Abstract
In this work, we use static program analysis to conduct a systematic study of IntentService, one of the async constructs provided by Android, and find that 974 intents in Android 6 can be sent by third-party applications without protection. Based on this observation, we develop a tool, ATUIN, to demonstrate the feasibility of attacking a CPU automatically by exploiting the intents that can be handled by an Android system. Furthermore, by investigating the unprotected intents, we discover tens of critical vulnerabilities that have not been reported before, including Wi-Fi DoS, telephone signal blocking, SIM card removal, homescreen hiding, and NFC state cheating. Our study sheds light on research into protecting asynchronous programming from being exploited by hackers.
Original language | English |
---|---|
Pages (from-to) | 1-26 |
Number of pages | 26 |
Journal | Software Quality Journal |
DOIs | |
Publication status | Accepted/In press - 31 May 2017 |
Keywords
- Android
- Asynchronous programming
- Homescreen hiding
- IntentService
- NFC state cheating
- SIM card removal
- System-level attacks
- Telephone signal block
- Wi-Fi DoS
ASJC Scopus subject areas
- Software
- Safety, Risk, Reliability and Quality