Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android

SLIDE 1

Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android

Xiao Zhang, Kailiang Ying, Yousra Aafer, Zhenshen Qiu, and Wenliang Du

SLIDE 2

App Life

Installation Interaction Uninstallation

SLIDE 3

But, what if …

Are there any data left after application uninstallation on Android?

[Figure labels: Android App Uninstallation; Windows Residue]

SLIDE 4

In Details

Installation Interaction Uninstallation

Are the data still alive after application uninstallation on Android?

[Diagram: data associated with App XYZ (UID = 10050) across system layers]

  • APPLICATION: App XYZ (UID = 10050), /data/data/com.XYZ
  • SDCard: /Android/data/com.XYZ, shared files
  • FRAMEWORK: /data/system/ | /system/ | /sys/ | …, holding account.db | settings.db | packages.xml … <10050, perms> | Clip data | token …

SLIDE 5

What can go wrong?

Are the data still alive in Android system services after application uninstallation?

SLIDE 6

Methodology

[Flowchart: methodology]

  • Data Residue Harvest: System Service Collection, Filtering, Candidate Database, Manual Analysis, Residue Instances
  • Damage Evaluation: Attack Design, Protection Examination, Exploit Attempts, Damage Measurement
  • Feedback
  • Per candidate service: Saving data to files, databases? Or saving data in memory? Data cleanup (flaw)? (Yes / No) Data Residue, Vulnerability exploits

SLIDE 7

Findings

  • 7 security vulnerabilities acknowledged by Google with Medium priority

SLIDE 8

Sample Exploits - I

  • Credential Stealing
SLIDE 9

Sample Exploits - II

  • Settings Impersonating

Android Framework

Spell Checker Module

SLIDE 11

Even More …

Details are available at: https://sites.google.com/site/droidnotsecure/

SLIDE 12

Evaluation

  • 2,373 apps
  • 10 devices
  • 8 Android versions
  • 3 play stores
SLIDE 13

Fundamental Causes

  • Data Residue Instances <-> Mandatory Design Principle in Backend
  • Exploits <-> Signature-based Frontend
SLIDE 14

Limitation

  • Manual Analysis
  • Static Analysis
      – App Level
      – Intelligence
  • Dynamic Analysis
      – App Level
      – Exploit Conditions

    private class TextServicesMonitor extends PackageMonitor {
        @Override
        public void onSomePackagesChanged() {
            synchronized (mSpellCheckerMap) {
                buildSpellCheckerMapLocked(mContext, mSpellCheckerList, mSpellCheckerMap);
                // TODO: Update for each locale
                SpellCheckerInfo sci = getCurrentSpellChecker(null);
                if (sci == null) return;
                final String packageName = sci.getPackageName();
                final int change = isPackageDisappearing(packageName);
                if (// Package disappearing
                        change == PACKAGE_PERMANENT_CHANGE || change == PACKAGE_TEMPORARY_CHANGE
                        // Package modified
                        || isPackageModified(packageName)) {
                    sci = findAvailSpellCheckerLocked(null, packageName);
                    if (sci != null) {
                        setCurrentSpellCheckerLocked(sci.getId());
                    }
                    // When no replacement is found (sci == null), the stored
                    // spell checker setting is left unchanged.
                }
            }
        }
    }
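An added sketch, not code from the presentation or from Android: a simplified Python model of the package-removal branch in the TextServicesMonitor excerpt above, placed next to a cleanup variant and a residue audit. The class, method and package names are hypothetical, and the model assumes the selected spell checker is stored by package name.

```python
# Added illustration: toy model of a system service that persists the
# selected spell checker by package name. All names are hypothetical.

class SpellCheckerRegistry:
    def __init__(self, installed, current):
        self.installed = set(installed)   # packages providing a spell checker
        self.current = current            # persisted setting: selected package

    def _find_replacement(self, removed):
        # Any other installed spell checker, in stable order; None if none.
        others = sorted(self.installed - {removed})
        return others[0] if others else None

    def on_package_removed_as_on_slide(self, pkg):
        # Mirrors the excerpt's branch: update only when a replacement exists.
        self.installed.discard(pkg)
        if self.current != pkg:
            return
        replacement = self._find_replacement(pkg)
        if replacement is not None:
            self.current = replacement
        # Otherwise the setting keeps naming the removed package (data residue).

    def on_package_removed_hardened(self, pkg):
        # Cleanup variant: the setting never outlives the package it names.
        self.installed.discard(pkg)
        if self.current == pkg:
            self.current = self._find_replacement(pkg)  # None clears the setting

    def residue(self):
        # Audit: a persisted setting naming a package that is no longer installed.
        if self.current is not None and self.current not in self.installed:
            return [self.current]
        return []


def run_scenario(handler_name, installed, current, removed):
    # Build a registry, deliver one removal event, return (setting, residue).
    reg = SpellCheckerRegistry(installed, current)
    getattr(reg, handler_name)(removed)
    return reg.current, reg.residue()


if __name__ == "__main__":
    # Constructed scenario: com.xyz is the only spell checker and is uninstalled.
    for h in ("on_package_removed_as_on_slide", "on_package_removed_hardened"):
        print(h, run_scenario(h, ["com.xyz"], "com.xyz", "com.xyz"))
```

The residue only appears when the removed package was the last available spell checker; with a second one installed, both handlers switch to it.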

SLIDE 15

Conclusion

  • Data Residue Vulnerability
  • Systematic Study
  • Comprehensive Evaluation
  • Trigger more research efforts
SLIDE 16

Questions? xzhang35@syr.edu https://sites.google.com/site/droidnotsecure/