LifeafterAppUninstallation:AretheDataStillAlive?DataResidueAttacksonAndroid
XiaoZhang,Kailiang Ying,Yousra Aafer,Zhenshen Qiu,andWenliang Du
AppLife
Installation Interaction Uninstallation
But,whatif…
ArethereanydataleftafterapplicationuninstallationonAndroid?
Android App UninstallationWindows Residue
InDetails
Installation Interaction Uninstallation
ArethedatastillaliveafterapplicationuninstallationonAndroid?
AppXYZ (UID=10050)
/data/data/com.XYZ
/Android/data/com.XYZ
account.db |settings.db |packages.xml …
<10050,perms>|Clip data| token …
sharedfiles
/Android/data/com.XYZ
account.db |settings.db |packages.xml …
<10050,perms>|Clip data| token…
sharedfiles
AppXYZ (UID=10050)
/data/data/com.XYZ
FRAMEWORK
AppXYZ (UID=10050)
/data/data/com.XYZ
/Android/data/com.XYZ
/data/system/|/system/|/sys/|…
<10050,perms>
APPLICATION
SDCard
Whatcangowrong?
ArethedatastillaliveinAndroidsystemservicesafterapplicationuninstallation?
Methodology
ProtectionExamination Exploit
AttemptsDamage
Measurement
AttackDesignSystem Service
CollectionCandidateDatabase
ResidueInstances
FilteringManualAnalysis
Data Residue Harvest Damage Evaluation
Feedback
CandidateService
Savingdatatofiles,databases?Or
Savingdatainmemory?
Datacleanup(flaw)?
DataResidue
Yes
No
Vulnerabilityexploits
Findings
• 7securityvulnerabilitiesacknowledgedbyGooglewithMediumpriority
SampleExploits- I• CredentialStealing
SampleExploits- II• SettingsImpersonating
Android Framework
SpellCheckerModule
SampleExploits- II• SettingsImpersonating
Android Framework
Spell Checker Module
EvenMore…
Detailsareavailableat:https://sites.google.com/site/droidnotsecure/
Evaluation
• 2,373apps• 10devices
• 8Androidversions• 3playstores
FundamentalCauses
• DataResidueInstances<->MandatoryDesignPrincipleinBackend
• Exploits<->Signature-basedFrontend
Limitation• ManualAnalysis
• StaticAnalysis– AppLevel– Intelligence
• DynamicAnalysis– AppLevel– ExploitConditions
privateclass TextServicesMonitor extendsPackageMonitor {@OverridepublicvoidonSomePackagesChanged() {synchronized(mSpellCheckerMap){buildSpellCheckerMapLocked(mContext, mSpellCheckerList,
mSpellCheckerMap);//TODO:UpdateforeachlocaleSpellCheckerInfo sci =getCurrentSpellChecker(null);if(sci ==null) return;finalStringpackageName =sci.getPackageName();finalint change=isPackageDisappearing(packageName);if(//Packagedisappearing
change==PACKAGE_PERMANENT_CHANGE||change==PACKAGE_TEMPORARY_CHANGE
//Packagemodified||isPackageModified(packageName)) {
sci=findAvailSpellCheckerLocked(null, packageName);if(sci !=null) {setCurrentSpellCheckerLocked(sci.getId());
}}
}}
}
Conclusion
• DataResidueVulnerability• SystematicStudy• ComprehensiveEvaluation
• Triggermoreresearchefforts
Questions?
[email protected]://sites.google.com/site/droidnotsecure/