Mobile Safe, and Terminal Emulator on Android. Moreover,
we showed that our four IFL attacks can be launched remotely,
without implanting malicious apps in victims’ smartphones.
This remote attack capability significantly increases the
impact of the IFL attacks. Finally, we analyzed the differences
between Android and iOS in terms of the IFL attacks’ impacts
and proposed several methods to mitigate the attacks.
Acknowledgements. We thank all three anonymous
reviewers for their helpful comments. This work was partially
supported by a grant (ref. no. ITS/073/12) from the Innovation
Technology Fund in Hong Kong.
Additional materials. We will provide supplementary
materials, such as detailed vulnerability reports, at this link
(https://daoyuan14.github.io/pp/most15.html).