CCS2017

Vulnerable Implicit Service: A Revisit

Lingguang Lei, Yi He, Kun Sun, Jiwu Jing, Yuewu Wang, Qi Li, Jian Weng

5 citations

Abstract

The services in Android applications can be invoked either explicitly or implicitly before Android 5.0. However, since the implicit service invocations suffer service hijacking attacks and thus lead to sensitive information leakage, they have been forbidden since Android 5.0. Thereafter, since the Android system will simply throw an exception and crash the application that still invokes services implicitly, it was expected that application developers will be forced to convert the implicit service invocations to explicit ones by specifying the package name of the service to be called. In this paper, we revisit the service invocations by analyzing two sets of the same 1390 applications downloaded from Google Play Store before and after the implicit service forbidden policy is enforced. We develop a static analysis framework called ISA to perform our study. Our analysis results show that the forbidden policy effectively reduces the number of vulnerable service invocations from 643 to 112, namely, 82.58% reduction. However, after a detailed analysis of the remaining 112 vulnerable invocations, we discover that the forbidden policy fails to resolve the service hijacking attacks. Among the 1390 applications downloaded in May 2017, we find 36 popular applications still vulnerable to service hijacking attacks, which can lead to the loss of user bank account and VPN login credentials, etc. Moreover, we find that the forbidden policy introduces a new type of denial of service attacks. Finally, we discuss the root challenges on resolving service hijacking attacks and propose countermeasures to help mitigate the service hijacking attacks.