DOI: 10.1145/3548606.3560607 (research article, public access)

Detecting and Measuring Misconfigured Manifests in Android Apps

Published: 07 November 2022

Abstract

The manifest file of an Android app is crucial for app security as it declares sensitive app configurations, such as access permissions required to access app components. Surprisingly, we noticed a number of widely-used apps (some with over 500 million downloads) containing misconfigurations in their manifest files that can result in severe security issues. This paper presents ManiScope, a tool to automatically detect misconfigurations of manifest files when given an Android APK. The key idea is to build a manifest XML Schema by extracting ManiScope constraints from the manifest documentation with novel domain-aware NLP techniques and rules, and validate manifest files against the schema to detect misconfigurations. We have implemented ManiScope, with which we have identified 609,428 (33.20%) misconfigured Android apps out of 1,853,862 apps from Google Play, and 246,658 (35.64%) misconfigured ones out of 692,106 pre-installed apps from 4,580 Samsung firmwares, respectively. Among them, 84,117 (13.80%) of misconfigured Google Play apps and 56,611 (22.95%) of misconfigured pre-installed apps have various security implications including app defrauding, message spoofing, secret data leakage, and component hijacking.
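The abstract describes the validation half of the approach: a manifest is checked against constraints drawn from the Android manifest documentation, and every violation is a candidate misconfiguration. The Python example below is added here and is not ManiScope's code or schema. It stands in for the paper's automatically extracted XML Schema with a hand-written rule table (an assumption, encoding a few constraints from the public documentation, such as an `<intent-filter>` having to contain at least one `<action>`), and runs it over a constructed manifest with three planted problems. The element lists, the rule set and the sample manifest are all illustrative; a production checker would use a full schema and a schema validator instead of a rule table.

```python
"""Check an AndroidManifest.xml against a small, declarative rule table.

Added example, not ManiScope's code. The rule table is an assumption:
it hand-encodes a handful of constraints from the public manifest
documentation instead of the schema the paper extracts automatically.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Child elements a parent may contain (assumed subset of the documented lists).
# The platform parser ignores unknown elements instead of rejecting them, so a
# typo such as <use-permission> silently drops the whole declaration.
ALLOWED_CHILDREN = {
    "manifest": {"application", "uses-permission", "uses-permission-sdk-23",
                 "permission", "permission-group", "permission-tree", "uses-sdk",
                 "uses-feature", "uses-configuration", "supports-screens",
                 "compatible-screens", "supports-gl-texture", "instrumentation",
                 "queries"},
    "application": {"activity", "activity-alias", "service", "receiver",
                    "provider", "meta-data", "uses-library",
                    "uses-native-library", "profileable"},
    "intent-filter": {"action", "category", "data"},
}
# android: attributes an element must declare (assumed subset).
REQUIRED_ATTRS = {
    "activity": ["name"], "service": ["name"], "receiver": ["name"],
    "provider": ["name", "authorities"], "uses-permission": ["name"],
    "permission": ["name"], "action": ["name"], "category": ["name"],
}
# Child elements that must appear at least once.
REQUIRED_CHILDREN = {"intent-filter": ["action"]}
# Attributes restricted to a boolean literal.
BOOLEAN_ATTRS = ("exported", "enabled", "grantUriPermissions")


def validate_manifest(xml_text):
    """Return a list of (location, message) pairs, one per violation found."""
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        return [("/", "root element must be <manifest>, found <%s>" % root.tag)]
    findings = []
    _check(root, "/manifest", findings)
    return findings


def _check(elem, path, findings):
    """Apply every rule to one element, then recurse into its children."""
    for name in REQUIRED_ATTRS.get(elem.tag, []):
        if android_attr(name) not in elem.attrib:
            findings.append((path, "missing required attribute android:%s" % name))
    for name in BOOLEAN_ATTRS:
        value = elem.get(android_attr(name))
        if value is not None and value not in ("true", "false"):
            findings.append((path, "android:%s must be true or false, got %r" % (name, value)))
    present = {child.tag for child in elem}
    for name in REQUIRED_CHILDREN.get(elem.tag, []):
        if name not in present:
            findings.append((path, "<%s> must contain at least one <%s>" % (elem.tag, name)))
    allowed = ALLOWED_CHILDREN.get(elem.tag)
    for index, child in enumerate(elem):
        child_path = "%s/%s[%d]" % (path, child.tag, index)
        if allowed is not None and child.tag not in allowed:
            findings.append((child_path, "unexpected element <%s> under <%s>" % (child.tag, elem.tag)))
        _check(child, child_path, findings)


# Constructed sample with three planted misconfigurations: a misspelled
# <use-permission>, a non-boolean android:exported, and an <intent-filter>
# with no <action>.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <use-permission android:name="android.permission.INTERNET" />
  <application android:label="Constructed sample">
    <activity android:name=".MainActivity" android:exported="yes">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <receiver android:name=".UpdateReceiver" android:exported="false">
      <intent-filter>
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for location, message in validate_manifest(SAMPLE_MANIFEST):
        print("%s: %s" % (location, message))
```

Each finding carries a path with sibling indexes so that a report can point at the exact element in a large manifest. Note that this checks a decoded (plain XML) manifest; an APK ships a binary-encoded AndroidManifest.xml that has to be decoded first.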


Cited By

  • (2024) MLCAC: Dynamic Authorization and Intelligent Decision-making towards Insider Threats. 2024 27th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 407-412. doi:10.1109/CSCWD61410.2024.10580595. Online publication date: 8 May 2024.
  • (2023) Poster: Privacy Risks from Misconfigured Android Content Providers. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3579-3581. doi:10.1145/3576915.3624389. Online publication date: 15 Nov 2023.
  • (2023) "Get in Researchers; We're Measuring Reproducibility": A Reproducibility Study of Machine Learning Papers in Tier 1 Security Conferences. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3433-3459. doi:10.1145/3576915.3623130. Online publication date: 15 Nov 2023.

Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022
3598 pages
ISBN:9781450394505
DOI:10.1145/3548606

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. mobile security
  2. security configuration

Qualifiers

  • Research-article

Conference

CCS '22

Acceptance Rates

Overall Acceptance Rate 1,234 of 6,846 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 312
  • Downloads (last 6 weeks): 36

Reflects downloads up to 13 Dec 2024
