Cruel intentions: enhancing Android's intent firewall

Abstract

The inter-process communication (IPC) functionality of the Android platform has received the attention of security researchers since the first release of the operating system. Because the IPC mechanism employs a publish-subscribe pattern in which applications declare what kinds of intent messages they are prepared to receive, the system is prone to misuse by malicious applications. While unsecured messages sent system-wide may leak sensitive data when intercepted by unintended recipients, unguarded exposed application components may be targeted by malicious intents that inject data to trigger unwanted behaviour. To mitigate those dangers, the operating system received a mandatory access control system named Intent Firewall (IFW) in version 4.4, which allows IPC traffic to be monitored and blocked according to user-defined rules. Since the effectiveness of this system is limited by its coarse filter granularity, its difficult usability and its lack of automatic threat detection, an upgraded version was needed. After reviewing both static and dynamic research approaches as well as policy-based security tools that aim to identify and regulate malicious intent traffic, the Enhanced Intent Firewall (EFW) was created to remedy some of the shortcomings in the design of the original Intent Firewall implementation. Using this system, a set of both malicious and benign applications has been analyzed in order to characterize dangerous intent traffic and subsequently counteract it with user-created policies. Furthermore, a detection module is presented to show the capability of the system to analyze and monitor IPC communication in real time and to detect and automatically block malicious behaviour. Finally, the effect of the tool on the operating system's runtime performance is measured to demonstrate the feasibility of the approach.
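To make the rule-based blocking concrete, here is an added example of a stock Intent Firewall policy file in the XML syntax the platform reads from /data/system/ifw/; it is not taken from the thesis or its EFW implementation. The package, component and action names are placeholders, and the element names follow my reading of AOSP's IntentFirewall rule parser.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of a stock IFW policy (not the thesis's own rules).
     All package, component and action names below are placeholders. -->
<rules>

  <!-- Rule 1: log, but still deliver, every broadcast that would reach the
       placeholder receiver. Logging first is how one characterizes the
       traffic before deciding what to block. -->
  <broadcast log="true" block="false">
    <component-filter name="com.example.victim/.ExportedReceiver" />
  </broadcast>

  <!-- Rule 2: block (and log) any start of the placeholder exported
       service unless the caller is a system application. The <not>/<sender>
       pair is the only notion of caller identity the rule language offers. -->
  <service block="true" log="true">
    <component-filter name="com.example.victim/.ExportedService" />
    <not>
      <sender type="system" />
    </not>
  </service>

  <!-- Rule 3: block every activity start whose intent carries the
       placeholder action, regardless of which component would receive it.
       The intent-filter uses the same action/category/data matching as
       manifest filters; it cannot look at the intent's extras. -->
  <activity block="true" log="true">
    <intent-filter>
      <action name="com.example.PLACEHOLDER_ACTION" />
    </intent-filter>
  </activity>

</rules>
```

Every criterion in these rules is a component name, an intent-filter attribute or the sender's identity; the payload carried in the intent is never inspected, which is one aspect of the coarse filter granularity the abstract refers to.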

Publication
TU Wien