Fig. 3. Accuracy of Intent Conditions

B. RQ2: Can our tool apply to practical apps?

1) Experiment Results: The analysis results for 439 apps are shown in Table I. For each capability leak, we counted the number of apps that have the capability leak (the App Count column) and the number of the capability leak's points in all apps (the All Count column). There are 2239 capability leaks of 16 kinds of permissions, including some serious capability leaks, such as DISABLE_KEYGUARD, KILL_BACKGROUND_PROCESSES, MODIFY_AUDIO_SETTINGS and so on. Therefore, our tool can detect capability leaks efficiently.

TABLE I. CAPABILITY LEAKS LIST

| Permission | App Count | All Count |
|---|---|---|
| DISABLE_KEYGUARD | 8 | 9 |
| CHANGE_WIFI_MULTICAST_STATE | 1 | 1 |
| SET_WALLPAPER_HINTS | 4 | 4 |
| BROADCAST_STICKY | 84 | 84 |
| ACCESS_FINE_LOCATION | 106 | 180 |
| ACCESS_COARSE_LOCATION | 94 | 157 |
| CHANGE_WIFI_STATE | 3 | 4 |
| ACCESS_NETWORK_STATE | 323 | 1071 |
| GET_TASKS | 216 | 272 |
| WAKE_LOCK | 56 | 81 |
| ACCESS_WIFI_STATE | 227 | 318 |
| MODIFY_AUDIO_SETTINGS | 4 | 4 |
| SET_WALLPAPER | 1 | 1 |
| BLUETOOTH | 7 | 10 |
| READ_PHONE_STATE | 30 | 35 |
| KILL_BACKGROUND_PROCESSES | 7 | 8 |

2) Exploitation Analysis: App A is a popular lock screen app and has been downloaded more than 10 million times. We found that it has a DISABLE_KEYGUARD capability leak. We guessed that there is an illegal login vulnerability. We then used exploits generated by our tool to attack the app, and they helped us pass the lock screen without a password. The attack demo is on YouTube¹. We have informed the app's developers. App B is a cleaning app, whose function is cleaning the phone. We found that it has a KILL_BACKGROUND_PROCESSES capability leak. It may be used by other apps to kill processes. The attack demo is on YouTube². Apart from capability leaks, we found that a lot of apps crashed when we used our exploits to launch them, which is a kind of local denial-of-service attack. These apps must be more robust, as this may be leveraged by other apps for vicious competition. Therefore, our exploits are valid and help users find bugs.

C. RQ3: Runtime Efficiency

Table II presents the average, minimum, and maximum execution time of the static analysis part and the dynamic test part for 439 apps. As shown in Table II, the total average time for each app analysis is less than 4 minutes. The maximum time for static analysis of an app is 5168.494s, which is about 1.43h. 1.43h is a reasonable analysis time for generating highly precise intent test cases, and few apps' static analysis takes more than 16 min in our statistics. Therefore, our optimization for symbolic execution of inter-component capability leak detection is efficient, and our tool meets the requirement of actual use.

TABLE II. EXECUTION TIME

| Period | Average | Minimum | Maximum |
|---|---|---|---|
| Static | 185.228s (3min) | 0.078s | 5168.494s (1.43h) |
| Dynamic | 52.984s | 7.414s | 889.919s (14.82min) |

IV. RELATED WORK

There are many static analysis works for detecting security problems of inter-component communication (for example, [13], [14]). But none of them can determine whether the vulnerability really exists, and developers have to spend much time on vulnerability analysis. Fang Liu et al. [15] proposed MR-Droid to find inter-component communication vulnerabilities among practical apps; it uses a map-reduce system to detect communication vulnerabilities among large-scale apps. The results of the tool are limited by the dataset, and it does not take malicious apps into account. Its result cannot indicate that the detected app is secure. [16] also has this problem.

V. CONCLUSION

We propose an effective tool which can automatically generate exploits for capability leaks in Android applications using symbolic execution and testing. It can aid in reducing false positives of vulnerability analysis and help developers find bugs. Our tool can apply to practical apps because of our optimized symbolic execution. We analyzed 439 apps in Wandoujia and found 2239 capability leaks of 16 kinds of permission.

ACKNOWLEDGMENT

This work is mainly inspired by LetterBomb [17]. This work is supported partly by the National Key R&D Program of China 2018YFB0803400 and National Natural Science Foundation of China (NSFC) under grant 61772487.

¹ https://youtu.be/rWdSiWUy2bc
² https://youtu.be/YE84G4yko0A
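A simplified manifest triage for the capability leaks counted in Table I, added here as an example; it is not the paper's tool, which confirms leaks with symbolic execution and generated test cases. The sample manifest, the `com.example.lockscreen` package and the function names are constructed, and the default-export rule in `is_exported` assumes a manifest targeting a release before Android 12.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# The 16 permissions listed in Table I of this page.
TABLE_I = {
    "DISABLE_KEYGUARD", "CHANGE_WIFI_MULTICAST_STATE", "SET_WALLPAPER_HINTS",
    "BROADCAST_STICKY", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "CHANGE_WIFI_STATE", "ACCESS_NETWORK_STATE", "GET_TASKS", "WAKE_LOCK",
    "ACCESS_WIFI_STATE", "MODIFY_AUDIO_SETTINGS", "SET_WALLPAPER", "BLUETOOTH",
    "READ_PHONE_STATE", "KILL_BACKGROUND_PROCESSES",
}
# Constructed sample manifest (not taken from any app in the study).
SAMPLE_MANIFEST = """<manifest package="com.example.lockscreen"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".UnlockService" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true" android:permission="com.example.lockscreen.permission.INTERNAL"/>
  </application>
</manifest>"""

def is_exported(comp):
    # Explicit android:exported wins; otherwise an intent-filter implies export.
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None

def leak_candidates(manifest_xml):
    # Returns (tag, name, held Table I permissions) per unguarded exported component.
    root = ET.fromstring(manifest_xml)
    names = {p.get(ANDROID + "name", "") for p in root.iter("uses-permission")}
    held = sorted(n[len(PREFIX):] for n in names
                  if n.startswith(PREFIX) and n[len(PREFIX):] in TABLE_I)
    app = root.find("application")
    if app is None or not held:
        return []
    app_guard = app.get(ANDROID + "permission")  # default guard for all components
    found = []
    for tag in ("activity", "service", "receiver"):
        for comp in app.iter(tag):
            guarded = comp.get(ANDROID + "permission") or app_guard
            if is_exported(comp) and not guarded:
                found.append((tag, comp.get(ANDROID + "name"), held))
    return found
```

The launcher activity is reported alongside `.UnlockService`: reachability alone over-approximates, which is the false-positive problem the paper addresses by confirming each candidate with a generated test case.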