Annual Computer Security Applications Conference 2015

Towards Analyzing the Input Validation Vulnerabilities associated with Android System Services

Although input validation vulnerabilities play a critical role in web application security, they have so far been largely neglected in the Android security research community.
We found that, because of the unique Framework Code layer, Android devices need input validation vulnerability analysis specific to system services.
In this work, we take the first steps to analyze Android-specific input validation vulnerabilities.
In particular, (a) we take the first steps towards measuring the corresponding attack surface and reporting the current input validation status of Android system services, and
(b) we developed a new input validation vulnerability scanner for Android devices.
This tool fuzzes all the Android system services by sending them requests with malformed arguments.
Through a comprehensive evaluation of the Android system, covering over 90 system services and over 1,900 system service methods, we identified 16 vulnerabilities in Android system services.
We have reported all the issues to Google and Google has confirmed them.

Author(s):

Chen Cao    
Institute of Information Engineering, CAS
China

Neng Gao    
Institute of Information Engineering, CAS
China

Peng Liu    
The Pennsylvania State University
United States

Ji Xiang    
Institute of Information Engineering, CAS
China

 
