A study on a feasible no-root approach on Android

Cheng, Yao; Li, Yingjiu; Deng, Robert; Ying, Lingyun; He, Wei

doi:10.3233/JCS-16866

Journal of Computer Security

A study on a feasible no-root approach on Android

Yao Cheng Yingjiu Li Robert Deng All authors (5)

https://doi.org/10.3233/JCS-16866

Pub. online: 5 September 2023 Type: Research Article

Published
5 September 2023

Abstract

Root is the administrative privilege on Android, which is however inaccessible on stock Android devices. Due to the desire for privileged functionalities and the reluctance of rooting their devices, Android users seek for no-root approaches, which provide users with part of root privileges without rooting their devices. Existing no-root approaches require users to launch a separate service via Android Debug Bridge (ADB) on an Android device, which would perform user-desired tasks. However, it is unusual for a third-party Android application to work with a separate native service via sockets, and it requires the application developers to have extra knowledge such as Linux programming in application development. In this paper, we propose a feasible no-root approach based on new functionalities added on Android, which creates no separate service but an ADB loopback. To ensure such no-root approach is not misused in a proactive instead of reactive manner, we examine its dark side. We find out that while this approach makes it easy for no-root applications to work, it may lead to a “permission explosion,” which enables any third-party application to attain shell permissions beyond its granted permissions. The permission explosion can further lead to exploits including privacy leakage, account takeover, application UID abuse, and user input inference. A practical experiment is carried out to evaluate the situation in the real world, which shows that many real-world applications from Google Play and four third-party application markets are indeed vulnerable to these exploits. To mitigate the dark side of the new no-root approach and make it more suitable for users to adopt, we identify the causes of the exploits, and propose a permission-based solution. We also provide suggestions to application developers and application markets on how to prevent these exploits.

References

[1]

Clockworkmod tether (no root). https://play.google.com/store/apps/details?id=com.koushikdutta.tether.

[2]

No root screenshot it. https://play.google.com/store/apps/details?id=com.edwardkim.android.screenshotitfullnoroot.

[3]

Log. http://developer.android.com/reference/android/util/Log.html.

[4]

Android debug bridge. http://developer.android.com/tools/help/adb.html.

[5]

Android security. http://googlemobile.blogspot.sg/2012/02/android-and-security.html.

[6]

D. Barrera, H. Güneş Kayacik, P.C. van Oorschot and A. Somayaji, A methodology for empirical analysis of permission-based security models and its application to Android, in: Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010, pp. 73–84.

[7]

L. Cai and H. Chen, Touchlogger: Inferring keystrokes on touch screen from smartphone motion, in: HotSec, 2011.

[8]

L. Davi, A. Dmitrienko, A.-R. Sadeghi and M. Winandy, Privilege escalation attacks on Android, in: Information Security, 2011, pp. 346–360. doi:10.1007/978-3-642-18178-8_30.

[9]

W. Enck, M. Ongtang and P. McDaniel, On lightweight mobile phone application certification, in: Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pp. 235–245.

[10]

S. Fahl, M. Harbach, M. Oltrogge, T. Muders and M. Smith, Hey, you, get off of my clipboard, in: Financial Cryptography and Data Security, 2013, pp. 144–161. doi:10.1007/978-3-642-39884-1_12.

[11]

A.P. Felt and D. Wagner, Phishing on Mobile Devices, 2011.

[12]

Flurry. http://www.flurry.com/.

[13]

Helium - app sync and backup. https://play.google.com/store/apps/details?id=com.koushikdutta.backup.

[14]

S. Hwang, S. Lee, Y. Kim and S. Ryu, Bittersweet adb: Attacks and defenses, in: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 2015, pp. 579–584.

[15]

Y.Z.X. Jiang, Detecting passive content leaks and pollution in Android applications, in: NDSS, 2013.

[16]

C.-C. Lin, H. Li, X. Zhou and X. Wang, Screenmilker: How to milk your Android screen for secrets, in: NDSS, 2014.

[17]

A. Lineberry, D.L. Richardson and T. Wyatt, These aren’t the permissions you’re looking for. https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf (2010).

[18]

C. Marforio, A. Francillon, S. Capkun, S. Capkun and S. Capkun, Application Collusion Attack on the Permission-Based Security Model and Its Implications for Modern Smartphone Systems, Department of Computer Science, ETH, Zurich, 2011.

[19]

E. Owusu, J. Han, S. Das, A. Perrig and J. Zhang, Accessory: Password inference using accelerometers on smartphones, in: Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications, HotMobile ’12, 2012, pp. 9:1–9:6.

[20]

Platform versions distribution. http://developer.android.com/about/dashboards/index.html.

[21]

A. Porter Felt, E. Ha, S. Egelman, A. Haney, E. Chin and D. Wagner, Android permissions: User attention, comprehension, and behavior, in: Proceedings of the Eighth Symposium on Usable Privacy and Security, ACM, 2012, p. 3.

[22]

A. Porter Felt, H.J. Wang, A. Moshchuk, S. Hanna and E. Chin, Permission re-delegation: Attacks and defenses, in: USENIX Security Symposium, 2011.

[23]

R. Raguram, A.M. White and D. Goswami, Fabian Monrose, and Jan-Michael Frahm. ispy: Automatic reconstruction of typed input from compromising reflections, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, 2011, pp. 527–536.

[24]

R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia and X. Wang, Soundcomber: A stealthy and context-aware sound trojan for smartphones, in: NDSS, 2011, pp. 17–33.

[25]

Screenshot free. https://play.google.com/store/apps/details?id=com.androidscreenshotapptool.free.

[26]

Screenshot shakeshot trial. https://play.google.com/store/apps/details?id=com.designkontrol.screenshottrial.

[27]

Screenshot ultimate. https://play.google.com/store/apps/details?id=com.icecoldapps.screenshotultimate.

[28]

Smartphone OS market share, q1 2015. http://www.idc.com/prodserv/smartphone-os-market-share.jsp.

[29]

Snapchat. https://play.google.com/store/apps/details?id=com.snapchat.android.

[30]

T. Vidas, D. Votipka and N. Christin, All your droid are belong to us: A survey of current Android attacks, in: WOOT, 2011, pp. 81–90.

[31]

Vine. https://play.google.com/store/apps/details?id=co.vine.android.

[32]

Windows malware attempts to infect android devices. http://www.symantec.com/connect/blogs/windows-malware-attempts-infect-android-devices.

[33]

X. Zhang and W. Du, Attacks on Android clipboard, in: Detection of Intrusions and Malware, and Vulnerability Assessment, 2014, pp. 72–91.

[34]

W. Zhou, Y. Zhou, X. Jiang and P. Ning, Detecting repackaged smartphone applications in third-party Android marketplaces, in: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, 2012, pp. 317–326.

[35]

Y. Zhou and X. Jiang, Dissecting Android malware: Characterization and evolution, in: 2012 IEEE Symposium on Security and Privacy (SP), 2012, pp. 95–109. doi:10.1109/SP.2012.16.

[36]

Y. Zhou, Z. Wang, W. Zhou and X. Jiang, Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets, in: NDSS, 2012.

Full article Related articles

Keywords

Android root no-root approach permission explosion Android Debug Bridge (ADB) exploits analysis

Metrics

since February 2017

Article info
views

Full article
views

PDF
downloads

XML
downloads

RSS

Authors

Abstract

References

Export citation

Copy and paste formatted citation

Download citation in file

PDF Preview