IVDroid: Static detection for input validation vulnerability in Android inter-component communication

Abstract

Input validation vulnerability in Android inter-component communication is a kind of severe vulnerabilities in Android apps. Malicious attacks can exploit the vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at source code level designed for app developers to detect such vulnerabilities. In this paper we propose a novel approach aiming at detecting input validation flaws in Android apps and implement a prototype named IVDroid, which provides practical static analysis of Java source code. IVDroid leverages backward program slicing to abstract application logic from Java source code. On slice level, IVDroid detects flaws of known pattern by security rule matching and detects flaws of unknown pattern by duplicate validation behavior mining. Then IVDroid semi-automatically confirms the suspicious rule violations and report the confirmed ones as vulnerabilities. We evaluate IVDroid on 3 versions of Android spanning from version 2.2 to 4.4.2 and it detects 37 vulnerabilities including confused deputy and denial of service attack. Our results prove that IVDroid can provide a practical defence solution for app developers.