Vulnerable Implicit Service: A Revisit

The services in Android applications can be invoked either explicitly or implicitly before Android 5.0. However, since the implicit service invocations suffer service hijacking attacks and thus lead to sensitive information leakage, they have been forbidden since Android 5.0. Thereafter since the Android system will simply throw an exception and crash the application that still invokes services implicitly, it was expected that application developers will be forced to convert the implicit service invocations to explicit ones by specifying the package name of the service to be called. In this paper, we revisit the service invocations by analyzing two sets of the same 1390 applications downloaded from Google Play Store before and after the the implicit service forbidden policy is enforced. We develop a static analysis framework called ISA to perform our study. Our analysis results show that the forbidden policy effectively reduces the number of vulnerable service invocations from 643 to 112, namely, 82.58% reduction. However, after a detailed analysis of the remaining 112 vulnerable invocations, we discover that the forbidden policy fails to resolve the service hijacking attacks. Among the 1390 applications downloaded in May 2017, we find 36 popular applications still vulnerable to service hijacking attacks, which can lead to the loss of user bank account and VPN login credentials, etc. Moreover, we find that the forbidden policy introduces a new type of denial of service attacks. Finally, we discuss the root challenges on resolving service hijacking attacks and propose countermeasures to help mitigate the service hijacking attacks.