Breaking and fixing the Android Launching Flow

Alessandro Armando (a,b), Alessio Merlo (a,c,*), Mauro Migliardi (d), Luca Verderame (a)

a DIBRIS, Università degli Studi di Genova, Italy
b Security & Trust Unit, FBK-irst, Trento, Italy
c Università e-Campus, Italy
d DEI, University of Padova, Italy

* Corresponding author. DIBRIS, Università degli Studi di Genova, Via all'Opera Pia, 13, 16145 Genova, Italy. Tel.: +39 (0)10 3532344.
E-mail addresses: alessandro.armando@unige.it, armando@fbk.eu (A. Armando), alessio.merlo@uniecampus.it, alessio.merlo@unige.it (A. Merlo), mauro.migliardi@unipd.it (M. Migliardi), luca.verderame@unige.it (L. Verderame).

Article history: Received 24 November 2012; Received in revised form 13 March 2013; Accepted 15 March 2013.

Keywords: Android OS; Android security; Android security framework; Zygote vulnerability; Denial-of-Service.

Abstract

The security model of the Android OS is based on the effective combination of a number of well-known security mechanisms (e.g. statically defined permissions for applications, the isolation offered by the Dalvik Virtual Machine, and the well-known Linux discretionary access control model). Although each security mechanism has been extensively tested and proved to be effective in isolation, their combination may suffer from unexpected security flaws. We show that this is actually the case by presenting a severe vulnerability in Android related to the application launching flow. This vulnerability is based on a security flaw affecting a kernel-level socket (namely, the Zygote socket). We also present an exploit of the vulnerability that allows a malicious application to mount a severe Denial-of-Service attack that makes Android devices totally unresponsive. Besides explaining the vulnerability (which affects all versions of Android up to version 4.0.3), we propose two fixes. One of the two fixes has been adopted in the official release of Android, starting with version 4.1. We empirically assess the impact of the vulnerability as well as the efficacy of the countermeasures on the end user. We conclude by extending our security analysis to the whole set of sockets, showing that other sockets do not suffer from the same vulnerability as the Zygote one.

© 2013 Elsevier Ltd. All rights reserved.

Computers & Security xxx (2013) 1-12. Available online at www.sciencedirect.com; journal homepage: www.elsevier.com/locate/cose. http://dx.doi.org/10.1016/j.cose.2013.03.009
Please cite this article in press as: Armando A, et al., Breaking and fixing the Android Launching Flow, Computers & Security (2013), http://dx.doi.org/10.1016/j.cose.2013.03.009
0167-4048/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.

1. Introduction

By leveraging a generic Linux kernel, the Android OS is built out of a layered architecture that runs on a wide variety of devices and supports the execution of a large number of applications available for download both inside and outside the Google Play Store. Since most applications are developed by third parties, security is a major concern. The Android security model tackles the problem by striving to attain the following design goal:

"A central design point of the Android security architecture is that no application, by default, has permission to perform any operation that would adversely impact other applications, the operating system, or the user." (http://developer.android.com/guide/topics/security/security.html)

This goal is pursued through a number of cross-layer security mechanisms aimed at isolating applications from each other. These mechanisms are built out of basic security mechanisms available in the individual layers of the Android
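The abstract closes by extending the analysis from the Zygote socket to the whole set of local sockets on the device. The following script is an added example, not code from the paper or from the Android project: it audits an ls-style listing of Unix-domain sockets and reports those that any UID could connect to, on the basis that connecting to a Unix-domain socket requires write permission on the socket file. The listing, the socket names and the modes are constructed for the example and do not describe any real device or the paper's findings; on a real device one would feed it the output of a directory listing of the socket directory instead.

```python
"""Audit Unix-domain sockets for modes that let any UID connect.

Added example (not the paper's code). Connecting to a Unix-domain socket
needs write permission on the socket file, so a socket whose mode grants
write access to "others" is reachable from every app UID on the device.
The listing below is CONSTRUCTED for this example: names and modes are
placeholders, not measurements from a device or from the paper.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class SocketEntry:
    path: str
    mode: int      # st_mode bits (file type + permission bits)
    owner: str
    group: str


# Permission bits in the order ls prints them: user, group, other.
_PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def parse_mode(text: str) -> int:
    """Convert an ls-style mode string such as 'srw-rw----' into st_mode bits."""
    if len(text) != 10:
        raise ValueError(f"bad mode string: {text!r}")
    mode = stat.S_IFSOCK if text[0] == "s" else 0
    for ch, bit in zip(text[1:], _PERM_BITS):
        if ch in "rwx":
            mode |= bit
        elif ch != "-":
            raise ValueError(f"unsupported mode character {ch!r} in {text!r}")
    return mode


def parse_ls_line(line: str) -> SocketEntry:
    """Parse one 'mode owner group path' line of a constructed listing."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields: {line!r}")
    mode_str, owner, group, path = fields
    return SocketEntry(path=path, mode=parse_mode(mode_str), owner=owner, group=group)


def world_connectable(entries) -> list[str]:
    """Paths of sockets any UID can connect to (other-write bit set)."""
    return [e.path for e in entries
            if stat.S_ISSOCK(e.mode) and e.mode & stat.S_IWOTH]


def connectable_by_group(entries, group: str) -> list[str]:
    """Paths of sockets reachable by members of `group` (group-write bit set)."""
    return [e.path for e in entries
            if stat.S_ISSOCK(e.mode) and e.group == group and e.mode & stat.S_IWGRP]


# Constructed sample listing (placeholder names and modes, not real data).
CONSTRUCTED_LISTING = """\
srw-rw-rw- root   root   /dev/socket/example_open
srw-rw---- root   system /dev/socket/example_system_only
srw------- root   root   /dev/socket/example_root_only
-rw-rw-rw- root   root   /dev/socket/not_a_socket
"""


def audit(listing: str = CONSTRUCTED_LISTING) -> list[str]:
    """Return the world-connectable sockets found in `listing`."""
    entries = [parse_ls_line(l) for l in listing.splitlines() if l.strip()]
    return world_connectable(entries)


if __name__ == "__main__":
    for path in audit():
        print("world-connectable socket:", path)
```

The check flags only the other-write bit because that is the bit an unprivileged app UID would rely on; the `connectable_by_group` helper lets a reviewer separately list sockets that are intentionally shared with a privileged group such as `system`, which is the kind of restriction the abstract describes as one of the possible fixes.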