Dissecting Residual APIs in Custom Android ROMs

Zeinab El-Rewini, Yousra Aafer
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
Publication date: 2021-11-12
DOI: https://doi.org/10.1145/3460120.3485374
Citations: 3

Abstract

Many classic software vulnerabilities (e.g., Heartbleed) are rooted in unused code. In this work, we aim to understand whether unused Android functionality may similarly open unnecessary attack opportunities. Our study focuses on OEM-introduced APIs, which are added and removed erratically through different device models and releases. This instability contributes to the production of bloated custom APIs, some of which may not even be used on a particular device. We call such unused APIs Residuals. In this work, we conduct the first large-scale investigation of custom Android Residuals to understand whether they may lead to access control vulnerabilities. Our investigation is driven by the intuition that it is challenging for vendor developers to ensure proper protection of Residuals. Since they are deemed unnecessary, Residuals are naturally overlooked during integration and maintenance. This is particularly exacerbated by the complexities of Android's ever-evolving access control mechanism. To facilitate the study at large, we propose a set of analysis techniques that detect and evaluate Residuals' access control enforcement. Our techniques feature a synergy between application and framework program analysis to recognize potential Residuals in specially curated ROM samples. The Residual implementations are then statically analyzed to detect potential evolution-induced access control vulnerabilities. Our study reveals that Residuals are prevalent among OEMs. More importantly, we find that their presence may even lead to security-critical vulnerabilities.