Automatically exploiting potential component leaks in Android applications

Li Li; Alexandre Bartel; Jacques Klein; Yves Le Traon

doi:10.1109/TrustCom.2014.50

Automatically exploiting potential component leaks in Android applications

Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

38 Citations (Scopus)

Abstract

We present PCLeaks, a tool based on inter-component communication (ICC) vulnerabilities to perform data-flow analysis on Android applications to find potential component leaks that could potentially be exploited by other components. To evaluate our approach, we run PCLeaks on 2000 apps randomly selected from the Google Play store. PCLeaks reports 986 potential component leaks in 185 apps. For each leak reported by PCLeaks, PCLeaksValidator automatically generates an Android app which tries to exploit the leak. By manually running a subset of the generated apps, we find that 75% of the reported leaks are exploitable leaks.

Original language	English
Title of host publication	Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014
Editors	Yunhao Liu, Nei Kato, Keqiu Li, Jian Ren
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	388-397
Number of pages	10
ISBN (Electronic)	9781479965137
DOIs	https://doi.org/10.1109/TrustCom.2014.50
Publication status	Published - 2014
Externally published	Yes
Event	IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) 2014 - Beijing, China Duration: 24 Sep 2014 → 26 Sep 2014 Conference number: 13th

Conference

Conference	IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) 2014
Abbreviated title	TrustCom 2014
Country	China
City	Beijing
Period	24/09/14 → 26/09/14

Access to Document

10.1109/TrustCom.2014.50

Link to publication in Scopus

Cite this

Li, L., Bartel, A., Klein, J., & Traon, Y. L. (2014). Automatically exploiting potential component leaks in Android applications. In Y. Liu, N. Kato, K. Li, & J. Ren (Eds.), Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014 (pp. 388-397). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/TrustCom.2014.50

Li, Li ; Bartel, Alexandre ; Klein, Jacques ; Traon, Yves Le. / Automatically exploiting potential component leaks in Android applications. Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014. editor / Yunhao Liu ; Nei Kato ; Keqiu Li ; Jian Ren. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2014. pp. 388-397

@inproceedings{5d77e75202654b3b8407334c5157e42c,

title = "Automatically exploiting potential component leaks in Android applications",

abstract = "We present PCLeaks, a tool based on inter-component communication (ICC) vulnerabilities to perform data-flow analysis on Android applications to find potential component leaks that could potentially be exploited by other components. To evaluate our approach, we run PCLeaks on 2000 apps randomly selected from the Google Play store. PCLeaks reports 986 potential component leaks in 185 apps. For each leak reported by PCLeaks, PCLeaksValidator automatically generates an Android app which tries to exploit the leak. By manually running a subset of the generated apps, we find that 75% of the reported leaks are exploitable leaks.",

author = "Li Li and Alexandre Bartel and Jacques Klein and Traon, {Yves Le}",

year = "2014",

doi = "10.1109/TrustCom.2014.50",

language = "English",

pages = "388--397",

editor = "Liu, {Yunhao } and Kato, {Nei } and Li, {Keqiu } and Jian Ren",

booktitle = "Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) 2014, TrustCom 2014 ; Conference date: 24-09-2014 Through 26-09-2014",

}

Li, L, Bartel, A, Klein, J & Traon, YL 2014, Automatically exploiting potential component leaks in Android applications. in Y Liu, N Kato, K Li & J Ren (eds), Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014. IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 388-397, IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) 2014, Beijing, China, 24/09/14. https://doi.org/10.1109/TrustCom.2014.50

Automatically exploiting potential component leaks in Android applications. / Li, Li; Bartel, Alexandre; Klein, Jacques; Traon, Yves Le.

Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014. ed. / Yunhao Liu; Nei Kato; Keqiu Li; Jian Ren. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2014. p. 388-397.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Automatically exploiting potential component leaks in Android applications

AU - Li, Li

AU - Bartel, Alexandre

AU - Klein, Jacques

AU - Traon, Yves Le

N1 - Conference code: 13th

PY - 2014

Y1 - 2014

N2 - We present PCLeaks, a tool based on inter-component communication (ICC) vulnerabilities to perform data-flow analysis on Android applications to find potential component leaks that could potentially be exploited by other components. To evaluate our approach, we run PCLeaks on 2000 apps randomly selected from the Google Play store. PCLeaks reports 986 potential component leaks in 185 apps. For each leak reported by PCLeaks, PCLeaksValidator automatically generates an Android app which tries to exploit the leak. By manually running a subset of the generated apps, we find that 75% of the reported leaks are exploitable leaks.

AB - We present PCLeaks, a tool based on inter-component communication (ICC) vulnerabilities to perform data-flow analysis on Android applications to find potential component leaks that could potentially be exploited by other components. To evaluate our approach, we run PCLeaks on 2000 apps randomly selected from the Google Play store. PCLeaks reports 986 potential component leaks in 185 apps. For each leak reported by PCLeaks, PCLeaksValidator automatically generates an Android app which tries to exploit the leak. By manually running a subset of the generated apps, we find that 75% of the reported leaks are exploitable leaks.

UR - http://www.scopus.com/inward/record.url?scp=84923025805&partnerID=8YFLogxK

U2 - 10.1109/TrustCom.2014.50

DO - 10.1109/TrustCom.2014.50

M3 - Conference Paper

SP - 388

EP - 397

BT - Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014

A2 - Liu, Yunhao

A2 - Kato, Nei

A2 - Li, Keqiu

A2 - Ren, Jian

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) 2014

Y2 - 24 September 2014 through 26 September 2014

ER -

Li L, Bartel A, Klein J, Traon YL. Automatically exploiting potential component leaks in Android applications. In Liu Y, Kato N, Li K, Ren J, editors, Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2014. p. 388-397 https://doi.org/10.1109/TrustCom.2014.50