{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,21]],"date-time":"2025-05-21T06:35:33Z","timestamp":1747809333751},"reference-count":46,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,8,2]],"date-time":"2023-08-02T00:00:00Z","timestamp":1690934400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,8,2]],"date-time":"2023-08-02T00:00:00Z","timestamp":1690934400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Strategic Priority Research Program of Chinese Academy of Sciences","award":["XDC02040100"],"award-info":[{"award-number":["XDC02040100"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Statistics show that more than 80 applications are installed on each android smartphone. Vulnerability research on Android applications is of critical importance. Recently, academic researchers mainly focus on single bug patterns, while few of them investigate the relations between multiple bugs. Industrial researchers proposed a series of logic exploit chains leveraging multiple logic bugs. However, there is no general model to evaluate the chaining abilities between bugs. This paper presents a formal model to elucidate the relations between multiple bugs in Android applications. To prove the effectiveness of the model, we design and implement a prototype system named AppChainer. AppChainer automatically identifies attack surfaces of Android applications and investigates whether the payloads entering these attack surfaces are \u201cchainable\u201d. Experimental results on 2138 popular Android applications show that AppChainer is effective in identifying and chaining attacker-controllable payloads. It identifies 14467 chainable payloads and constructs 5458 chains both inside a single application and among various applications. The time cost and resource consumption of AppChainer are also acceptable. For each application, the average analysis time is 317\u00a0s, and the average memory consumed is 2368\u00a0MB. Compared with the most relevant work Jandroid, the experiment results on our custom DroidChainBench show that AppChainer outperforms Jandroid at the precision rate and performs equally with Jandroid at the recall rate.<\/jats:p>","DOI":"10.1186\/s42400-023-00151-2","type":"journal-article","created":{"date-parts":[[2023,8,2]],"date-time":"2023-08-02T02:01:22Z","timestamp":1690941682000},"update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["AppChainer: investigating the chainability among payloads in android applications"],"prefix":"10.1186","volume":"6","author":[{"given":"Xiaobo","family":"Xiang","sequence":"first","affiliation":[]},{"given":"Yue","family":"Jiang","sequence":"additional","affiliation":[]},{"given":"Qingli","family":"Guo","sequence":"additional","affiliation":[]},{"given":"Xiu","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Xiaorui","family":"Gong","sequence":"additional","affiliation":[]},{"given":"Baoxu","family":"Liu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,8,2]]},"reference":[{"key":"151_CR1","doi-asserted-by":"crossref","unstructured":"Aldoseri A, Oswald D (2022) insecure:\/\/vulnerability analysis of URI scheme handling in android mobile browsers. In: Proceedings of the workshop on measurements, attacks, and defenses for the web (MADWeb)","DOI":"10.14722\/madweb.2022.23003"},{"key":"151_CR2","doi-asserted-by":"crossref","unstructured":"Au KWY, Zhou YF, Huang Z, Lie D (2012) Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM conference on Computer and communications security, pp. 217\u2013228","DOI":"10.1145\/2382196.2382222"},{"key":"151_CR3","doi-asserted-by":"publisher","first-page":"525","DOI":"10.1007\/s00165-017-0445-z","volume":"30","author":"H Bagheri","year":"2018","unstructured":"Bagheri H, Kang E, Malek S, Jackson D (2018) A formal approach for detection of security flaws in the android permission system. Form Asp Comput 30:525\u2013544","journal-title":"Form Asp Comput"},{"key":"151_CR4","doi-asserted-by":"crossref","unstructured":"Bagheri H, Kang E, Malek S, Jackson D (2015) Detection of design flaws in the android permission protocol through bounded verification. In: International symposium on formal methods. Springer (Veranst.), pp. 73\u201389","DOI":"10.1007\/978-3-319-19249-9_6"},{"key":"151_CR5","unstructured":"Buchanan E, Roemer R, Savage S, Shacham H (2008) Return-oriented programming: exploitation without code injection. Black Hat 8"},{"key":"151_CR6","unstructured":"Buildfile (2022) Mobile app download statistics & usage statistics (2022) https:\/\/buildfire.com\/app-statistic. \u2013 Zugriffsdatum. Accessed 16 June"},{"key":"151_CR7","doi-asserted-by":"crossref","unstructured":"Chen L, Liu X, Ma T, Shi CC, Li NG (2016) Research on static analysis technology of android application security defects. In: Proceedings of the international conference on electrical engineering and automation, pp. 113\u2013119","DOI":"10.12783\/dtetr\/iceea2016\/6710"},{"issue":"9","key":"151_CR8","first-page":"4248","volume":"12","author":"K Choi","year":"2018","unstructured":"Choi K, Ko M, Chang B-M (2018) A practical intent fuzzing tool for robustness of inter-component communication in android apps. KSII Trans Internet Inf Syst TIIS 12(9):4248\u20134270","journal-title":"KSII Trans Internet Inf Syst TIIS"},{"key":"151_CR9","unstructured":"Dawn Security Lab (2022) Mystique in the house: the droid vulnerability chain that owns all your applications. https:\/\/dawnslab.jd.com\/mystique-paper\/mystique-paper.pdf. \u2013 Zugriffsdatum: Accessed 16 June 2022"},{"issue":"6","key":"151_CR10","doi-asserted-by":"publisher","first-page":"5084","DOI":"10.1007\/s10664-020-09879-8","volume":"25","author":"BF Demissie","year":"2020","unstructured":"Demissie BF, Mariano C, Shar LK (2020) Security analysis of permission re-delegation vulnerabilities in Android apps. Empir Softw Eng 25(6):5084\u20135136","journal-title":"Empir Softw Eng"},{"key":"151_CR11","doi-asserted-by":"publisher","unstructured":"Demissie Biniam\u00a0F, Ceccato M (2020) Security testing of second order permission re-delegation vulnerabilities in android apps. In: Proceedings of the IEEE\/ACM 7th international conference on mobile software engineering and systems. Association for Computing Machinery (MOBILESoft \u201920), New York, pp. 1\u201311. https:\/\/doi.org\/10.1145\/3387905.3388592. ISBN 9781450379595","DOI":"10.1145\/3387905.3388592"},{"issue":"1","key":"151_CR12","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/s10207-020-00491-x","volume":"20","author":"MA El-Zawawy","year":"2021","unstructured":"El-Zawawy MA, Eleonora L, Mauro C (2021) Do not let Next-Intent Vulnerability be your next nightmare: type system-based approach to detect it in Android apps. Int J Inf Secur 20(1):39\u201358","journal-title":"Int J Inf Secur"},{"key":"151_CR13","doi-asserted-by":"crossref","unstructured":"Elgharabawy M, Kojusner B, Mannan M, Butler KB, Williams B, Youssef A (2022) SAUSAGE: security analysis of unix domain socket usage in android. In:\u00a02022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). p\u00a0572\u2013586","DOI":"10.1109\/EuroSP53844.2022.00042"},{"key":"151_CR14","unstructured":"Felt AP, Wang HJ, Moshchuk A, Hanna S, Chin E (2011) Permission re-delegation: attacks and defenses. In: USENIX security symposium, vol. 30, pp. 88"},{"key":"151_CR15","unstructured":"f-secure Lab (2022) Xiaomi Mi9 (Pwn2Own 2019). 2019. https:\/\/labs.f-secure.com\/advisories\/xiaomi-mi9\/. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR16","doi-asserted-by":"crossref","unstructured":"Gao J, Li L, Kong P, Bissyand\u00e9 TF, Klein J (2018) Poster: on vulnerability evolution in android apps. In: 2018 IEEE\/ACM 40th international conference on software engineering: companion (ICSE-Companion) IEEE (Veranst.), pp. 276\u2013277","DOI":"10.1145\/3183440.3194968"},{"key":"151_CR17","doi-asserted-by":"crossref","unstructured":"Gao X, Tan SH, Dong Z, Roychoudhury A (2018) Android testing via synthetic symbolic execution. In: 2018 33rd IEEE\/ACM international conference on automated software engineering (ASE) IEEE (Veranst.), pp. 419\u2013429","DOI":"10.1145\/3238147.3238225"},{"key":"151_CR18","doi-asserted-by":"crossref","unstructured":"Garg S, Baliyan N (2020) Machine learning based android vulnerability detection: a roadmap. In: International conference on information systems security. Springer (Veranst.), pp. 87\u201393","DOI":"10.1007\/978-3-030-65610-2_6"},{"key":"151_CR19","unstructured":"Geshev G, Miller R (2018) Chainspotting: building exploit chains with logic bugs. https:\/\/labs.f-secure.com\/archive\/chainspotting-building-exploit-chains-with-logic-bugs\/. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR20","unstructured":"Google (2022) File observer - android developers. https:\/\/developer.android.com\/reference\/android\/os\/FileObserver. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR21","unstructured":"Google (2022) PendingIntent | Android Developers. https:\/\/developer.android.com\/reference\/android\/app\/PendingIntent. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR22","doi-asserted-by":"crossref","unstructured":"Gorski\u00a0III Sigmund\u00a0A, Enck W (2019) Arf: identifying re-delegation vulnerabilities in android system services. In: Proceedings of the 12th conference on security and privacy in wireless and mobile networks, pp. 151\u2013161","DOI":"10.1145\/3317549.3319725"},{"key":"151_CR23","doi-asserted-by":"crossref","unstructured":"Gro\u00df S, Tiwari A, Hammer C (2018) Pianalyzer: a precise approach for pendingintent vulnerability analysis. In: European symposium on research in computer security. Springer (Veranst.), pp. 41\u201359","DOI":"10.1007\/978-3-319-98989-1_3"},{"key":"151_CR24","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/2489214","author":"C Hyunwoo","year":"2018","unstructured":"Hyunwoo C, Yongdae K (2018) Large-scale analysis of remote code injection attacks in android apps. Secur Commun Netw. https:\/\/doi.org\/10.1155\/2018\/2489214","journal-title":"Secur Commun Netw"},{"key":"151_CR25","unstructured":"III Sigmund Albert\u00a0G., Thorn S, Enck W, Chen H (2022) FReD: identifying file re-delegation in android system services. In: 31st USENIX security symposium (USENIX Security 22).USENIX Association, Boston, pp. 1525\u20131542. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/gorski. ISBN 978-1-939133-31-1"},{"key":"151_CR26","unstructured":"Initiative Zero\u00a0D (2022) Pwn2Own Miami 2022 Rules. https:\/\/www.zerodayinitiative.com\/Pwn2OwnMiami2022Rules.html. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR27","unstructured":"JoMing Y (2022) Google Play Scraper. https:\/\/github.com\/JoMingyu\/google-play-scraper. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR28","unstructured":"Lab f-secure (2019) Automating Pwn2Own with Jandroid. https:\/\/labs.f-secure.com\/blog\/automating-pwn2own-with-jandroid. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR29","doi-asserted-by":"crossref","unstructured":"Lerch J, Hermann B, Bodden E, Mezini M (2014) FlowTwist: efficient context-sensitive inside-out taint analysis for large codebases. In: Proceedings of the 22nd ACM SIGSOFT international symposium on foundations of software engineering, pp. 98\u2013108","DOI":"10.1145\/2635868.2635878"},{"key":"151_CR30","doi-asserted-by":"crossref","unstructured":"Linares-V\u00e1squez M, Bavota G, Escobar-Vel\u00e1squez C (2017) An empirical study on android-related vulnerabilities. In: 2017 IEEE\/ACM 14th international conference on mining software repositories (MSR), pp. 2\u201313","DOI":"10.1109\/MSR.2017.60"},{"key":"151_CR31","unstructured":"Liu F, Wang C, Pico A, Yao D, Wang G (2017) Measuring the insecurity of mobile deep links of android. In: 26th USENIX security symposium (USENIX Security 17), pp. 953\u2013969"},{"key":"151_CR32","doi-asserted-by":"crossref","unstructured":"Lu L, Li Z, Wu Z, Lee W, Jiang G (2012) Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM conference on Computer and communications security, pp. 229\u2013240","DOI":"10.1145\/2382196.2382223"},{"issue":"12","key":"151_CR33","doi-asserted-by":"publisher","first-page":"2946","DOI":"10.1109\/TMC.2019.2936561","volume":"19","author":"L Luo","year":"2019","unstructured":"Luo L, Zeng Q, Cao C, Chen K, Liu J, Liu L, Gao N, Yang M, Xing X, Liu P (2019) Tainting-assisted and context-migrated symbolic execution of android framework for vulnerability discovery and exploit generation. IEEE Trans Mob Comput 19(12):2946\u20132964","journal-title":"IEEE Trans Mob Comput"},{"key":"151_CR34","doi-asserted-by":"publisher","first-page":"110386","DOI":"10.1016\/j.jss.2019.07.088","volume":"159","author":"A Maqsood","year":"2020","unstructured":"Maqsood A, Valerio C, Bruno C, Francesco B, Yury Z (2020) StaDART: addressing the problem of dynamic code updates in the security analysis of android applications. J Syst Softw 159:110386","journal-title":"J Syst Softw"},{"key":"151_CR35","doi-asserted-by":"crossref","unstructured":"Min Z, Haimin Y, Ping C, Zhengxing Y (2019) Android software vulnerability mining framework based on dynamic taint analysis technology. In: 2019 IEEE 3rd information technology, networking, electronic and automation control conference (ITNEC) IEEE (Veranst.), pp. 2112\u20132115","DOI":"10.1109\/ITNEC.2019.8729217"},{"key":"151_CR36","unstructured":"Owasp (2022) OWASP mobile top 10. https:\/\/owasp.org\/www-project-mobile-top-10\/. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR37","unstructured":"Plaskett A, Loureiro J (2018) The mate escape. https:\/\/labs.f-secure.com\/archive\/the-mate-escape-huawei-pwn2owning\/. Zugriffsdatum: Accessed 16 June 2022"},{"key":"151_CR38","doi-asserted-by":"crossref","unstructured":"Qu Z, Alam S, Chen Y, Zhou X, Hong W, Riley R (2017) Dydroid: measuring dynamic code loading and its security implications in android applications. In: 2017 47th annual IEEE\/IFIP international conference on dependable systems and networks (DSN). IEEE (Veranst.), pp. 415\u2013426","DOI":"10.1109\/DSN.2017.14"},{"key":"151_CR39","doi-asserted-by":"crossref","unstructured":"Sherman M (2014) Attack surfaces for mobile devices. In: Proceedings of the 2nd international workshop on software development lifecycle for mobile, pp. 5\u20138","DOI":"10.1145\/2661694.2661696"},{"key":"151_CR40","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1145\/2666356.2594299","volume":"49","author":"A Steven","year":"2014","unstructured":"Steven A, Siegfried R, Christian F, Eric B, Alexandre B, Jacques K, Yves LT, Damien O, Patrick MD (2014) Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Not 49:259\u2013269","journal-title":"Acm Sigplan Not"},{"key":"151_CR41","doi-asserted-by":"publisher","unstructured":"Wang R, Xing L, Wang XF, Chen S (2013) Unauthorized origin crossing on mobile platforms: threats and mitigation. Association for Computing Machinery, (CCS \u201913), New York, pp. 635\u2013646. https:\/\/doi.org\/10.1145\/2508859.2516727. ISBN 9781450324779","DOI":"10.1145\/2508859.2516727"},{"key":"151_CR42","doi-asserted-by":"crossref","unstructured":"Yang K, Zhuge J, Wang Y, Zhou L, Duan H (2014) IntentFuzzer: detecting capability leaks of android applications. In: Proceedings of the 9th ACM symposium on Information, computer and communications security,pp. 531\u2013536","DOI":"10.1145\/2590296.2590316"},{"key":"151_CR43","doi-asserted-by":"crossref","unstructured":"Ye H, Cheng S, Zhang L, Jiang F (2013) Droidfuzzer: fuzzing the android apps with intent-filter tag. In: Proceedings of international conference on advances in mobile computing & multimedia, pp. 68\u201374","DOI":"10.1145\/2536853.2536881"},{"key":"151_CR44","doi-asserted-by":"crossref","unstructured":"Zhang C, Li S, Diao W, Guo S (2022) PITracker: detecting android pendingintent vulnerabilities through intent flow analysis. In: Proceedings of the 15th ACM conference on security and privacy in wireless and mobile networks, pp. 20\u201325","DOI":"10.1145\/3507657.3528555"},{"key":"151_CR45","doi-asserted-by":"crossref","unstructured":"Zhang H, Li Z, Shahriar H, Lo D, Wu F, Qian Y (2019) Protecting data in android external data storage. In: 2019 IEEE 43rd annual computer software and applications conference (COMPSAC), vol. 1, pp. 924\u2013925","DOI":"10.1109\/COMPSAC.2019.00143"},{"key":"151_CR46","doi-asserted-by":"crossref","unstructured":"Zhauniarovich Y, Ahmad M, Gadyatskaya O, Crispo B, Massacci F (2015) Stadyna: addressing the problem of dynamic code updates in the security analysis of android applications. In: Proceedings of the 5th ACM conference on data and application security and privacy, pp. 37\u201348","DOI":"10.1145\/2699026.2699105"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00151-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-023-00151-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00151-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,8,2]],"date-time":"2023-08-02T02:06:35Z","timestamp":1690941995000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-023-00151-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,8,2]]},"references-count":46,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["151"],"URL":"https:\/\/doi.org\/10.1186\/s42400-023-00151-2","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,8,2]]},"assertion":[{"value":"14 December 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 March 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 August 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interest"}}],"article-number":"16"}}