Sneaky devs could abuse shared libraries to slurp smartphone data

Privilege escalation is baked into mobile OSes, if you look for it

Oxford researchers reckon they've spotted the next emerging trend in Android advertising (and possibly malware): using common libraries to “collude” between apps with different privilege levels.

Libraries are a common enough vector for attackers to target, but the trio of boffins (Vincent Taylor, Alastair Beresford and Ivan Martinovic) point out most research looks at apps in isolation.

So they took a different approach, looking at how the same library in two different apps could expose information from a higher-privilege app to one with lower privilege.

They write that this “intra-library collusion” (ILC) happens “when individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.

How permission collusion works

Figure from the paper: the same library embedded in two apps ends up with permissions that neither host app holds on its own

That's a threat because library re-use across different apps isn't a bug, it's a feature: developers don't have to reimplement advertising, analytics or networking code for every app. The catch is that on Android a third-party library is compiled into each host app and runs inside that app's process, so it inherits every permission the host has been granted; the permission model has no notion of the library as a separate principal.

While noting that attackers are standardising their own libraries, the researchers focussed their effort on advertising libraries, since these are almost ubiquitous in the world of smartphone apps, and are already collecting and aggregating sensitive personal data.

Their research focussed on libraries handling location, app usage, device information, communication data like call logs and messages, access to storage (including, for example, a user's files which can indicate their interests), and the microphone.

The researchers took more than 15,000 Play Store apps, each with more than a million downloads, and decompiled them to identify the libraries they embedded. For the apps they could decompile successfully, they analysed which libraries appeared in several apps with different permission sets, and so had intra-library collusion potential.
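The two ideas above, a library's effective privilege being the union of its hosts' permissions, and the ad network joining per-app reports into one profile, are easy to make concrete. The following is an added example written for this page, not the researchers' tooling or any real ad SDK: the app inventory, the hypothetical library `com/adnet`, the package names, the permission-to-data mapping and the device identifier used as the server-side join key are all constructed (two library names are taken from the table below purely as labels).

```python
"""Intra-library collusion (ILC) on Android, modelled on a constructed inventory.

A third-party library runs in every host app's process and inherits that
host's permissions, so its combined privilege is the union over all hosts.
An ad server receiving one report per host can join them on a device
identifier (assumed here; e.g. an advertising ID) into a single profile.
"""
from collections import defaultdict

# Constructed inventory: package name -> (granted permissions, embedded libraries).
# App names and "com/adnet" are hypothetical.
APPS = {
    "com.example.weather":  ({"ACCESS_FINE_LOCATION", "INTERNET"},
                             {"com/adnet", "org/apache/commons"}),
    "com.example.dialer":   ({"READ_CALL_LOG", "READ_CONTACTS", "INTERNET"},
                             {"com/adnet"}),
    "com.example.recorder": ({"RECORD_AUDIO", "INTERNET"},
                             {"com/adnet", "com/nostra13/universalimageloader"}),
    "com.example.notes":    ({"READ_EXTERNAL_STORAGE", "INTERNET"},
                             {"org/apache/commons"}),
}

# Assumed mapping from a dangerous permission to the data category it unlocks.
SENSITIVE = {
    "ACCESS_FINE_LOCATION": "location",
    "READ_CALL_LOG": "call_log",
    "READ_CONTACTS": "contacts",
    "RECORD_AUDIO": "microphone",
    "READ_EXTERNAL_STORAGE": "storage",
}


def library_privileges(apps):
    """Per library: the union of permissions over all hosts, and the largest
    permission set any single host grants it (first such host wins ties)."""
    union, max_single = defaultdict(set), defaultdict(set)
    for perms, libs in apps.values():
        for lib in libs:
            union[lib] |= perms
            if len(perms) > len(max_single[lib]):
                max_single[lib] = set(perms)
    return dict(union), dict(max_single)


def ilc_candidates(apps):
    """Libraries whose combined privileges exceed what any one host grants,
    i.e. the static precondition for ILC.  Value: the extra permissions the
    library picks up from its other hosts."""
    union, max_single = library_privileges(apps)
    extra = {lib: sorted(union[lib] - max_single[lib]) for lib in union}
    return {lib: gained for lib, gained in extra.items() if gained}


def library_collect(host_perms, device_id):
    """One embedded instance reports only what its host's permissions unlock."""
    return {"device_id": device_id,
            "data": {SENSITIVE[p] for p in host_perms if p in SENSITIVE}}


def ad_server_merge(reports):
    """Server side: join per-app reports on device_id.  No single report
    needed the full permission set, yet the merged profile has it all."""
    profiles = defaultdict(set)
    for report in reports:
        profiles[report["device_id"]] |= report["data"]
    return dict(profiles)


def colluded_profile(apps, lib, device_id):
    """What the operator of `lib` learns about one device across all hosts."""
    reports = [library_collect(perms, device_id)
               for perms, libs in apps.values() if lib in libs]
    return ad_server_merge(reports).get(device_id, set())


if __name__ == "__main__":
    for lib, gained in ilc_candidates(APPS).items():
        print(f"{lib}: gains {gained} from additional hosts")
    print("com/adnet profile:", sorted(colluded_profile(APPS, "com/adnet", "dev-1")))
```

The static check (`ilc_candidates`) is the kind of analysis the researchers ran over decompiled apps: it flags every library embedded in hosts with differing permission sets, regardless of whether the library actually abuses them, which is why the paper separates ILC *potential* from observed behaviour. The second half shows why no root or exploit is needed: each instance stays strictly within its host's permissions, and the over-privilege only materialises once the reports are joined off-device.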

The 18 most popular libraries include familiar names:

Library                               % of apps
com/facebook                          11.9
com/google/android/gms/analytics       9.8
com/flurry                             6.3
com/chartboost/sdk                     5.9
com/unity3d                            5.2
com/applovin                           3.5
com/mopub                              3.1
com/inmobi                             3.0
com/google/ads                         3.0
com/google/android/gcm                 2.7
com/tapjoy                             2.4
org/cocos2d                            2.4
com/amazon                             2.0
com/millennialmedia                    1.6
org/apache/commons                     1.4
com/heyzap                             1.4
com/nostra13/universalimageloader      1.3
com/adobe/air                          1.0

“The main catalyst that allows ILC to happen is the failure of the Android permission system to separate the privileges of libraries and their host apps”, they write. At the very least, this gives an underhanded ad network a way to improve its data collection without ever asking users for extra permissions.

They note that in such scenarios, app developers have a strong incentive to not support library privilege separation, since “it may impact their profits negatively”.

Digging deeper into how advertiser libraries behaved, they found on average those libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.

While the focus of the paper is on how advertisers might exploit ILC, it is clearly also an attack vector for malware authors, and one that needs no root access or exploit: each library instance stays within the permissions its host app was legitimately granted, so the stock permission model raises no objection. There's already evidence in previous studies that as many as 7 percent of apps from the Play Store contain potentially malicious libraries, suggesting that “attackers have turned their attention to libraries as a means of malware propagation”. ®
