Probably because it was the No. 1 operating system on the mobile device market in 2013, Android also accounted for almost all of the mobile malware that year. Android apps suffer from common vulnerabilities such as activity hijacking and sensitive information leaks. These vulnerabilities have led a team of Carnegie Mellon University researchers to develop two secure coding tools for analyzing Android apps.
The first tool, known as DidFail (or Droid Intent Data Flow Analysis for Information Leakage), addresses sensitive information leaks. The flow analyzer tracks both inter- and intra-component data flows.
According to DidFail’s website, the analysis takes place in the following two phases:
1. Given a set of applications, it first determines data flows enabled individually by each application, and the conditions under which these are possible.
2. It then builds on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole.
“Our tool enables users and organizations to be very secure about the set of apps they allow to be installed together while also enabling them to install the greatest number of apps that abide by their security policy,” according to CMU’s Software Engineering Institute’s blog.
DidFail is available for free along with a test suite of apps to demonstrate its functionality. Researchers cautioned that the tool may produce false positives, and it only works on Android intents. The researchers plan on addressing these limitations eventually.
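The two-phase idea can be shown with a small model, added here as an example and not DidFail's own code: phase-1 results are supplied as constructed per-app (source, sink) pairs, and phase 2 chains them through matching intents to list flows the app set enables as a whole. The app names, action strings, and source/sink labels are hypothetical.

```python
from collections import defaultdict

# Constructed phase-1 output: flows each app enables on its own.
# "Intent(<action>)" as a sink means the app sends that intent;
# as a source it means the app receives it. All names are hypothetical.
PHASE1 = {
    "LocationApp": [("GPS", "Intent(com.example.SHARE)")],
    "RelayApp": [("Intent(com.example.SHARE)", "Intent(com.example.UPLOAD)")],
    "UploaderApp": [("Intent(com.example.UPLOAD)", "Network"),
                    ("Contacts", "Log")],
}
SOURCES = {"GPS", "Contacts"}   # sensitive sources named by the policy
SINKS = {"Network", "Log"}      # sinks where data leaves the apps

def is_intent(node):
    return node.startswith("Intent(")

def compose(phase1):
    """Phase 2: enumerate source-to-sink flows across the whole app set."""
    # Index every (receiving app, next endpoint) by the intent it receives.
    receivers = defaultdict(list)
    for app, flows in phase1.items():
        for src, dst in flows:
            if is_intent(src):
                receivers[src].append((app, dst))

    found = set()

    def walk(origin, dst, apps, seen):
        if dst in SINKS:
            found.add((origin, dst, apps))
        elif is_intent(dst):
            # Matching on the action string alone over-approximates, so this
            # model can report flows that cannot occur at run time.
            for app, nxt in receivers[dst]:
                hop = (app, dst, nxt)
                if hop not in seen:  # do not loop on intent cycles
                    walk(origin, nxt, apps + (app,), seen | {hop})

    for app, flows in phase1.items():
        for src, dst in flows:
            if src in SOURCES:
                walk(src, dst, (app,), frozenset())
    return sorted(found)

if __name__ == "__main__":
    for source, sink, apps in compose(PHASE1):
        print(f"{source} -> {sink} via {' -> '.join(apps)}")
```

Removing `RelayApp` from the input removes the GPS-to-Network flow, which is the kind of "installed together" decision the analysis is meant to support.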
The second tool addresses activity hijacking. Activity hijacking attacks can happen when a user interacts with a malicious app. This type of attack can cause the leakage of sensitive data or the loss of secure control of the app.
CMU’s activity hijacking vulnerability detection tool is meant to:
1. Find likely violations of secure coding rules.
2. Produce a list of the different types of intents the app registers to receive.
3. Produce a list of program sites (source code or bytecode locations) that send intents, along with the action string and target class if known.
The activity-hijacking tool is not yet ready for public consumption, being made available only to a limited audience.