Computing Reviews
IntentFuzzer: detecting capability leaks of Android applications
Yang K., Zhuge J., Wang Y., Zhou L., Duan H. ASIA CCS 2014 (Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, Kyoto, Japan, Jun 4-6, 2014), 531-536. 2014. Type: Proceedings
Date Reviewed: Jul 31 2014

Preserving the confidentiality of private data in mobile devices is currently a major security concern. For this reason, Android requires a program (app) to explicitly obtain permissions at installation time in order to access private data. Nevertheless, Android applications can communicate through intents. Therefore, an app without a permission may obtain confidential data through an intent sent by an app owning that permission.

IntentFuzzer automatically tests Android apps to detect if, when asking an app for an intent, the app uses some permissions without checking if the caller app owns such permissions. In this way, it can detect if an app that does not require a permission could access confidential data through another app. The system is very simple and relies on existing tools, but it investigates a novel security threat that has not been deeply studied yet. The tool was applied to a huge number of apps, and it found hundreds that leak capabilities through intents. These experiments show that many applications are vulnerable to this type of attack, a major security issue for mobile devices.

While this work does not introduce a new theoretical approach, it does integrate existing methods and tools into a comprehensive system. It represents an important milestone in the understanding of the current limits of the Android permission system. Experts in software engineering, particularly in static and dynamic analysis, may therefore find in this paper new hints and new scenarios in which to introduce formal methods to improve the security of mobile apps. In particular, IntentFuzzer detects a capability leak, but not whether private data is leaked or which data. Determining this would be a natural follow-up to this work.

Reviewer: Pietro Ferrara
Review #: CR142570 (1411-0968)
Testing And Debugging (D.2.5)
Software/Program Verification (D.2.4)
 