Do not let Next-Intent Vulnerability be your next nightmare: type system-based approach to detect it in Android apps

Abstract

Android is currently the most widespread operating system (OS) worldwide, but also the most prone to attacks. Despite the challenges faced by Industry and Academia to improve the Android OS security, it still has several vulnerabilities. Among those, the severity of the Next-Intent Vulnerability (NIV) can be immediately grasped. Android apps are made of components, which by default are private and cannot be targeted by other apps on the same phone. However, NIV allows any app to access the private components of a different app, eventually generating a crash or stealing sensitive data. NIV occurs when there is a chain of calls among different components based on the Intent messaging model and there is no control over the reliability of the first component triggering the call. NIV was first detected in 2013, but it is still an open issue. In this paper, we present Next-Intent Vulnerability Detector ( $$\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}$$ ), a novel approach to detect NIV in Android apps by relying on type systems. $$\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}$$ applies the inference rules of its type system to the app execution paths containing a sequence of calls to three NIV-related Android APIs. Compared to the state-of-the-art, $$\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}$$ is faster and more efficient, without losing precision in detecting NIV. Finally, through $$\mathcal {N}\hbox {I}\mathcal {V}\hbox {D}$$ Google Photos was found to be vulnerable, and we disclosed the finding on the Google official bug report website (issue number 124342801).