Permission in Android Security: Threats and solution

Permissions in Android Security:
Threats and Solutions
Permissions
Threats
Solutions
Conclusion and Future Work

Permissions Allow apps to access resources
Limited access to resources
Installation time
User approval

System Permissions
URI Permissions
Self-declare Permissions
Permissions
Type

System
Permissions
URI Permissions
Self-declare
Permissions
Permissions
Type
Owned by system
Allow access to system resources
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.app.myapp" >
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.INTERNET" />
</manifest>

System
Permissions
URI Permissions
Self-declare
Permissions
Permissions
Type
version name Version
number
API Level Total
Permissions
KitKat 4.4 19 145
Jelly Bean 4.3 18 134
4.2 17 130
4.1 16 130
Ice Cream Sandwich 4.0.3 15 124
4.0 14 122
Honeycomb 3.2 13 117
3.1 12 116
3.0 11 116
Gingerbread 2.3.4 10 115
2.3.3 9 115
Froyo 2.2 8 112

System
Permissions
URI Permissions
Self-declare
Permissions
Permissions
Type
Owned by system
Allow access to data without grant
permission to access content provider
Email app and document/pdf reader app

System
Permissions
URI Permissions
Self-declare
Permissions
Permissions
Type
Owned by apps
Allow processes to access apps resources
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.me.app.myapp" >
<permission
android:name="com.me.app.myapp.permission.CHANGE_ROOT_PASSWD"
android:label="@string/label_changeRootPasswd"
android:description="@string/description_changeRootPasswd"
android:permissionGroup="android.permission-group.PERSONAL_INFO"
android:protectionLevel="dangerous" />
</manifest>

Normal
Dangerous
Signature
Signature or System
Permissions
Protection
Level

Permissions
Request
Flow
1. Install an app
2. System check
permissions in
AndroidManifest.xml
3. System ask user
for approval
User
Approve ?
System grants all
permissions
System cancel the
installation
System continue to
installation process
and App is installed
System denies all
permissions
No
Yes

Permissions
Threats
Permission Re-delegation
Over-privilege
Permission inheritance

Permissions
Threats
A: an App
No INTERNET
permission
B: another App
INTERNET permission
A: Malicious App
No INTERNET
permission
Android System Services
INTERNET
Rejected
B: Vulnerable App
INTERNET permission
INTERNET
INTERNET
Accepted
AcceptedPermission
Re-delegation
Over-privilege
Permission
inheritance

Permissions
Threats
Flashlight App
Permission list:
FLASHLIGHT
INTERNET
ACCESS_FINE_LOCATION
READ_CONTACT
B: Social Media App
Permission list:
INTERNET
READ_CONTACT
READ_PROFILE
CAMERA
Over Privilege App
Permission
Re-delegation
Over-privilege
Permission
inheritance

Flashlight App
Permission list:
FLASHLIGHT
Social Media App
Permission list:
INTERNET
READ_CONTACT
READ_PROFILE
CAMERA
UID: 0123-4567-8910 UID: 0123-4567-8910
Permissions
Threats
Flashlight App
Permission list:
FLASHLIGHT
INTERNET
READ_CONTACT
READ_PROFILE
CAMERA
UID: 0123-4567-8910
Social Media App
Permission list:
INTERNET
READ_CONTACT
READ_PROFILE
CAMERA
FLASHLIGHT
UID: 0123-4567-8910
Permission
Re-delegation
Over-privilege
Permission
inheritance

Solutions Permission Re-delegation
Over-privilege
Permission inheritance

Solutions Type of solution
• System modification / Hook modification and services
• Android services
• Non-android application
Implementation level
• System/Kernel
• Application
• Separate system
Run-time mode
• Static
• Dynamic

Permission
Re-delegation
Over-privilege
Permission
inheritance
Solutions Name Type of Solution Implementation Running mode
IPC Inspection System modification System Dynamic
Quire System modification System Dynamic

Solutions Name Type of Solution Implementation Running mode
Webifest Manifest file Application Static
Stowaway Non-android apps Separate system Static
Pscout Non-android apps Separate system Static
RefineDroid Non-android apps Separate system Static
Mr. Hide Android service Application Dynamic
Dr. Android Non-android apps Separate system Static
Apex System modification System Static
SAINT System modification System Static and Dynamic
Analysis Tool Non-android apps Separate system Static
Permission
Re-delegation
Over-privilege
Permission
inheritance

Solutions
Sign with different keys
• Android apps
• Application
• Static
Permission
Re-delegation
Over-privilege
Permission
inheritance

Solutions
-
Complete
Matrix
Threats Proposed Solution Type of Solution Implementation Level Solution Running mode Ref
Permission Re-
delegation
IPC Inspection System modification System level Dynamic [9]
Quire System modification System level Dynamic [18]
Over Privilege Webifest website manifest file Application level Static [11]
Stowaway Non-android application Separate system Static [12]
PScout Non-android application Separate system Static [13]
RefineDroid Non-android application Separate system Static [14]
Mr. Hide Android service Application level Dynamic [14]
Dr. Android Non-android application Separate system Static [14]
Apex System modification System level Static [20]
SAINT System modification System level Static and Dynamic [17]
Static analysis tool Non-android application Separate system Static [23]
Permission
inheritance
Sign apps with different
keys
android apps Application level Static [16]

Conclusio
n 3 threats found
Numbers of solutions
Different implementation level

Future
Work Combination of solutions
Are solutions implemented?
Cost matrix of solutions: performance,
speed, power consumption, complexity

Permission in Android Security: Threats and solution

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Permission in Android Security: Threats and solution

Similaire à Permission in Android Security: Threats and solution (20)

Dernier

Dernier (20)

Permission in Android Security: Threats and solution

Notes de l'éditeur