【 摘 要 】

Updating applications is an important mechanism to enhance their availability, functionality, and security. However, without careful considerations, application updates can bring other security problems. In this paper, we consider a novel attack that exploits application updates on Android: a cross-update privacy-leak attack called COUPLE. The COUPLE attack allows an application to secretly leak sensitive data through the cross-update interaction between its old and new versions; each version only has permissions and logic for either data collection or transmission to evade detection. We implement a runtime security system, BREAKUP, that prevents cross-update sensitive data transactions by tracking permission-use histories of individual applications. Evaluation results show that BREAKUP’s time overhead is below 5%. We further show the feasibility of the COUPLE attack by analyzing the versions of 2;009 applications (28;682 APKs).

【 授权许可】

CC BY-NC-ND   

【 预 览 】

附件列表

Files	Size	Format	View
RO201911044409208ZK.pdf	539KB	PDF	download