All Your App Links Are Belong to Us: Understanding the Threats of Instant Apps Based Attacks
An Android deep link is a URL that takes users to a specific page of a mobile app, enabling a seamless user experience from a web page to an app. The Android app link, a new type of deep link introduced in Android 6.0, is claimed to offer more benefits, such as supporting instant apps and providing more secure verification to protect against hijacking attacks that previous deep links cannot. However, we find that the app link is not as secure as claimed, because the verification process can be bypassed by exploiting instant apps.
In this paper, we explore the weaknesses of the existing app link mechanism and propose three feasible hijacking attacks. Our findings show that even popular apps are subject to these attacks, such as Twitter, WhatsApp and Facebook Messenger. Our observation has been confirmed by Google. To measure the severity of these vulnerabilities, we develop an automatic tool to detect vulnerable apps and perform a large-scale empirical study on 400,000 Android apps.
Experimental results suggest that app link hijacking vulnerabilities are prevalent in the ecosystem. Specifically, 27.1% of apps are vulnerable to link hijacking with smart text selection (STS); 30.0% of apps are vulnerable to link hijacking without STS; and all instant apps are vulnerable to the instant app attack. We provide an in-depth understanding of the mechanisms behind these types of attacks. Furthermore, we propose corresponding detection and defense methods that successfully prevent the proposed hijackings for all evaluated apps, thus raising the bar against attacks on Android app links. Our insights and findings demonstrate the urgency of identifying and preventing app link hijacking attacks.
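The "verification" the abstract contrasts with ordinary deep links is Android's Digital Asset Links check: an http/https intent filter marked android:autoVerify="true" is accepted as an app link only if https://<host>/.well-known/assetlinks.json carries a statement with relation delegate_permission/common.handle_all_urls that names the app's package and the SHA-256 fingerprint of its signing certificate; a custom-scheme URL, or an http(s) filter whose host publishes no matching statement, is a plain deep link that any installed app may also register for. The script below is an added illustration of that distinction and is not the paper's detection tool or the authors' code. It parses a constructed manifest (package com.example.demo, hosts chat.example.com and legacy.example.com, scheme demo) against constructed assetlinks.json contents and a constructed certificate fingerprint, reading the manifest flags and statement files offline rather than performing the system's network fetch; these names and values are assumptions for the example.

```python
"""Classify an Android manifest's URL handlers as verified app links or deep links.
Added illustration, not the paper's detection tool. The manifest, hosts, package
name, assetlinks.json contents and certificate fingerprint are all constructed."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(name):
    return "{%s}%s" % (ANDROID_NS, name)  # android:<name> as ElementTree reports it

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".ChatActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="chat.example.com"/>
      </intent-filter>
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="legacy.example.com"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed SHA-256 fingerprint of the sample app's signing certificate.
DEMO_FINGERPRINT = ":".join("%02X" % ((17 * i) % 256) for i in range(32))

# Constructed statement lists keyed by host, standing in for what
# https://<host>/.well-known/assetlinks.json would return; legacy.example.com publishes nothing.
SAMPLE_ASSETLINKS = {
    "chat.example.com": json.dumps([{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {"namespace": "android_app",
                   "package_name": "com.example.demo",
                   "sha256_cert_fingerprints": [DEMO_FINGERPRINT]},
    }]),
}

def url_filters(manifest_xml):
    """One record per URL pattern declared in a VIEW + BROWSABLE intent filter."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    records = []
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            actions = {e.get(android_attr("name")) for e in filt.findall("action")}
            cats = {e.get(android_attr("name")) for e in filt.findall("category")}
            if ("android.intent.action.VIEW" not in actions
                    or "android.intent.category.BROWSABLE" not in cats):
                continue
            auto_verify = filt.get(android_attr("autoVerify")) == "true"
            for data in filt.findall("data"):
                scheme = data.get(android_attr("scheme"))
                host = data.get(android_attr("host"))
                if scheme is None or host is None:
                    continue
                # Only http/https filters marked autoVerify are app-link candidates.
                kind = "app link" if (scheme in ("http", "https") and auto_verify) else "deep link"
                records.append({"package": package, "scheme": scheme, "host": host, "kind": kind})
    return records

def statement_authorizes(statements_json, package, fingerprint):
    """True if a statement grants handle_all_urls to this package and signing cert."""
    for statement in json.loads(statements_json):
        if "delegate_permission/common.handle_all_urls" not in statement.get("relation", []):
            continue
        target = statement.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        known = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if fingerprint.upper() in known:
            return True
    return False

def audit(manifest_xml, assetlinks_by_host, fingerprint):
    """Return (scheme, host, status) for every URL handler the manifest declares."""
    report = []
    for rec in url_filters(manifest_xml):
        if rec["kind"] != "app link":
            status = "plain deep link: any installed app may also claim this URL"
        else:
            statements = assetlinks_by_host.get(rec["host"])
            if statements and statement_authorizes(statements, rec["package"], fingerprint):
                status = "verified app link"
            else:
                status = "autoVerify set but no matching statement: behaves as a deep link"
        report.append((rec["scheme"], rec["host"], status))
    return report
```

Calling audit(SAMPLE_MANIFEST, SAMPLE_ASSETLINKS, DEMO_FINGERPRINT) reports chat.example.com as a verified app link, legacy.example.com as an autoVerify filter with no backing statement (so it is handled like any other deep link), and demo://open as a plain deep link. To run the check against a real APK, extract the decoded manifest (for example with apktool or aapt2) and fetch each host's assetlinks.json over HTTPS in place of SAMPLE_ASSETLINKS; the statement test itself is unchanged.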
Fri 13 Nov (times shown in UTC)
08:00 - 08:30: Mobile. Paper Presentations / Student Research Competition / Research Papers / Journal First, at Virtual room 2
08:00 - 08:02 Talk | All Your App Links Are Belong to Us: Understanding the Threats of Instant Apps Based Attacks (Research Papers). Yutian Tang (ShanghaiTech University), Yulei Sui (University of Technology Sydney), Haoyu Wang (Beijing University of Posts and Telecommunications), Xiapu Luo (Hong Kong Polytechnic University, China), Hao Zhou (Hong Kong Polytechnic University, China), Zhou Xu (Chongqing University, China)
08:03 - 08:04 Talk | Borrowing Your Enemy’s Arrows: The Case of Code Reuse in Android via Direct Inter-app Code Invocation (Research Papers). Jun Gao (University of Luxembourg, Luxembourg), Li Li (Monash University, Australia), Pingfan Kong (University of Luxembourg, Luxembourg), Tegawendé F. Bissyandé (University of Luxembourg, Luxembourg), Jacques Klein (University of Luxembourg, Luxembourg)
08:05 - 08:06 Talk | Impact of Programming Languages on Energy Consumption for Mobile Devices (Student Research Competition). Zamira Kholmatova (Innopolis University, Russia)
08:07 - 08:08 Talk | Rebooting Research on Detecting Repackaged Android Apps: Literature Review and Benchmark (Journal First). Li Li (Monash University, Australia), Tegawendé F. Bissyandé (University of Luxembourg, Luxembourg), Jacques Klein (University of Luxembourg, Luxembourg)
08:09 - 08:10 Talk | Static Asynchronous Component Misuse Detection for Android Applications (Research Papers). Linjie Pan (Institute of Software at Chinese Academy of Sciences, China), Baoquan Cui (Institute of Software at Chinese Academy of Sciences, China), Hao Liu (Beijing University of Technology, China), Jiwei Yan (Institute of Software at Chinese Academy of Sciences, China), Siqi Wang (Beijing University of Technology, China), Jun Yan (Institute of Software at Chinese Academy of Sciences, China), Jian Zhang (Institute of Software at Chinese Academy of Sciences, China)
08:11 - 08:30 Talk | Conversations on Mobile 2 (Paper Presentations). Jun Gao (University of Luxembourg, Luxembourg), Li Li (Monash University, Australia), Linjie Pan (Institute of Software at Chinese Academy of Sciences, China), Yutian Tang (ShanghaiTech University), Zamira Kholmatova (Innopolis University, Russia); moderator: David Lo (Singapore Management University)