Looking Back! Using Early Versions of Android Apps as Attack Vectors

Abstract

Android platform is gaining explosive popularity. This leads developers to invest resources to maintain the upward trajectory of the demand. Unfortunately, as the profit potential grows higher, the chances of these Apps getting attacked also get higher. Therefore, developers improved the security of their Apps, which limits attackers ability to compromise upgraded versions of the Apps. However, developers cannot enhance the security of earlier versions that have been released on the Play Store. The earlier versions of the App can be subject to reverse engineering and other attacks. In this paper, we find that attackers can use these earlier versions as attack vectors, which threatens well protected upgraded versions. We show how to attack the upgraded versions of some popular Apps, including Facebook, Sina Weibo and Qihoo360-Cloud-Driven by analyzing the vulnerabilities existing in their earlier versions. We design and implement a tool named DroidSkynet to analyze and find out vulnerable apps from the Play Store. Among 1,500 mainstream Apps collected from the real world, our DroidSkynet indicates the success rate of attacking an App using an earlier version is 34 percent. We also explore possible mitigation solutions to achieve a balance between utility and security of the App update process.