TY - GEN
T1 - Harvesting inconsistent security configurations in custom android ROMs via differential analysis
AU - Aafer, Yousra
AU - Zhang, Xiao
AU - Du, Wenliang
N1 - Funding Information:
We would like to thank our anonymous reviewers for their insightful comments. This project was supported in part by the NSF grant 1318814.
PY - 2016
Y1 - 2016
N2 - Android customization offers substantially different experiences and rich functionalities to users. Every party in the customization chain, such as vendors and carriers, modify the OS and the pre-installed apps to tailor their devices for a variety of models, regions, and custom services. However, these modifications do not come at no cost. Several existing studies demonstrate that modifying security configurations during the customization brings in critical security vulnerabilities. Albeit these serious consequences, little has been done to systematically study how Android customization can lead to security problems, and how severe the situation is. In this work, we systematically identified security features that, if altered during the customization, can introduce potential risks. We conducted a large scale differential analysis on 591 custom images to detect inconsistent security features. Our results show that these discrepancies are indeed prevalent among our collected images. We have further identified several risky patterns that warrant further investigation. We have designed attacks on real devices and confirmed that these inconsistencies can indeed lead to actual security breaches.
AB - Android customization offers substantially different experiences and rich functionalities to users. Every party in the customization chain, such as vendors and carriers, modify the OS and the pre-installed apps to tailor their devices for a variety of models, regions, and custom services. However, these modifications do not come at no cost. Several existing studies demonstrate that modifying security configurations during the customization brings in critical security vulnerabilities. Albeit these serious consequences, little has been done to systematically study how Android customization can lead to security problems, and how severe the situation is. In this work, we systematically identified security features that, if altered during the customization, can introduce potential risks. We conducted a large scale differential analysis on 591 custom images to detect inconsistent security features. Our results show that these discrepancies are indeed prevalent among our collected images. We have further identified several risky patterns that warrant further investigation. We have designed attacks on real devices and confirmed that these inconsistencies can indeed lead to actual security breaches.
UR - http://www.scopus.com/inward/record.url?scp=84995368181&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84995368181&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84995368181
T3 - Proceedings of the 25th USENIX Security Symposium
SP - 1153
EP - 1168
BT - Proceedings of the 25th USENIX Security Symposium
PB - USENIX Association
T2 - 25th USENIX Security Symposium
Y2 - 10 August 2016 through 12 August 2016
ER -