AppChainer: investigating the chainability among payloads in android applications

Abstract

Statistics show that more than 80 applications are installed on each android smartphone. Vulnerability research on Android applications is of critical importance. Recently, academic researchers mainly focus on single bug patterns, while few of them investigate the relations between multiple bugs. Industrial researchers proposed a series of logic exploit chains leveraging multiple logic bugs. However, there is no general model to evaluate the chaining abilities between bugs. This paper presents a formal model to elucidate the relations between multiple bugs in Android applications. To prove the effectiveness of the model, we design and implement a prototype system named AppChainer. AppChainer automatically identifies attack surfaces of Android applications and investigates whether the payloads entering these attack surfaces are “chainable”. Experimental results on 2138 popular Android applications show that AppChainer is effective in identifying and chaining attacker-controllable payloads. It identifies 14467 chainable payloads and constructs 5458 chains both inside a single application and among various applications. The time cost and resource consumption of AppChainer are also acceptable. For each application, the average analysis time is 317 s, and the average memory consumed is 2368 MB. Compared with the most relevant work Jandroid, the experiment results on our custom DroidChainBench show that AppChainer outperforms Jandroid at the precision rate and performs equally with Jandroid at the recall rate.