DOI QR코드

DOI QR Code

A Practical Intent Fuzzing Tool for Robustness of Inter-Component Communication in Android Apps

  • Choi, Kwanghoon (Dept. of Electronics and Computer Engineering, Chonnam National University) ;
  • Ko, Myungpil (Computer&Telecommunication Engineering Division, Yonsei University) ;
  • Chang, Byeong-Mo (Dept. of Computer Science, Sookmyung Women's University)
  • Received : 2017.08.01
  • Accepted : 2018.05.03
  • Published : 2018.09.30

Abstract

This research aims at a new practical Intent fuzzing tool for detecting Intent vulnerabilities of Android apps causing the robustness problem. We proposed two new ideas. First, we designed an Intent specification language to describe the structure of Intent, which makes our Intent fuzz testing tool flexible. Second, we proposed an automatic tally method classifying unique failures. With the two ideas, we implemented an Intent fuzz testing tool called Hwacha, and evaluated it with 50 commercial Android apps. Our tool offers an arbitrary combination of automatic and manual Intent generators with executors such as ADB and JUnit due to the use of the Intent specification language. The automatic tally method excluded almost 80% of duplicate failures in our experiment, reducing efforts of testers very much in review of failures. The tool uncovered more than 400 unique failures including what is unknown so far. We also measured execution time for Intent fuzz testing, which has been rarely reported before. Our tool is practical because the whole procedure of fuzz testing is fully automatic and the tool is applicable to the large number of Android apps with no human intervention.

Keywords

References

  1. Google, "Android Developers," 2012. [Online].
  2. J. Burns, "Intent Fuzzer," 2009. [Online].
  3. A. K. Maji, F. A. Arshad, S. Bagchi, and J. S. Rellermeyer, "An empirical study of the robustness of Inter-component Communication in Android," in Proc. of Proceedings of the International Conference on Dependable Systems and Networks, pp. 1-12, June 25-28, 2012.
  4. H. Ye, S. Cheng, L. Zhang, and F. Jiang, "DroidFuzzer : Fuzzing the Android Apps with," in Proc. of Int. Conf. Adv. Mob. Comput. Multimed., pp. 2-4, December 2-4, 2013.
  5. R. Sasnauskas and J. Regehr, "Intent fuzzer: crafting intents of death," in Proc. of the 2014 Joint Int'l Workshop on Dynamic Analysis and Software and System Performance Testing, Debugging, and Analytics - WODA+PERTEA 2014, pp. 1-5, July 22, 2014.
  6. R. Hay, O. Tripp, and M. Pistoia, "Dynamic detection of inter-application communication vulnerabilities in Android," in Proc. of Proceedings of the 2015 International Symposium on Software Testing and Analysis - ISSTA 2015, pp. 118-128, July 13-17, 2015.
  7. W. Tianjun and Y. Yuexiang, "Crafting Intents to Detect ICC Vulnerabilities of Android Apps," in Proc. of Int'l Conference on Computational Intelligence and Security, pp. 16-19, December 16-19, 2016.
  8. D. S. Hirschberg, "A linear space algorithm for computing maximal common subsequences," Commun. ACM, vol. 18, no. 6, pp. 341-343, June, 1975. https://doi.org/10.1145/360825.360861
  9. K. Choi, "Hwacha, a Flexible Intent Fuzzer with an Automatic Tally of Failures for Android." [Online].
  10. S. Arzt et al., "FlowDroid : Precise Context , Flow , Field , Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps," in Proc. of 35th ACM SIGPLAN Conf. Program. Lang. Des. Implement., pp. 259-269, June 9-11, 2014.
  11. K. Yang, J. Zhuge, Y. Wang, L. Zhou, and H. Duan, "IntentFuzzer: detecting capability leaks of android applications," in Proc. of Proceedings of the 9th ACM symposium on Information, computer and communications security, pp. 531-536, June 4-6, 2014.
  12. M. Ko, "A Design and Implementation of Intent Specification Language for Robust Android Apps," Master Thesis, Yonsei University, Wonju, Korea, August 2015.