Embedded Files
Understanding Hazards of Duplicate Resource Mismediation in Android Software Supply Chain
Malicious third-party libraries have become a major source of security risks to the Android software supply chain. A recent study shows that a malicious library could harvest data from other libraries hosted in the same app via unauthorized access to the libraries’ APIs. However, it remains unexplored whether third-party libraries could still pose a threat to the other libraries after their code and runtime behaviors have been thoroughly vetted for security.
A third-party Android library typically contains diverse resources to support its operations. These resources, together with the other libraries’ resources, are managed by the Android resource compiler (ARC) in the app build process. ARC needs to mediate the resources in cases where multiple libraries have duplicate or incompatible resources.
In this paper, we report a new attack surface on the Android app supply chain: duplicate resource mismediation (Duress). This attack surface opens an opportunity for attackers to contaminate the security- and privacy-sensitive resources of a victim library with a carefully crafted malicious library, by exploiting the intrinsic flaws in the duplicate resource mediation process of ARC. With the attack, an attacker can stealthily mislead the victim library and its users to expose sensitive data, and lower down the security protections of the victim library. Further, we conduct the first systematic study to measure the security impacts of Duress risks. Our study has brought to light the pervasiveness of the Duress risks in third-party libraries: our analysis of over 23K libraries discovered that 18.4% libraries are exposed to the Duress threat, and 25.7% of them have sensitive resources that duplicate resources of other libraries in the wild (causing integration risks). We also identified the presence of real-world attacks in over 400 apps. We made responsible disclosure of Duress risks to Google, and the developers of affected apps. To mitigate the risks, we discuss a lightweight and compile-time mitigation to prevent a malicious library from contaminating the sensitive resources of other libraries using resource isolation.
Major contributions
Major contributions
Discovery of the new attack surface
Discovery of the new attack surface
We discovered a new attack surface on the Android software supply chain, whose build process cannot effectively mediate duplicated resources from different libraries. This opens an opportunity for the adversary to contaminate the supply chain with a carefully crafted library to perform a highly stealthy, cross-library attack, which lowers down a target library’s protection or misleads the target or its users to expose sensitive information.
Understanding of the new threat
Understanding of the new threat
We performed the first systematic study on the impacts of the new threat. Our analysis has brought to light the pervasiveness of the risks on the supply chain and even the presence of real-world attacks, which highlight the importance of elevating security protection of today’s supply chain to address the threat.
Questions?
Questions?
Contact [email] to get more information on the project
Page updated
Google Sites
Report abuse