Hey, You, Get Off of My Image: Detecting Data Residue in Android Images

Android’s data cleanup mechanism has been called into question with the recently discovered data residue vulnerability. However, the existing study only focuses on one particular Android version and demands heavy human involvement. In this project, we aim to fill the gap by providing a comprehensive understanding of the data residue situation across the entire Android ecosystem. To this end, we propose ANRED1, an ANdroid REsidue Detector that performs static analysis on Android framework bytecode and automatically quantifies the risk for each identified data residue instance within collected system services. The design of ANRED has overcome several challenges imposed by the special characteristic of Android framework and data residue vulnerability. We have implemented ANRED in WALA and further evaluated it against 606 Android images. The analysis results have demonstrated the effectiveness, efficiency and reliability of ANRED. In particular, we have confirmed the effect of vendor customization and version upgrade on data residue vulnerability. We have also identified five new data residue instances that have been overlooked in the previous study, leading to data leakage and privilege escalation attacks.