Template-based Android Inter-Process Communication Fuzzing
Anatoli Kalysch, Mark Deutel and Tilo Müller; System Security and Software Protection Group.
Fuzzing is a test method in vulnerability assessments that calls the interfaces of a program in order to find bugs in its input processing. Automatically generated inputs, based on a set of templates and randomness, are sent to a program at a high rate, collecting crashes for later investigation. We apply fuzz testing to the inter-process communication (IPC) on Android in order to find bugs in the mechanisms of how Android apps communicate with each other. The sandboxing principle on Android usually ensures that apps can only communicate to other apps via programmatic interfaces. Unlike traditional operating systems, two Android apps running in the same user context are not able to access the data of each other(security) or quit the other app (safety). Our IPC fuzzer for Android detects the structure of data sent within Intents between apps by disassembling and analyzing an app’s bytecode. It relies on multiple mutation engines for input generation and supports post-mortem analysis for a detailed insight into crashes. We tested 1488 popular apps from the Google Play-Store, enabling us to crash 450 apps with intents that could be sent from any unprivileged app on the same device, thus undermining the safety guarantees given by Android. We show that any installed app on a device could easily crash a series of other apps, effectively rendering them useless. Even worse, we discovered flaws in popular frameworks like Unity, the Google Services API, and the AdjustSDK. Comparing our implementation to previous research shows improvements in the depth and diversity of our detected crashes.