IntentFuzzer: Detecting Capability Leaks of Android Applications

Kun Yang 1,3, Jianwei Zhuge 2,3, Yongke Wang 4, Lujue Zhou 2, and Haixin Duan 2,3

1 Department of Computer Science and Technology, Tsinghua University
2 Institute for Network Science and Cyberspace, Tsinghua University
3 Tsinghua National Laboratory for Information Science and Technology
4 Institute of Information Engineering, Chinese Academy of Sciences

ABSTRACT

A capability leak is a vulnerability in Android applications that violates the enforcement of the permission model and threatens the secure use of Android phones. Malicious applications can launch permission escalation attacks through this vulnerability. In this paper, we propose a dynamic Intent fuzzing mechanism to uncover vulnerable applications in both Android markets and closed-source ROMs. We built a prototype called IntentFuzzer. With it, we analyzed more than 2000 Android applications in Google Play and hundreds of in-ROM applications inside two closed-source ROMs. We found that 161 applications in Google Play have at least one permission leak, and that 26 permissions in the Xiaomi Hongmi phone and 19 permissions in the Lenovo K860i stock phone are leaked. Finally, we give several cases of exploitation to verify our analysis results.

Categories and Subject Descriptors
D.2.4 [Software Engineering]: Software/Program Verification; D.2.5 [Software Engineering]: Testing and Debugging

General Terms
Security, Design, Experimentation

Keywords
Smartphone Security, Intent Fuzzing, Capability Leak

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
ASIA CCS'14, June 4–6, 2014, Kyoto, Japan.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-2800-5/14/06 ...$15.00.
http://dx.doi.org/10.1145/2590296.2590316

1. INTRODUCTION

The market share of Android smartphones has exploded in recent years. Compared with traditional PCs, smartphones are much closer to their users. Considering the sensors integrated into mobile devices, such as cameras and voice recorders, it is necessary to protect the use of these sensors. Moreover, smartphones have become the main way to store and handle private data, including SMS messages, call logs, contact information and photos, which must be protected.

The permission model is essential to the design of Android security. In this model, sensitive resources are protected by permissions that other applications do not hold. However, because vulnerable applications exist, it is possible for attackers to break through this permission model. A capability leak is such a vulnerability: an application exposes some of its permissions, so that other applications without those permissions can access the protected resources.

Several static analysis systems have already been built to detect capability leaks in applications [7, 6, 10, 5]. DroidChecker [5] found 6 vulnerable apps including Adobe Photoshop Express 1.3.1. Woodpecker [10] detected 11 leaked permissions in 8 stock phones from the world's leading manufacturers. These tools are effective, but they may all produce false positives, and how to trigger each permission leak must be verified manually.
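The following added example (not code from the paper or from IntentFuzzer) illustrates the capability leak defined above in Android Java: a Service that performs an SMS send on behalf of any caller, next to a hardened form. Class names, the action string and the manifest fragments in the comments are hypothetical.

```java
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

// Vulnerable variant. Constructed manifest entry: an <intent-filter> implies
// android:exported="true" on targets below API 31, and nothing guards it.
//   <service android:name=".LeakyService">
//     <intent-filter><action android:name="com.example.ACTION_SEND"/></intent-filter>
//   </service>
public class LeakyService extends Service {
    static final String ACTION_SEND = "com.example.ACTION_SEND";

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (intent != null && ACTION_SEND.equals(intent.getAction())) {
            // Capability leak: any app may start this service, and the message
            // goes out under this app's SEND_SMS permission, not the caller's.
            SmsManager.getDefault().sendTextMessage(intent.getStringExtra("to"),
                    null, intent.getStringExtra("body"), null, null);
        }
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) { return null; }
}

// Hardened variant. onStartCommand runs on the main thread with no caller
// identity, so the started-service path is guarded declaratively:
//   <service android:name=".HardenedService" android:exported="true"
//            android:permission="android.permission.SEND_SMS"/>
// (or android:exported="false" when no other app should reach it at all).
class HardenedService extends Service {
    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply,
                                     int flags) throws RemoteException {
            // Binder transactions carry the caller's uid, so this runtime check
            // is meaningful: a caller without SEND_SMS gets a SecurityException.
            HardenedService.this.enforceCallingPermission(
                    Manifest.permission.SEND_SMS, "caller lacks SEND_SMS");
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) { return binder; }
}
```

A fuzzer of the kind the paper describes detects the first variant because the privileged action completes for a caller that holds no SEND_SMS permission; for the second, the system rejects the start request before onStartCommand runs.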
To precisely and automatically uncover capability leaks in millions of applications, we apply an old technique, fuzzing, to this new setting. By sending test Intents to the various exposed interfaces, we can detect whether any capability leak happens. Compared with static methods, our method has an advantage in precision. While static analysis only sees the possible calling connections between functions, dynamic fuzzing detects permission leaks that really happen, which can be recorded and used to reconstruct the full scenario. We developed a prototype called IntentFuzzer and used it to analyze over 2,000 popular applications in Google Play. Our results show that 161 applications have at least one permission leak. We also applied IntentFuzzer to closed-source ROMs customized by various vendors, and found that 26 permissions in the Xiaomi Hongmi phone and 19 permissions in the Lenovo K860i are leaked.

The rest of the paper is organized as follows. Section 2 briefly introduces background knowledge of the Android permission model and the Inter-Component Communication mechanism. Section 3 and Section 4 describe our system design and implementation respectively. Section 5 presents the detailed evaluation results from our study. Section 6 discusses limitations and future work. Section 7 describes related work and Section 8 summarizes our conclusions.

2. BACKGROUND

2.1 Permission Model

To mitigate security threats to personal privacy, Google has designed a permission-based model. An Android application is prohibited from accessing dangerous permis-