DOI: 10.1145/2810103.2813652

Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations

Published: 12 October 2015 Publication History

Abstract

In this paper, we report the first large-scale, systematic study on the security qualities of emerging push-messaging services, focusing on their app-side service integrations. We identified a set of security properties that different push-messaging services (e.g., Google Cloud Messaging) need to have, and automatically verified them in different integrations using a new technique, called Seminal. Seminal is designed to extract semantic information from a service's sample code, and to leverage that information to evaluate the security qualities of the service's SDKs and its integrations within different apps. Using this tool, we studied 30 leading services around the world, and scanned 35,173 apps. Our findings are astonishing: over 20% of apps in Google Play and 50% of apps in mainstream Chinese app markets are riddled with security-critical loopholes, putting a huge amount of sensitive user data at risk. Also, our research brought to light new types of security flaws never known before, which can be exploited to cause serious confusion among popular apps and services (e.g., Facebook, Skype, Yelp, Baidu Push). Taking advantage of such confusion, the adversary can post his content to the victim's apps in the name of trusted parties and intercept her private messages. The study highlights the serious challenges in securing push-messaging services and an urgent need for improving their security qualities.


Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015
1750 pages
ISBN:9781450338325
DOI:10.1145/2810103
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. android security
  2. mobile cloud security
  3. mobile push-messaging services
  4. security analysis

Qualifiers

  • Research-article

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
Overall Acceptance Rate 1,234 of 6,846 submissions, 18%

Article Metrics

  • Downloads (Last 12 months): 19
  • Downloads (Last 6 weeks): 6
Reflects downloads up to 13 Dec 2024

Cited By

  • (2024) “You Received $100,000 From Johnny”: A Mixed-Methods Study on Push Notification Security and Privacy in Android Apps. IEEE Access 12, 112499-112516. DOI: 10.1109/ACCESS.2024.3439095. Online publication date: 2024.
  • (2023) Devils in Your Apps: Vulnerabilities and User Privacy Exposure in Mobile Notification Systems. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 28-41. DOI: 10.1109/DSN58367.2023.00017. Online publication date: Jun-2023.
  • (2021) Bicycle attacks considered harmful. Computers and Security 100:C. DOI: 10.1016/j.cose.2020.102068. Online publication date: 1-Jan-2021.
  • (2019) DaPanda. Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering, 66-78. DOI: 10.1109/ASE.2019.00017. Online publication date: 10-Nov-2019.
  • (2018) Security Analysis and Verification of the Game Library. Computer Science and Application 08:08, 1277-1291. DOI: 10.12677/CSA.2018.88138. Online publication date: 2018.
  • (2017) Unleashing the Walking Dead. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 829-844. DOI: 10.1145/3133956.3134021. Online publication date: 30-Oct-2017.
  • (2016) Detecting Misuse of Google Cloud Messaging in Android Badware. Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, 103-112. DOI: 10.1145/2994459.2994469. Online publication date: 24-Oct-2016.
