Resource Race Attacks on Android

Yan Cai; Yutian Tang; Haicheng Li; Le Yu; Hao Zhou; Xiapu Luo; Liang He; Purui Su

doi:10.1109/SANER48275.2020.9054863

Resource Race Attacks on Android

Yan Cai, Yutian Tang, Haicheng Li, Le Yu, Hao Zhou, Xiapu Luo, Liang He, Purui Su

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

8 Citations (Scopus)

Abstract

Smartphones are frequently involved in accessing private user data. Although many studies have been done to prevent malicious apps from leaking private user data, only a few recent works examine how to remove the sensitive information from the data collected by smartphone hardware resources (e.g., camera). Unfortunately, none of them investigates whether a malicious app can obtain such sensitive information when (or right before/after) a legitimate app collects such data (e.g., taking photos). To fill in the gap, in this paper, we model such attacks as the Resource Race Attack (RRAttack) based on races between two apps during their requests to exclusive resources to access sensitive information. RRAttacks have three categories according to when a race on requesting resources occurs: Pre-Use, In-Use, and Post-Use attacks. We further conduct the first systematic study on the feasibility of launching the RRAttacks on two heavily used exclusive Android resources: camera and touchscreen. In details, we perform Proof-of-Concept (PoC) attacks to reveal that, (a) camera is highly vulnerable to both In-Use and Post-Use attacks; and (b) touchscreen is vulnerable to Pre-Use attacks. Particularly, we demonstrate successful RRAttacks on them to steal private information, to cause financial loss, and to steal user passwords from Android 6 to the latest Android Q. Moreover, our analyses on 1,000 apps indicate that most of them are vulnerable to one to three RRAttacks. Finally, we propose a set of defense strategies against RRAttacks for user apps, system apps, and Android system itself.

Original language	English
Title of host publication	SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering
Editors	Kostas Kontogiannis, Foutse Khomh, Alexander Chatzigeorgiou, Marios-Eleftherios Fokaefs, Minghui Zhou
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	47-58
Number of pages	12
ISBN (Electronic)	9781728151434
DOIs	https://doi.org/10.1109/SANER48275.2020.9054863
Publication status	Published - Feb 2020
Event	27th IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2020 - London, Canada Duration: 18 Feb 2020 → 21 Feb 2020

Publication series

Name	SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering

Conference

Conference	27th IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2020
Country/Territory	Canada
City	London
Period	18/02/20 → 21/02/20

Keywords

Android Privacy
Camera
Resource Race
Touchscreen

ASJC Scopus subject areas

Organizational Behavior and Human Resource Management
Hardware and Architecture
Software
Safety, Risk, Reliability and Quality
Computer Networks and Communications

More information

10.1109/SANER48275.2020.9054863

Cite this

Cai, Y., Tang, Y., Li, H., Yu, L., Zhou, H., Luo, X., He, L., & Su, P. (2020). Resource Race Attacks on Android. In K. Kontogiannis, F. Khomh, A. Chatzigeorgiou, M.-E. Fokaefs, & M. Zhou (Eds.), SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering (pp. 47-58). Article 9054863 (SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SANER48275.2020.9054863

Cai, Yan ; Tang, Yutian ; Li, Haicheng et al. / Resource Race Attacks on Android. SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering. editor / Kostas Kontogiannis ; Foutse Khomh ; Alexander Chatzigeorgiou ; Marios-Eleftherios Fokaefs ; Minghui Zhou. Institute of Electrical and Electronics Engineers Inc., 2020. pp. 47-58 (SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering).

@inproceedings{44c1002725764d5b8ae72122e611263d,

title = "Resource Race Attacks on Android",

abstract = "Smartphones are frequently involved in accessing private user data. Although many studies have been done to prevent malicious apps from leaking private user data, only a few recent works examine how to remove the sensitive information from the data collected by smartphone hardware resources (e.g., camera). Unfortunately, none of them investigates whether a malicious app can obtain such sensitive information when (or right before/after) a legitimate app collects such data (e.g., taking photos). To fill in the gap, in this paper, we model such attacks as the Resource Race Attack (RRAttack) based on races between two apps during their requests to exclusive resources to access sensitive information. RRAttacks have three categories according to when a race on requesting resources occurs: Pre-Use, In-Use, and Post-Use attacks. We further conduct the first systematic study on the feasibility of launching the RRAttacks on two heavily used exclusive Android resources: camera and touchscreen. In details, we perform Proof-of-Concept (PoC) attacks to reveal that, (a) camera is highly vulnerable to both In-Use and Post-Use attacks; and (b) touchscreen is vulnerable to Pre-Use attacks. Particularly, we demonstrate successful RRAttacks on them to steal private information, to cause financial loss, and to steal user passwords from Android 6 to the latest Android Q. Moreover, our analyses on 1,000 apps indicate that most of them are vulnerable to one to three RRAttacks. Finally, we propose a set of defense strategies against RRAttacks for user apps, system apps, and Android system itself.",

keywords = "Android Privacy, Camera, Resource Race, Touchscreen",

author = "Yan Cai and Yutian Tang and Haicheng Li and Le Yu and Hao Zhou and Xiapu Luo and Liang He and Purui Su",

year = "2020",

month = feb,

doi = "10.1109/SANER48275.2020.9054863",

language = "English",

series = "SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "47--58",

editor = "Kostas Kontogiannis and Foutse Khomh and Alexander Chatzigeorgiou and Marios-Eleftherios Fokaefs and Minghui Zhou",

booktitle = "SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering",

note = "27th IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2020 ; Conference date: 18-02-2020 Through 21-02-2020",

}

Cai, Y, Tang, Y, Li, H, Yu, L, Zhou, H , Luo, X, He, L & Su, P 2020, Resource Race Attacks on Android. in K Kontogiannis, F Khomh, A Chatzigeorgiou, M-E Fokaefs & M Zhou (eds), SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering., 9054863, SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering, Institute of Electrical and Electronics Engineers Inc., pp. 47-58, 27th IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2020, London, Canada, 18/02/20. https://doi.org/10.1109/SANER48275.2020.9054863

Resource Race Attacks on Android. / Cai, Yan; Tang, Yutian; Li, Haicheng et al.
SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering. ed. / Kostas Kontogiannis; Foutse Khomh; Alexander Chatzigeorgiou; Marios-Eleftherios Fokaefs; Minghui Zhou. Institute of Electrical and Electronics Engineers Inc., 2020. p. 47-58 9054863 (SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering).

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

TY - GEN

T1 - Resource Race Attacks on Android

AU - Cai, Yan

AU - Tang, Yutian

AU - Li, Haicheng

AU - Yu, Le

AU - Zhou, Hao

AU - Luo, Xiapu

AU - He, Liang

AU - Su, Purui

PY - 2020/2

Y1 - 2020/2

N2 - Smartphones are frequently involved in accessing private user data. Although many studies have been done to prevent malicious apps from leaking private user data, only a few recent works examine how to remove the sensitive information from the data collected by smartphone hardware resources (e.g., camera). Unfortunately, none of them investigates whether a malicious app can obtain such sensitive information when (or right before/after) a legitimate app collects such data (e.g., taking photos). To fill in the gap, in this paper, we model such attacks as the Resource Race Attack (RRAttack) based on races between two apps during their requests to exclusive resources to access sensitive information. RRAttacks have three categories according to when a race on requesting resources occurs: Pre-Use, In-Use, and Post-Use attacks. We further conduct the first systematic study on the feasibility of launching the RRAttacks on two heavily used exclusive Android resources: camera and touchscreen. In details, we perform Proof-of-Concept (PoC) attacks to reveal that, (a) camera is highly vulnerable to both In-Use and Post-Use attacks; and (b) touchscreen is vulnerable to Pre-Use attacks. Particularly, we demonstrate successful RRAttacks on them to steal private information, to cause financial loss, and to steal user passwords from Android 6 to the latest Android Q. Moreover, our analyses on 1,000 apps indicate that most of them are vulnerable to one to three RRAttacks. Finally, we propose a set of defense strategies against RRAttacks for user apps, system apps, and Android system itself.

AB - Smartphones are frequently involved in accessing private user data. Although many studies have been done to prevent malicious apps from leaking private user data, only a few recent works examine how to remove the sensitive information from the data collected by smartphone hardware resources (e.g., camera). Unfortunately, none of them investigates whether a malicious app can obtain such sensitive information when (or right before/after) a legitimate app collects such data (e.g., taking photos). To fill in the gap, in this paper, we model such attacks as the Resource Race Attack (RRAttack) based on races between two apps during their requests to exclusive resources to access sensitive information. RRAttacks have three categories according to when a race on requesting resources occurs: Pre-Use, In-Use, and Post-Use attacks. We further conduct the first systematic study on the feasibility of launching the RRAttacks on two heavily used exclusive Android resources: camera and touchscreen. In details, we perform Proof-of-Concept (PoC) attacks to reveal that, (a) camera is highly vulnerable to both In-Use and Post-Use attacks; and (b) touchscreen is vulnerable to Pre-Use attacks. Particularly, we demonstrate successful RRAttacks on them to steal private information, to cause financial loss, and to steal user passwords from Android 6 to the latest Android Q. Moreover, our analyses on 1,000 apps indicate that most of them are vulnerable to one to three RRAttacks. Finally, we propose a set of defense strategies against RRAttacks for user apps, system apps, and Android system itself.

KW - Android Privacy

KW - Camera

KW - Resource Race

KW - Touchscreen

UR - http://www.scopus.com/inward/record.url?scp=85083587656&partnerID=8YFLogxK

U2 - 10.1109/SANER48275.2020.9054863

DO - 10.1109/SANER48275.2020.9054863

M3 - Conference article published in proceeding or book

AN - SCOPUS:85083587656

T3 - SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering

SP - 47

EP - 58

BT - SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering

A2 - Kontogiannis, Kostas

A2 - Khomh, Foutse

A2 - Chatzigeorgiou, Alexander

A2 - Fokaefs, Marios-Eleftherios

A2 - Zhou, Minghui

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 27th IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2020

Y2 - 18 February 2020 through 21 February 2020

ER -

Cai Y, Tang Y, Li H, Yu L, Zhou H , Luo X et al. Resource Race Attacks on Android. In Kontogiannis K, Khomh F, Chatzigeorgiou A, Fokaefs ME, Zhou M, editors, SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering. Institute of Electrical and Electronics Engineers Inc. 2020. p. 47-58. 9054863. (SANER 2020 - Proceedings of the 2020 IEEE 27th International Conference on Software Analysis, Evolution, and Reengineering). doi: 10.1109/SANER48275.2020.9054863

Resource Race Attacks on Android

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

More information

Other files and links

Fingerprint

Cite this