Journal of KIISE (정보과학회 논문지)

Korean Institute of Information Scientists and Engineers (한국정보과학회)
권호 표지
DOI QR코드

DOI QR Code

A Runtime Inspection Technique with Intent Specification for Developing Robust Android Apps

강건한 안드로이드 어플리케이션 개발을 위한 실행시간 인텐트 명세 검사 기법

  • 고명필 (연세대학교 컴퓨터정보통신공학부) ;
  • 최광훈 (연세대학교 컴퓨터정보통신공학부) ;
  • 창병모 (숙명여자대학교 컴퓨터과학과)
  • Received : 2015.10.14
  • Accepted : 2015.11.26
  • Published : 2016.02.15
⟨ Previous Next ⟩

Abstract

Android apps suffer from intent vulnerabilities in that they abnormally stop execution when Android components such as, activity, service, and broadcast receiver, take malformed intents. This paper proposes a method to prevent intent vulnerabilities by allowing programmers to write a specification on intents that a component expects to have, and by checking intents against the specification in runtime. By declaring intent specifications, we can solve the problem that one may miss writing conditional statements, which check the validity of intents, or one may mix those statements with another regular code, so making it difficult to maintain them. We perform an experiment by applying the proposed method to 7 Android apps, and confirm that many of abnormal termination of the apps because of malformed intents can be avoided by the intent specification based runtime assertion.

안드로이드 앱의 액티비티, 서비스, 브로드캐스트 리시버와 같은 컴포넌트에 부적절한 인텐트를 전달하면 비정상적으로 종료되는 인텐트 취약점 문제가 빈번하게 발생한다. 이 논문은 안드로이드 컴포넌트가 기대하는 인텐트 명세를 개발자가 직접 기술하고, 실행시간에 이 컴포넌트에 전달된 인텐트를 검사하여 인텐트 취약점을 방지하는 방법을 제안한다. 인텐트 유효성을 검사하는 여러 조건문이 실수로 누락되거나 다른 코드와 섞여 유지 보수하기 어려운 점을 이 논문에서 제안하는 인텐트 명세를 선언함으로써 해결할 수 있다. 7개의 안드로이드 앱에 대해 제안한 방법을 적용한 실험 결과 인텐트 명세 기반 실행시간 검사 방법을 통해 앱의 비정상 종료를 방지할 수 있었다.

Keywords

Acknowledgement

Supported by : 한국산업기술진흥원, 한국연구재단

References

  1. Android APIs, [Online]. Available: http://developer.android.com.
  2. A. K. Maji, F. A. Arshad, S. Bagchi, and J. S. Rellermeyer, "An Empirical Study of the Robustness of Inter-component Communication in Android," Proc. of the 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (DSN'12), IEEE Computer society, Washington, DC, USA, pp. 1-12, 2012.
  3. J. Burns, Intent Fuzzer, [Online]. Available: https://www.isecpartners.com-/tools/mobile-security/intent-fuzzer.aspx, iSEC Partners, 2009.
  4. R. Sasnauskas and J. Regehr, "Intent Fuzzer: Crafting Intents of Death," Proc. of the 2014 Joint International Workshop on Dynamic Analysis (WODA) and Software and System Performance Testing, Debugging, and Analytics (PERTEA), pp. 1-5, San Jose, CA, 2014, ACM.
  5. F. J. Hui Ye, S. Cheng, and L. Zhang, "DroidFuzzer: Fuzzing the Android Apps with Intent-filter Tag," Proc. of International Conference on Advances in Mobile Computing & Multimedia (MoMM), pp. 68-74, Vienna, Austria, 2013, ACM.
  6. M. P. Roee Hay and O. Tripp, "Dynamic Detection of Inter-application Communication Vulnerabilities in Android," Proc. of the 2015 International Symposium on Software Testing and Analysis (ISSTA), pp. 118-128, New York, NY, USA, 2015, ACM.
  7. M. Ko, K. Choi, and B-M, Chang, "A Flexible Intent Fuzzer with an Automatic Tally of Failures for Detecting Vulnerabilities of Android App," Technical Report TR-SEP-2015-3, Sep. 2015.
  8. J. Gosling, B. Joy, G. L. Steel, G Bracha, and A. Buckley, The JavaTM Language Specification, Java SE 8 Edition. Oracle, 2014.
  9. JaeChul Ryu, Eunseon Jo, Moon-Joo Kim, Jin Kwak, Development of Mobile Software Security Testing Tool for Detecting New Android Vulnerabilities, Journal of Korea Institute of Information security and Cryptology, Vol. 25, No. 1, pp. 57-59, Feb. 2015.
  10. Sehwan Yeo, Jin Lee, Jungsun Kim, Blocking Harmful Application by Intent Monitoring in the Android Platofrm, KIISE Transactions on Computing Practices, Vol. 19, No. 5, pp. 273-277, May 2013.
  11. Min Jae Jo, Ji Sun Shin, Study on Security Vulnerabilities of Implicit Intents in Android, Journal of the Korea Institute of Information Security & Cryptology, Vol. 24, No. 6, pp. 1175-1184, Dec. 2014. https://doi.org/10.13089/JKIISC.2014.24.6.1175
  12. Joon-Seok Oh, Miyoung Kang, Jin-Young Choi, "Research on Android App API Coding Guide," Proc. of Korea Computer Congress 2010, The Korean Institute of Information Scientists and Engineers, Vol. 37, No. 2(C), pp. 129-132, Nov. 2010.
  13. Myungpil Ko, A Design and Implementation of Intent Specification Language for Robust Android Apps, MS Thesis, Computer Science in Yonsei University, Aug. 2015.
  14. Spoon-Processor for Java annotations, [Online]. Available: http://spoon.gforge.inria.fr/processor_annotations.html
  15. R. Meier, Professional Android 4 Application Development, 3rd Ed., Wrox, Hoboken, NJ, USA, 2012.
  16. Z. Mednieks, G. B. Meike, and L. Dornin, Enterprise Android: Programming Android Database Applications for the Enterprise, John Wiley & Sons, Somerset, NJ, USA, 2013.