Annual Computer Security Applications Conference (ACSAC) 2012
Analysis of the Communication between
Colluding Applications on Modern
Claudio Marforio1, Hubert Ritzdorf1, Aurélien Francillon2,
Srdjan Capkun1
of Information Security, ETH Zurich
2Networking and Security Group, Eurecom
10/29/2012, Seminar @ ADLab, NCU
• Introduction
• Channels Classification
• Channels
  • Overt Channels in Android
  • Covert Channels in Android
  • Communication Channel with External Agents
• Results of the Analysis
• Existing Tools
  • TaintDroid
  • XManDroid
• Mitigation Techniques
• Conclusion
Introduction
• Permission-based security models
  • Assumption: apps can be independently restricted in accessing
    resources and then safely composed on a single platform
• Collusion attacks
  • SoundComber
• This paper…
  • demonstrates the practicality of application collusion attacks on
  • measures the throughput of these attacks
  • confirms that TaintDroid and XManDroid still fail to detect several of
    the implemented channels
  • proposes countermeasures which limit the throughput
Channels Classification
• Application
  • API: Android’s Java API, Windows Phone 7 C# / Silverlight APIs,
    iOS’s Objective-C API
• OS
  • Native calls
• Hardware
  • Exploiting hardware functionalities
Overt Channels in Android
• Shared Preferences (Application)
  • The sink app uses an API to create an Android preference XML file
    • World-readable and world-writable
  • The source app writes ASCII data to it
• Internal Storage (Application)
  • The source app writes a world-readable file to the internal storage
  • The sink app reads it
• External Storage (Application)
• Broadcast Intents (Application)
  • The source app adds private data as extra payload to a broadcast
  • The sink app registers itself to receive the message
• System Log (Application)
  • The source writes a specially-crafted message to the system log
  • The sink reads it to extract the information
  • 4000-character limit
• UNIX Socket Communication (OS)
  • The source sends the data through a UNIX socket that the sink app
Covert Channels in Android
• Single and Multiple Settings (Application)
  • The source modifies a general setting on the phone and the sink
    reads it
    • SoundComber
  • Multiple settings can be changed at the same time to achieve
    higher throughput
  • Most settings can be changed without permissions
• Type of Intents (Application)
  • The source sends a broadcast message to the sink and encodes
    the data into the type of the intent
    • Flags, action, particular extra data
• Automatic Intents (Application/OS)
  • The source modifies particular settings that trigger automatic
    broadcasts by the system to registered apps
    • The vibration setting in SoundComber
    • Ex: vibration on = 1; vibration off = 0
• Threads Enumeration (OS)
  • The source spawns a number of threads and the sink reads how
    many threads are currently active for the source app
    • /proc filesystem
• UNIX Socket Discovery (OS)
  • The source uses 2 sockets, a synchronization socket and a
    communication socket
  • The sink checks if the source communication socket is open, and
    infers the transferred bit
  • The synchronization socket is open if the communication socket
    can be checked
• Free Space on Filesystem (OS)
  • The source app writes or deletes data on the disk to encode the
    • Ex: the source allocates 3 blocks to encode a ‘1’ and clears 3 blocks to
      encode a ‘0’
  • The sink checks the available blocks at predefined time intervals
    • 75ms for Nexus One; 100ms for Galaxy S
  • Bit-error percentages
    • 0.01% (Nexus One)
    • 0.03% (Galaxy S)
• Reading /proc/stat (OS)
  • The source app performs some computations, while the sink
    monitors the processor usage statistics
• Timing Channel (Hardware)
  • The source runs CPU-intensive tasks to send bit ‘1’
  • The sink continuously runs computation-intensive operations and
    records the time required to complete them
  • An initial learning period is used to benchmark the system behavior
  • Majority vote (out of 5) to eliminate noise
  • Transmitting time interval: 6ms (Nexus One)
  • Bit-error percentages
    • 0.10% (Nexus One)
    • 0.05% (Galaxy S)
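As an added illustration (not code from the paper or the speaker), this Python model shows the sink side of the timing channel described above: a learning period sets the idle benchmark, then each bit is recovered from five samples by majority vote. The completion times and the threshold rule (idle mean plus observed jitter) are constructed assumptions; the last function quantifies why a 5-sample vote suppresses single-sample noise, which the slides state but do not derive.

```python
from math import comb

VOTES_PER_BIT = 5  # majority vote out of 5 samples, as in the paper

# Constructed sample data (not measurements from the paper): completion
# times in ms of the sink's fixed workload, first while the source is idle
# (learning period), then while the source signals the bits 1, 0, 1.
LEARNING_MS = [6.0, 6.1, 5.9, 6.0, 6.2, 5.8, 6.0, 6.1, 5.9, 6.0]
TRANSMISSION_MS = [
    9.1, 8.7, 6.1, 9.0, 8.8,   # bit 1: one noisy sample looks idle
    6.0, 6.1, 9.2, 5.9, 6.0,   # bit 0: one noisy sample looks busy
    8.9, 9.3, 9.0, 6.2, 8.5,   # bit 1: one noisy sample looks idle
]


def threshold_from_learning(idle_ms):
    """Benchmark the idle system: mean completion time plus its observed jitter
    (assumed decision rule; the paper does not specify one)."""
    mean = sum(idle_ms) / len(idle_ms)
    jitter = max(idle_ms) - min(idle_ms)
    return mean + jitter


def decode_bits(samples_ms, threshold, votes=VOTES_PER_BIT):
    """Turn each group of `votes` samples into one bit by majority vote."""
    bits = []
    for i in range(0, len(samples_ms) - votes + 1, votes):
        busy = sum(1 for t in samples_ms[i:i + votes] if t > threshold)
        bits.append(1 if 2 * busy > votes else 0)
    return bits


def majority_vote_error(p, votes=VOTES_PER_BIT):
    """Probability that the majority of `votes` samples is wrong when each
    sample is misclassified independently with probability p."""
    return sum(comb(votes, k) * p ** k * (1 - p) ** (votes - k)
               for k in range(votes // 2 + 1, votes + 1))


def run_demo():
    """Decode the constructed transmission; returns (threshold, bits)."""
    threshold = threshold_from_learning(LEARNING_MS)
    return threshold, decode_bits(TRANSMISSION_MS, threshold)


if __name__ == "__main__":
    thr, bits = run_demo()
    print(f"threshold {thr:.2f} ms, decoded bits {bits}")
    for p in (0.05, 0.10, 0.20):
        print(f"per-sample error {p:.0%} -> per-bit error {majority_vote_error(p):.4%}")
```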
• Processor Frequency (Hardware)
  • Similar to the Timing Channel
  • Improves the throughput and reduces the synchronization time
    • Dynamic Frequency Scaling
  • Source: the same as in the case of the Timing Channel
  • The sink monitors the trend of the processor frequency and
    decodes the current bit
  • Afterward, the source waits for the CPU to “slow down” before the
    next transmission
  • Bit-error percentages
    • 0.14% (Nexus One)
    • 4.67% (Galaxy S)
Communication Channel with External Agents
• Similar to the Processor Frequency covert channel
  • The source either tries to increase the processor frequency or
  • The sink measures how many dummy RC4 operations it can
    perform in a fixed time period
• 1.29 bps (Nexus One)
Results of the Analysis
• Low throughput:
  • Timing Channel (3.70 bps)
    • GPS coordinates: 19.4 sec
    • 135-byte contacts: 304.9 sec
  • Processor Frequency (4.88 bps)
    • GPS coordinates: 14.8 sec
    • 135-byte contacts: 231.1 sec
• High throughput:
  • Type of Intents or UNIX Socket Discovery
    • Less than a second
Existing Tools: TaintDroid
• Overt Channels
  • Internal Storage and Broadcast Intents … ok
  • External Storage
    • The external storage uses the FAT filesystem without extended attributes
  • Shared Preferences
  • System Log
    • TaintDroid is currently not capable of extending tagging to native code
• Removing the taint from tainted variables
  • n-way Switch Statement: 27.65 Mbps
  • Java Exception Handling: 107.42 kbps
  • File-based: 680 bps
  • Timing-based: 98 bps
Existing Tools: XManDroid
• Policy enforcement
  • Modifying the Android reference monitor to check for
    • direct IPC calls at runtime
    • indirect communication through Android system components
• The prototype successfully detected all Overt Channels
  • except the System Log channel
    • XManDroid would be able to detect the System Log channel
• Covert Channels
  • Type of Intents and UNIX Socket Discovery … ok
  • Reading /proc/stat and Threads Enumeration … ok
  • Free Space on Filesystem, Processor Frequency, and Timing
Mitigation Techniques
• General Purpose Techniques
  • User control on private data access
  • Limiting APIs
  • Limiting Multitasking
  • Application Review
  • Policy-Based Installation Strategy
• Application-Level Channels
• Operating-System-Level Channels
• Hardware-Level Channels
Conclusion
• Collusion attacks against permission-based
  mechanisms are a serious threat
• Covert channels with low throughput are sufficient to leak
  private data
• Current tools do not provide a complete solution