Title :
Systematic Analysis and Detection of Misconfiguration Vulnerabilities in Android Smartphones
Author :
Zhihui Han ; Liang Cheng ; Yang Zhang ; Shuke Zeng ; Yi Deng ; Xiaoshan Sun
Author_Institution :
Trusted Comput. & Inf. Assurance Lab., Inst. of Software, Beijing, China
Abstract :
Android is a modern and popular software platform for smart phones. To manage information and features on smart phones, Android employs an intent-based mechanism for inter-application and intra-application communication and provides a permission-based security model that requires each application to explicitly request permissions in its manifest file. However, misconfigurations defined in manifest files and those embedded in application code may result in vulnerabilities due to developer confusion and general misuse of the features provided by Android. In this paper, we propose a logic-programming-based approach to analyze smart phones and discover misconfiguration vulnerabilities in Android manifest files and application code. To enable misconfiguration vulnerability analysis and detection, we develop a static technique to extract security-related information from application code, and employ logic predicates to describe various vulnerabilities. Based on this approach, we developed a tool called SADroid to systematically analyze and detect misconfiguration vulnerabilities in Android smart phones. Our results with two representative phones show that the inherent weakness of the Android permission model and developers' programming errors make Android vulnerable to some attacks.
Keywords :
logic programming; security of data; smart phones; Android manifest file; Android permission model; Android smartphones; SADroid; application code; intent-based mechanism; interapplication communication; intraapplication communication; logic predicates; logic-programming-based approach; misconfiguration vulnerability; misconfiguration vulnerability detection; permission-based security model; static technique; systematic analysis; Analytical models; Google; Java; Prototypes; Receivers; Security; Smart phones; Android smartphone; logic programming; misconfiguration vulnerability; static analysis
Conference_Title :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on
Conference_Location :
Beijing
DOI :
10.1109/TrustCom.2014.56