Prison Break of Android Reflection Restriction and Defense

Java reflection technique is pervasively used in the Android system. To reduce the risk of reflection abuse, Android restricts the use of reflection at the Android Runtime (ART) to hide potentially dangerous methods/fields. We perform the first comprehensive study of the reflection restrictions and have discovered three novel approaches to bypass the reflection restrictions. Novel reflection-based attacks are also presented, including the password stealing attack. To mitigate the threats, we analyze these restriction bypassing approaches and find three techniques crucial to these approaches, i.e., double reflection, memory manipulation, and inline hook. We propose a defense mechanism that consists of classloader double checker, ART variable protector, and ART method protector, to prohibit the reflection restriction bypassing. Finally, we design and implement an automatic reflection detection framework and have discovered 5,531 reflection powered apps out of 100,000 downloaded apps, which are installed on our defense enabled Android system of a Google Pixel 2 to evaluate the effectiveness and efficiency of our defense mechanism. Extensive empirical experiment results demonstrate that our defense enabled system can accurately obstruct the malicious reflection attempts.