Memory Forensics of Insecure Android Inter-app Communications

Mark Vella, Rachel Cilia

2017

Abstract

Android is designed in a way to promote the implementation of user task flows among multiple applications inside mobile devices. Consequently, app permissions may be leaked to malicious apps without users noticing any compromise to their devices’ security. In this work we explore the possibility of detecting insecure inter-app communications inside memory dumps, with forensic analysis results indicating the possibility of doing so across the various layers of Android’s architecture. Yet, for the detailed evidence reconstruction that could be required during digital investigation, current capabilities have to be complemented with evidence collected through live forensics. We propose that this process should still be based on carving forensic artifacts directly from memory.



Paper Citation


in Harvard Style

Vella M. and Cilia R. (2017). Memory Forensics of Insecure Android Inter-app Communications. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 481-486. DOI: 10.5220/0006215504810486


in Bibtex Style

@conference{icissp17,
author={Mark Vella and Rachel Cilia},
title={Memory Forensics of Insecure Android Inter-app Communications},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={481-486},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006215504810486},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Memory Forensics of Insecure Android Inter-app Communications
SN - 978-989-758-209-7
AU - Vella M.
AU - Cilia R.
PY - 2017
SP - 481
EP - 486
DO - 10.5220/0006215504810486