Arf: Identifying Re-Delegation Vulnerabilities In Android System Services

Over the past decade, the security of the Android platform has undergone significant scrutiny by both academic and industrial researchers. This scrutiny has been largely directed towards third-party applications and a few critical system interfaces, leaving much of Android's middleware unstudied. Building upon recent efforts to more rigorously analyze authorization logic in Android's system services, we revisit the problem of permission re-delegation, but in the context of system service entry points. In this paper, we propose the Android Re-delegation Finder (ARF) analysis framework for helping security analysts identify permission re-delegation vulnerabilities within Android's system services. ARF analyzes an interconnected graph of entry points in system services, deriving calling dependencies, annotating permission checks, and identifying potentially vulnerable deputies that improperly expose information or functionality to third-party applications. We apply ARF to Android AOSP version 8.1.0 and find that it refines the set of 15,483 paths between entry points down to a manageable set of 490 paths. Upon manual inspection, we found that 170 paths improperly exposed information or functionality, consisting of 86 vulnerable deputies. Through this effort, we demonstrate the need for continued investigation of automated tools to analyze the authorization logic within the Android middleware.