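Academic Seminar Announcement for September 9 (Qi Li, Tsinghua University)
Posted by: admin  Published: 2016-09-08 14:38
Title: Direct Resource Hijacking in Android is Still Dangerous
Date and time: Friday, September 9, 2016, 14:00
Venue: E202
Speaker: Qi Li (李琦)
Affiliation: Tsinghua University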
Speaker bio: Qi Li received his Ph.D. degree from Tsinghua University. He is now an associate professor at the Graduate School at Shenzhen, Tsinghua University. He has worked at ETH Zurich, the University of Texas at San Antonio, The Chinese University of Hong Kong, the Chinese Academy of Sciences, and Intel. His research interests are in network and system security, particularly Internet security, mobile security, and the security of large-scale distributed systems. He is currently an editorial board member of IEEE Transactions on Dependable and Secure Computing, and has served on the organization or program committees of various premier conferences.
 
Abstract: Android provides flexible inter-application (or inter-app) communication by exporting the components of one app to others. Each app can define customized permissions to control access from other apps to its exposed components. However, an attacker can easily access the exported components and private app information by evading permission checks in Android. In this talk, we present a new attack, called the direct resource hijacking attack, which hijacks exported components or the permissions on components. We find that among the top 230 popular apps, 53 apps are vulnerable to this attack. To tackle this vulnerability, we propose a fine-grained resource access control framework in Android and introduce a certificate-augmented resource naming mechanism. With this, malicious apps cannot hijack a victim app's permissions to steal its data, or hijack a victim app's components to receive its data. We hope our scheme will shed light on a new design of resource protection in Android.
 
Hosts: Prof. Qian Wang (王骞), Assoc. Prof. Fei Yan (严飞)
 