A Tale of Four Gates - Privilege Escalation and Permission Bypasses on Android through App Components
A scientific research paper discussing novel exploits in Android's multi-user feature and background service protection.
Presented by: Abdulla Aldoseri · Prof. David Oswald · Robert Chiper
Abstract
Android apps interact and exchange data with other apps through so-called app components. Previous research has shown that app components can cause application-level vulnerabilities, for example leading to data leakage across apps. Alternatively, apps can (intentionally or accidentally) expose their permissions (e.g. for camera and microphone) to other apps that lack these privileges. This causes a confused deputy situation, where a less privileged app exposes its app components, which use these permissions, to the victim app. While previous research mainly focused on these issues, less attention has been paid to how app components can affect the security and privacy guarantees of the Android OS. In this paper, we demonstrate two such vulnerabilities, affecting recent Android versions. First, we show how app components can be used to leak data from and, in some cases, take full control of other Android user profiles, bypassing the dedicated lock screen. We demonstrate the impact of this vulnerability on major Android vendors (Samsung, Huawei, Google and Xiaomi). Secondly, we found that app components can be abused by spyware to access sensors like the camera and the microphone in the background up to Android 10, bypassing mitigations specifically designed to prevent this behaviour. Using a two-app setup, we find that app components can be invoked stealthily to e.g. periodically take pictures and audio recordings in the background. Finally, we present Four Gates Inspector, our open-source static analysis tool to systematically detect such issues for a large number of apps with complex codebases. Our tool successfully identified exposed component issues in 34 out of 5,783 apps with an average analysis runtime of 4.3 s per app, and detected both known malware samples and unknown samples downloaded from the F-Droid repository. We responsibly disclosed all vulnerabilities presented in this paper to the affected vendors, leading to several CVE records and a currently unresolved high-severity issue in Android 10 and earlier.
Keywords: Android · Application components · Multi-user · Sensors
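As an added illustration of the exposed-component condition the abstract describes (not code from the paper or from Four Gates Inspector, whose analysis is not described on this page), the following Python audit reads a decoded AndroidManifest.xml and lists exported components that no permission protects, alongside the camera and microphone permissions the app holds. The function names, the sample manifest and the simplified export rule (explicit `android:exported`, otherwise the pre-Android 12 intent-filter default) are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def is_exported(comp):
    """Explicit android:exported wins; otherwise assume the pre-Android 12
    default: a component with an intent filter is exported."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return comp.find("intent-filter") is not None

def find_unguarded_components(manifest_xml):
    """Return (sensitive permissions held, [(tag, name)]) for exported
    components with no android:permission on them or on <application>."""
    root = ET.fromstring(manifest_xml)
    held = {p.get(A + "name") for p in root.iter("uses-permission")} & SENSITIVE
    app = root.find("application")
    if app is None:
        return held, []
    app_guard = app.get(A + "permission")  # default guard for every component
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if not (comp.get(A + "permission") or app_guard):
            findings.append((comp.tag, comp.get(A + "name")))
    return held, findings

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.deputy">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".CaptureService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.deputy.CAPTURE"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_unguarded_components(SAMPLE))
```

The launcher activity appears in the result because it must be exported; the output is a triage list for review, and an entry matters most when the component's code actually uses one of the held sensitive permissions.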
Presentation and Demo videos
Presentation video
Access other users' profiles by bypassing multi-user security (Attack demo)
Bypassing camera and mic restriction in the background on Android (Attack demo)
CVE
Cite
@inproceedings{aldoseri2022tale,
title={A Tale of Four Gates: Privilege Escalation and Permission Bypasses on Android Through App Components},
author={Aldoseri, Abdulla and Oswald, David and Chiper, Robert},
booktitle={Computer Security--ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26--30, 2022, Proceedings, Part II},
pages={233--251},
year={2022}
}