Project Publications
LOCARD related articles have been published in high-rated journals and presented in top conferences. The following list depicts all articles published and presented from the beginning of the project.

Do not let Next-Intent Vulnerability be your next nightmare: type system-based approach to detect it in Android apps

Abstract:

Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the challenges faced by Industry and Academia to improve the Android OS security, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector (NIVD), a novel approach to detect NIV in Android apps by relying on type systems. NIVD applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state-of-the-art, NIVD is faster and more efficient, without losing precision in detecting NIV. Finally, through NIVD Google Photos was found to be vulnerable, and we disclosed the finding on the Google official bug report website (issue number 124342801).


Authors: Mohamed A. El-Zawawy; Eleonora Losiouk; Mauro Conti.

Journal: International Journal of Information Security.

Date of Publication: 6 March, 2020.

Publisher:: Springer.

Join the community
Follow us and stay connected and updated.
Slider
EU flag Copyright © 2020 LOCARD. All rights reserved. This project has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement nº 832735. This project reflects only the author’s view and the Commission is not responsible for any use that may be made of the information it contains.