Android is a complex platform with diverse, concurrently running services. In
user space, the assumption is that each app is isolated from all others running
on top of the rich Android runtime. Unfortunately, the system libraries
available to apps are limited, so Android apps often ship their own libraries.
These libraries are frequently written in low-level languages like C/C++ and
called through JNI (the Java Native Interface). Sadly, many of these libraries
are not kept up to date and, surprisingly, the same libraries are shared among
many apps.

We set out to study this ecosystem by analyzing how diverse these libraries are,
whether they are updated, and whether they are exploitable. Our goal was to
analyze how the libraries are used, create fuzz harnesses that replicate that
usage, and fuzz the libraries in a mock Android environment.
The key contribution of Poirot/Droidot is an analysis platform that takes
Android apps and creates a realistic fuzz harness for the included native
libraries. A challenge is the extraction of realistic interactions with the
library. Our approach analyzes the Java part of the app and extracts JNI calls
to recover the interaction between high-level and low-level interfaces. Our
analysis is sensitive to call sequences and argument-value flow, creating
realistic interaction patterns. We then create a customized lightweight Android
environment that allows multiple round trips between high-level and native code.
We fuzzed the 3,967 most popular APKs from the Google Play store that contain
native libraries and discovered 4,282 crashes. After triaging the top 200, we
identified 34 vulnerabilities across 34 apps, with 3 CVEs assigned. Droidot is
open-source and we invite you to play with it!
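To make the harness pattern concrete, here is a miniature, added example of the idea. It is not Droidot's code and does not use the real jni.h: the JNI library `com.example.Codec` with its two entry points, the mock environment standing in for the JNIEnv function table, and the constant argument `16` are all constructed for illustration. The harness replays the call sequence that a Java-side analysis would recover (`nativeInit(16)` followed by `nativeDecode(bytes)`), while a second, sequence-unaware harness shows why recovering that sequence matters: without the init call the decoder never executes, so a fuzzer would report full coverage of an early-return path and nothing else.

```c
/* Added example, not code from the Droidot project. The library, its JNI
 * entry points and the mock JNIEnv below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mock runtime: a stand-in for the JNIEnv function table. The real table in
 * jni.h has well over 200 entries and is reached via (*env)->Fn(env, ...);
 * a harness only needs the entries the native code actually calls, which the
 * Java-side analysis tells us. Here the table is the env itself (simplified). */
typedef struct { int32_t len; uint8_t *data; } jbytearray_t;
typedef struct mock_env mock_env_t;
struct mock_env {
    int32_t  (*GetArrayLength)(mock_env_t *, jbytearray_t *);
    uint8_t *(*GetByteArrayElements)(mock_env_t *, jbytearray_t *, int *is_copy);
    void     (*ReleaseByteArrayElements)(mock_env_t *, jbytearray_t *, uint8_t *, int mode);
    int round_trips;   /* native -> "Java" callbacks observed during one run */
};

static int32_t mock_get_len(mock_env_t *env, jbytearray_t *a) {
    env->round_trips++;
    return a->len;
}
static uint8_t *mock_get_elems(mock_env_t *env, jbytearray_t *a, int *is_copy) {
    env->round_trips++;
    if (is_copy) *is_copy = 0;
    return a->data;            /* no copy: the fuzz buffer is used in place */
}
static void mock_release(mock_env_t *env, jbytearray_t *a, uint8_t *p, int mode) {
    (void)a; (void)p; (void)mode;
    env->round_trips++;
}

/* Constructed library under test. Its Java wrapper always calls nativeInit(16)
 * once and then nativeDecode(buf) repeatedly; decode refuses to run before init. */
static struct { int inited; int32_t width; uint8_t frame[64]; } g_state;

int32_t Java_com_example_Codec_nativeInit(mock_env_t *env, void *thiz, int32_t width) {
    (void)env; (void)thiz;
    if (width <= 0 || width > (int32_t)sizeof g_state.frame) return -1;
    g_state.width = width;
    g_state.inited = 1;
    return 0;
}

/* Returns the number of bytes decoded, or -1 if called before nativeInit. */
int32_t Java_com_example_Codec_nativeDecode(mock_env_t *env, void *thiz, jbytearray_t *in) {
    (void)thiz;
    if (!g_state.inited) return -1;              /* a naive harness stops here */
    int32_t n = env->GetArrayLength(env, in);    /* round trip 1 */
    uint8_t *p = env->GetByteArrayElements(env, in, NULL);   /* round trip 2 */
    int32_t take = n < g_state.width ? n : g_state.width;
    for (int32_t i = 0; i < take; i++) g_state.frame[i] = p[i] ^ 0x5a;  /* "decode" */
    env->ReleaseByteArrayElements(env, in, p, 0);            /* round trip 3 */
    return take;
}

static mock_env_t make_env(void) {
    mock_env_t env = { mock_get_len, mock_get_elems, mock_release, 0 };
    return env;
}

static int g_last_round_trips;
int last_round_trips(void) { return g_last_round_trips; }

/* Harness built from the recovered Java call sequence
 *   Codec.nativeInit(16); Codec.nativeDecode(bytes);
 * where 16 is the constant the argument-flow analysis recovered. Wrap this in
 * LLVMFuzzerTestOneInput(data, size) to drive it with libFuzzer. */
int32_t harness_run(const uint8_t *data, size_t size) {
    mock_env_t env = make_env();
    memset(&g_state, 0, sizeof g_state);
    if (Java_com_example_Codec_nativeInit(&env, NULL, 16) != 0) return -2;
    jbytearray_t arr = { (int32_t)size, (uint8_t *)data };
    int32_t r = Java_com_example_Codec_nativeDecode(&env, NULL, &arr);
    g_last_round_trips = env.round_trips;
    return r;
}

/* Sequence-unaware harness: calls the entry point in isolation and therefore
 * never reaches the decoding logic, whatever input the fuzzer supplies. */
int32_t naive_run(const uint8_t *data, size_t size) {
    mock_env_t env = make_env();
    memset(&g_state, 0, sizeof g_state);
    jbytearray_t arr = { (int32_t)size, (uint8_t *)data };
    return Java_com_example_Codec_nativeDecode(&env, NULL, &arr);
}

int main(void) {
    uint8_t sample[32];                 /* constructed stand-in for fuzzer input */
    for (int i = 0; i < 32; i++) sample[i] = (uint8_t)i;
    printf("sequence-aware: decoded %d bytes, %d JNI round trips\n",
           harness_run(sample, sizeof sample), last_round_trips());
    printf("naive: returned %d\n", naive_run(sample, sizeof sample));
    return 0;
}
```

The two harnesses take the same input; only the sequence-aware one exercises the code that touches the buffer. In a real Droidot harness the mock table would also have to serve the lookups a library makes on the way in (class and method IDs, field reads, string conversions), which is exactly the state the Java-side analysis has to reconstruct.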
This work was a collaboration among Luca di Bartolomeo, Philipp Mao, Yu-Jye
Tung, Jessy Ayala, Samuele Doria, Paolo Celada, Marcel Busch, Joshua Garcia,
Eleonora Losiouk, and Mathias Payer. Luca was the main student on the project
working on the mock environment and, together with Philipp, triaged all the
crashes. Kudos to them for the heavy lifting!