Droidot: Vulnerable Native Libraries on Android

Android is a complex platform with diverse, concurrently running services. Looking at user-space the assumption is that each app is isolated from all others running on top of the rich Android runtime system. Unfortunately, the available system libraries are heavily limited and Android apps often ship diverse libraries. These libraries are often written in low level languages like C/C++ and called through JNI (the Java Native Interface). Sadly, many of these libraries are not updated and, surprisingly, many libraries are shared among many apps.

We set out to study this ecosystem by analyzing how diverse these libraries are, if they are updated, and, if they are exploitable. Our goal was to analyze how libraries are used, create fuzz harnesses that replicate the library usage, and fuzz the libraries using a mock Android environment.

The key contribution of Poirot/Droidot is an analysis platform that takes Android apps and creates a realistic fuzz harness for the included native libraries. A challenge is the extraction of realistic interactions with the library. Our approach analyzes the Java part of the app and extracts JNI calls to recover the interaction between high-level and low-level interfaces. Our analysis is sensitive to call sequences and argument-value flow, creating realistic interaction patterns. We then create a customized lightweight Android environment that allows multiple round trips between high-level and native code.

We fuzz the 3,967 most popular APKs from the Google Play store that contain native libraries, discover 4,282 crashes. After triaging the top 200, we identify 34 vulnerabilities across 34 apps with 3 CVEs assigned. Droidot is open-source and we invite you to play with it!

This work was a collaboration among Luca di Bartolomeo, Philipp Mao, Yu-Jye Tung, Jessy Ayala, Samuele Doria, Paolo Celada, Marcel Busch, Joshua Garcia, Eleonora Losiouk, and Mathias Payer. Luca was the main student on the project working on the mock environment and, together with Philipp, triaged all the crashes. Kudos to them for the heavy lifting!

Random ramblings of a security nerd

Other articles

NASS: Fuzzing Native Android System Services

From Fuzzing to Frameworks: 2024 Research Highlights

Milkomeda: colliding galaxies or how to repurpose security checks across domains

Other articles

links

social