Professional Documents
Culture Documents
Permission-Based Android Security: Issues and Countermeasures
Permission-Based Android Security: Issues and Countermeasures
Permission-Based Android Security: Issues and Countermeasures
Android Security
Depending on the features, the system might grant the permission automatically
or might prompt the user to approve the request.
The access to sensitive user data (such as contact and SMS), as well as certain
system features (such as camera and internet) may lead to leakage of users
private information stored in smartphones.
Then the paper highlights that the android permission model is not entirely secure
and can be bypassed or exploited by attackers, leading to various security threats.
Due to insufficient control of cooperation among application and poor
documentation on how to use various permissions. The other reason is if the
permission request is much more then user has to either grant all permissions an
application requests or abort the installation process, instead of granting the
permissions one by one. This and other issues will be discussed in the paper.
Finally the paper to investigate some of the existing solution to address the issues
and discussed the future work.
Issues in android
permission framework
Cont…
Android security issues divided into two categories: direct issues and indirect issues.
Direct issues may lead to leakage of user private information or financial losses directly.
On the other hand, the indirect issues can be used as stepping stones in launching attacks to
Android smartphones.
Direct issues include over-claim of permissions, permission escalation attack and TOCTOU
attack.
Indirect issues: Coarse granularity of
permissions
Coarse granularity of permissions refers to a situation where an application
requests a broad permission that gives it access to a lot of data, when a
more specific permission would be more appropriate.
What risk he or she would face when approving the permission request?
Incompetent permission administration
Direct Issues: Over-claim of permissions
Over-claim of permissions occurs when an application requests more permissions than it actually needs
to perform its function.
The issue of over-claim of permissions can be categorized into: malicious and unconscious.
● developers tend to request for permissions with names that look relevant to the functionalities
they design, even if the permissions are not actually required;
● developers may request for permissions which should be requested by deputy applications
instead of their own applications;
● developers may make mistakes due to using copy and paste,
TOCTOU ATTACK
It may also exists in Android mainly due to naming collusion. Any two permissions with
the same name string are treated as equivalent even if they belong to unrelated
applications.
Permission escalation attack
The permission escalation attack allow a malicious application to collaborate with other
applications so as to access critical resources without requesting for corresponding
permissions explicitly. In this issue an application with lower permissions is able to
escalate its privileges to gain higher-level permissions than it should have. This could
allow the application to access sensitive data or perform unauthorized actions.
Enhanced designs and implementations
To address these security challenges, the paper then provides several countermeasures to mitigate these
security challenges.