The document summarizes a research project investigating "Hanging Attribute References (HARE)" problems in customized Android images. The researchers decompiled vendor images to compare them with stock Android Open Source Project (AOSP) images and identify differences that could create vulnerabilities. They learned how to analyze app permissions, decompose images, and build a tool to compare two images. Comparing a Samsung image to AOSP showed insights into customizations and highlighted potential security issues from resources referred to by system apps that were removed.
2. What is a HARE Problem…
Translate Email
你好
Translate Email
你好
Send Email
你好
Email App
Email App
• A HARE is when pre-installed apps are referring to a resource that might not be present on
a customized image.
• This creates opportunities for an attacker to squat the resource.
• We want to understand the security issues.
Google Translate App
Malicious App Database
3. Investigation of Hare…
• Image Repository
• Collect as many vendor images of the
android operating system
• Image Handling
• Decompile the images and framework
code
• Automating Image Comparison
• Find the differences between the images
• Understand the differences
• Google makes the Android Operating
System image
• Vendors: Samsung, LG, HTC, Huwaei, etc.
manufacture the phones
• They change the image based on phone’s
features and customize it.
• Customization causes apps to be changed or
removed. Framework code is altered.
• Once the code is altered it provides
vulnerabilities for malicious actions.
Root Cause HARE…
4. What we learned…
• We learned how to decompile an image.
• Once we decompiled it we began to understand the image’s structure.
• We then learned how to parse the android manifest file by decompiling the apps.
• We viewed the build properties to understand the type of phone and its build properties
• We learned the difference between declared permissions vs used permissions.
• Find all resources that are referred by the system apps but do not exist on the phone
• We built a tool to show the differences between two images. (A base image from AOSP and a
customized image)
5. • Compared the samsung image to
an AOSP image.
• Could easily see differences
Comparing Images…
• Showed us insight in how
Samsung changes the image.
• Different customizations
• Picture on the right shows the
differences between vendors
• Some have more methods
• Some have less methods
6. Summer learning…
• We did a lot of general learning
• Intents
• Difference between explicit
and implicit
• Experienced brainstorming
sessions with Phd students
• Getting a Phd require a lot of
perseverance and hard work
• Classes are not as difficult as
Research
• Research is much more
exciting
• Learned a lot from other projects
• Learned about the Data
Residue attack form Xiao’s
project
• Learned a lot from the
BigPhone project.
• Sometimes its difficult to
justify an idea
• Learned about Static Analysis
• Learned how to use the
Flowdroid tool
• Understood its benefits
• Performed SEED Labs
7. What we thought…
• Research is a pretty exciting and it
was really fun to be involved
• Possibly having the opportunity to
address an idea from the Android
class and then evolving it into a
research program for the summer
• Begin working with the Phd mentor
earlier in the summer. Get to know
them a little better.