Intent Security Testing - An Approach to Testing the Intent-based Vulnerability of Android Components

Sébastien Salva, Stassia R. Zafimiharisoa, Patrice Laurençot

Abstract

The intent mechanism is a powerful feature of the Android platform that helps compose existing components together to build a Mobile application. However, hackers can leverage the intent messaging to extract personal data or to call components without credentials by sending malicious intents to components. This paper tackles this issue by proposing a security testing method which aims at detecting whether the components of an Android application are vulnerable to malicious intents. Our method takes Android projects and intent-based vulnerabilities formally represented with models called vulnerability patterns. The originality of our approach resides in the generation of partial specifications from configuration files and component codes to generate test cases. A tool, called APSET, is presented and evaluated with experimentations on some Android applications.

References

  1. Android, D. (2013). Android developer's guide. In http:// developer.android.com/index.html, last accessed feb 2013.
  2. Chin, E., Felt, A. P., Greenwood, K., and Wagner, D. (2011). Analyzing inter-application communication in android. In Proceedings of the 9th international conference on Mobile systems, applications, and services, pages 239-252.
  3. Cohen, M. B., Gibbons, P. B., Mugridge, W. B., and Colbourn, C. J. (2003). Constructing test suites for interaction testing. In Proc. of the 25th International Conference on Software Engineering, pages 38-48.
  4. Frantzen, L., Tretmans, J., and Willemse, T. (2005). Test Generation Based on Symbolic Specifications. In Grabowski, J. and Nielsen, B., editors, FATES 2004, number 3395 in Lecture Notes in Computer Science, pages 1-15. Springer.
  5. Jing, Y., Ahn, G.-J., and Hu, H. (2012). Model-based conformance testing for android. In Hanaoka, G. and Yamauchi, T., editors, Proceedings of the 7th International Workshop on Security (IWSEC), volume 7631 of Lecture Notes in Computer Science, pages 1-18. Springer.
  6. Report (2012). It business: Android security. In http:// www.itbusinessedge.com/cm/blogs/weinschenk/ google-must-deal-with-android-security-problemsquickly/?cs=49291, , last accessed feb 2013.
  7. Zhong, J., Huang, J., and Liang, B. (2012). Android permission re-delegation detection and test case generation. In Computer Science Service System (CSSS), 2012 International Conference on, pages 871 -874.
Download


Paper Citation


in Harvard Style

Salva S., R. Zafimiharisoa S. and Laurençot P. (2013). Intent Security Testing - An Approach to Testing the Intent-based Vulnerability of Android Components . In Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013) ISBN 978-989-8565-73-0, pages 355-362. DOI: 10.5220/0004515203550362


in Bibtex Style

@conference{secrypt13,
author={Sébastien Salva and Stassia R. Zafimiharisoa and Patrice Laurençot},
title={Intent Security Testing - An Approach to Testing the Intent-based Vulnerability of Android Components},
booktitle={Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)},
year={2013},
pages={355-362},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004515203550362},
isbn={978-989-8565-73-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)
TI - Intent Security Testing - An Approach to Testing the Intent-based Vulnerability of Android Components
SN - 978-989-8565-73-0
AU - Salva S.
AU - R. Zafimiharisoa S.
AU - Laurençot P.
PY - 2013
SP - 355
EP - 362
DO - 10.5220/0004515203550362