: We thank all the reviewers of this paper for their valuable comments. Publisher Copyright: {\textcopyright} 2018 Association for Computing Machinery.; Eighth ACM Conference on Data and Application Security and Privacy, CODASPY '18 ; Conference date: 19-03-2018 Through 21-03-2018",

year = "2018",

month = mar,

day = "13",

doi = "10.1145/3176258.3176336",

language = "English",

pages = "299--306",

editor = "Ziming ZHAO and Gail-Joon AHN and Ram KRISHNAN and Gabriel GHINITA",

booktitle = "CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy",

publisher = "Association for Computing Machinery, Inc",

address = "United States",

}

WU, D, CHENG, Y, GAO, D, LI, Y & DENG, RH 2018, SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications. in Z ZHAO, G-J AHN, R KRISHNAN & G GHINITA (eds), CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc, pp. 299-306, Eighth ACM Conference on Data and Application Security and Privacy, Tempe, Arizona, United States, 19/03/18. https://doi.org/10.1145/3176258.3176336

SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications. / WU, Daoyuan; CHENG, Yao; GAO, Debin et al.
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. ed. / Ziming ZHAO; Gail-Joon AHN; Ram KRISHNAN; Gabriel GHINITA. Association for Computing Machinery, Inc, 2018. p. 299-306.

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

TY - GEN

T1 - SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications

AU - WU, Daoyuan

AU - CHENG, Yao

AU - GAO, Debin

AU - LI, Yingjiu

AU - DENG, Robert H.

PY - 2018/3/13

Y1 - 2018/3/13

N2 - Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3% stub code) and nearly no slowdown to normal intra-app communication. The worst-case performance overhead is only about 5%.

AB - Cross-app collaboration via inter-component communication is a fundamental mechanism on Android. Although it brings the benefits such as functionality reuse and data sharing, a threat called component hijacking is also introduced. By hijacking a vulnerable component in victim apps, an attack app can escalate its privilege for operations originally prohibited. Many prior studies have been performed to understand and mitigate this issue, but no defense is being deployed in the wild, largely due to the deployment difficulties and performance concerns. In this paper we present SCLib, a secure component library that performs in-app mandatory access control on behalf of app components. It does not require firmware modification or app repackaging as in previous works. The library-based nature also makes SCLib more accessible to app developers, and enables them produce secure components in the first place over fragmented Android devices. As a proof of concept, we design six mandatory policies and overcome unique implementation challenges to mitigate attacks originated from both system weaknesses and common developer mistakes. Our evaluation using ten high-profile open source apps shows that SCLib can protect their 35 risky components with negligible code footprint (less than 0.3% stub code) and nearly no slowdown to normal intra-app communication. The worst-case performance overhead is only about 5%.

UR - https://www.scopus.com/pages/publications/85050401150

U2 - 10.1145/3176258.3176336

DO - 10.1145/3176258.3176336

M3 - Conference paper (refereed)

AN - SCOPUS:85050401150

SP - 299

EP - 306

BT - CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

A2 - ZHAO, Ziming

A2 - AHN, Gail-Joon

A2 - KRISHNAN, Ram

A2 - GHINITA, Gabriel

PB - Association for Computing Machinery, Inc

T2 - Eighth ACM Conference on Data and Application Security and Privacy

Y2 - 19 March 2018 through 21 March 2018

ER -

WU D, CHENG Y, GAO D, LI Y, DENG RH. SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications. In ZHAO Z, AHN GJ, KRISHNAN R, GHINITA G, editors, CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc. 2018. p. 299-306 doi: 10.1145/3176258.3176336

SCLib: A Practical and Lightweight Defense against Component Hijacking in Android Applications

Abstract

Conference

Bibliographical note

Funding

Access to Document

Other files and links

Fingerprint

Cite this