Borrowing Your Enemy’s Arrows: The Case of Code Reuse in Android via Direct Inter-app Code Invocation
The Android ecosystem offers different facilities to enable communication among app components and across apps, so that rich services can be composed through functionality reuse. At the heart of this system is the Inter-component communication (ICC) scheme, which has been extensively studied in the literature. Less known in the community is another powerful mechanism that allows for direct inter-app code invocation, which opens up different reuse scenarios, both legitimate and malicious. This paper exposes the general workflow for this mechanism, which, beyond ICCs, enables app developers to access and invoke functionalities (entire Java classes, methods or object fields) implemented in other apps using official Android APIs. We experimentally showcase how this reuse mechanism can be leveraged to “plagiarize” supposedly-protected functionalities. As a typical example, we were able to leverage this mechanism to bypass the security guards that a popular video broadcaster has put in place to prevent access to its video database from outside its provided app. We further contribute a static analysis toolkit, named DICIDer, for detecting direct inter-app code invocations in apps. An empirical analysis of the usage prevalence of this reuse mechanism is then conducted. Finally, we discuss the usage contexts as well as the implications of the studied reuse mechanism.
Fri 13 Nov. Displayed time zone: (UTC) Coordinated Universal Time
Session 08:00 - 08:30
08:00 | 2m | Talk | All Your App Links Are Belong to Us: Understanding the Threats of Instant Apps Based Attacks | Research Papers | Yutian Tang (ShanghaiTech University); Yulei Sui (University of Technology Sydney); Haoyu Wang (Beijing University of Posts and Telecommunications); Xiapu Luo (Hong Kong Polytechnic University, China); Hao Zhou (Hong Kong Polytechnic University, China); Zhou Xu (Chongqing University, China)
08:03 | 1m | Talk | Borrowing Your Enemy’s Arrows: The Case of Code Reuse in Android via Direct Inter-app Code Invocation | Research Papers | Jun Gao (University of Luxembourg, Luxembourg); Li Li (Monash University, Australia); Pingfan Kong (University of Luxembourg, Luxembourg); Tegawendé F. Bissyandé (University of Luxembourg, Luxembourg); Jacques Klein (University of Luxembourg, Luxembourg)
08:05 | 1m | Talk | Impact of Programming Languages on Energy Consumption for Mobile Devices | Student Research Competition | Zamira Kholmatova (Innopolis University, Russia)
08:07 | 1m | Talk | Rebooting Research on Detecting Repackaged Android Apps: Literature Review and Benchmark | Journal First | Li Li (Monash University, Australia); Tegawendé F. Bissyandé (University of Luxembourg, Luxembourg); Jacques Klein (University of Luxembourg, Luxembourg)
08:09 | 1m | Talk | Static Asynchronous Component Misuse Detection for Android Applications | Research Papers | Linjie Pan (Institute of Software at Chinese Academy of Sciences, China); Baoquan Cui (Institute of Software at Chinese Academy of Sciences, China); Hao Liu (Beijing University of Technology, China); Jiwei Yan (Institute of Software at Chinese Academy of Sciences, China); Siqi Wang (Beijing University of Technology, China); Jun Yan (Institute of Software at Chinese Academy of Sciences, China); Jian Zhang (Institute of Software at Chinese Academy of Sciences, China)
08:11 | 19m | Talk | Conversations on Mobile 2 | Paper Presentations | Jun Gao (University of Luxembourg, Luxembourg); Li Li (Monash University, Australia); Linjie Pan (Institute of Software at Chinese Academy of Sciences, China); Yutian Tang (ShanghaiTech University); Zamira Kholmatova (Innopolis University, Russia); M: David Lo (Singapore Management University)