Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android
Xiao Zhang, Kailiang Ying, Yousra Aafer, Zhenshen Qiu, and Wenliang Du

App Life: Installation -> Interaction -> Uninstallation

But, what if …
(Windows residue after uninstallation; Android app uninstallation.) Are there any data left after application uninstallation on Android?
In Details (diagram: App XYZ, UID = 10050, followed through installation, interaction and uninstallation)
• APPLICATION layer: /data/data/com.XYZ; <10050, perms>; clip data; token …
• FRAMEWORK layer: /data/system/, /system/, /sys/ …; account.db, settings.db, packages.xml …
• SDCard: /Android/data/com.XYZ; shared files
Are the data still alive after application uninstallation on Android?
What can go wrong? Are the data still alive in Android system services after application uninstallation?
Methodology (workflow diagram; stages recovered from the slide)
• Collection: System Service Collection -> Candidate Database -> Residue Instances Measurement -> Data Residue Harvest -> Damage Evaluation
• Filtering: Saving data to files, databases? Or saving data in memory? -> Candidate Service
• Manual Examination: Data cleanup (flaw)? -> Yes: Vulnerability / No: no residue
• Attack Design -> Exploit Attempts -> Damage; Feedback; Protection Analysis

Findings
• 7 security vulnerabilities acknowledged by Google with Medium priority
Sample Exploits - I • Credential Stealing
Sample Exploits - II • Settings Impersonating (Spell Checker Module, Android Framework)
Even More … Details are available at: https://sites.google.com/site/droidnotsecure/
Evaluation
• 8 Android versions
• 2,373 apps
• 3 play stores
• 10 devices

Fundamental Causes
• Data Residue Instances <-> Mandatory Design Principle in Backend
• Exploits <-> Signature-based Frontend
Limitation
• Manual Analysis
• Static Analysis
  – App Level
  – Intelligence
• Dynamic Analysis
  – App Level
  – Exploit Conditions

Code shown on the slide (Android framework package monitor for the spell checker module):

    private class TextServicesMonitor extends PackageMonitor {
        @Override
        public void onSomePackagesChanged() {
            synchronized (mSpellCheckerMap) {
                buildSpellCheckerMapLocked(mContext, mSpellCheckerList, mSpellCheckerMap);
                // TODO: Update for each locale
                SpellCheckerInfo sci = getCurrentSpellChecker(null);
                if (sci == null) return;
                final String packageName = sci.getPackageName();
                final int change = isPackageDisappearing(packageName);
                if (// Package disappearing
                        change == PACKAGE_PERMANENT_CHANGE
                        || change == PACKAGE_TEMPORARY_CHANGE
                        // Package modified
                        || isPackageModified(packageName)) {
                    sci = findAvailSpellCheckerLocked(null, packageName);
                    if (sci != null) {
                        setCurrentSpellCheckerLocked(sci.getId());
                    }
                    // no replacement found: the current-checker setting is left as it was
                }
            }
        }
    }
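To make the package-removal path of that listing concrete, here is an added Python model written for this page (not the paper's code and not Android framework code). It assumes a settings store keyed by `selected_spell_checker` (the Settings.Secure key name) and constructed package ids, contrasts the listing's behaviour, where finding no replacement checker leaves the stale id in settings, with a variant that clears it, and includes a residue check a defender can run against the model.

```python
# Constructed model of the slide's TextServicesMonitor logic (not Android code).
PACKAGE_UNCHANGED, PACKAGE_PERMANENT_CHANGE = 0, 1   # names follow PackageMonitor
SELECTED = "selected_spell_checker"  # Settings.Secure key for the current checker

class SpellCheckerService:
    """Installed spell checkers plus the persisted 'current checker' setting."""
    def __init__(self, clear_on_removal=False):
        self.installed = {}      # package name -> SpellCheckerInfo id (constructed)
        self.settings = {}       # models the framework's settings database
        self.clear_on_removal = clear_on_removal   # hardened variant when True
    def install(self, package, checker_id):
        self.installed[package] = checker_id
    def set_current_spell_checker(self, checker_id):
        self.settings[SELECTED] = checker_id
    def get_current_spell_checker(self):
        return self.settings.get(SELECTED)
    def find_avail_spell_checker(self, removed_package):
        # any remaining checker from another package, else None
        return next((cid for pkg, cid in self.installed.items()
                     if pkg != removed_package), None)
    def uninstall(self, package):
        self.installed.pop(package, None)
        self.on_some_packages_changed(package)
    def on_some_packages_changed(self, removed_package):
        sci = self.get_current_spell_checker()
        if sci is None:
            return
        package_name = sci.split("/")[0]          # id has the form "package/.Service"
        change = (PACKAGE_PERMANENT_CHANGE if package_name == removed_package
                  else PACKAGE_UNCHANGED)
        if change == PACKAGE_PERMANENT_CHANGE:
            sci = self.find_avail_spell_checker(package_name)
            if sci is not None:
                self.set_current_spell_checker(sci)
            elif self.clear_on_removal:
                del self.settings[SELECTED]       # fix: drop the stale id
            # original listing has no else branch: the stale id stays in settings

def has_residue(service):
    """Detection check: the selected id names a package that is not installed."""
    sci = service.get_current_spell_checker()
    return sci is not None and sci.split("/")[0] not in service.installed

def residue_after_uninstall(clear_on_removal):
    svc = SpellCheckerService(clear_on_removal)
    svc.install("com.example.checker", "com.example.checker/.CheckerService")
    svc.set_current_spell_checker("com.example.checker/.CheckerService")
    svc.uninstall("com.example.checker")          # the only checker goes away
    return svc.get_current_spell_checker(), has_residue(svc)
```

With the listing's behaviour the uninstalled package's id survives in settings, which is the residue the slide's "Settings Impersonating" exploit builds on; the cleared variant leaves nothing behind.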
Conclusion • Data Residue Vulnerability • Systematic Study • Comprehensive Evaluation • Trigger more research efforts
Questions? xzhang35@syr.edu https://sites.google.com/site/droidnotsecure/