Permission-Based Android Security: Issues and Countermeasures

Android security is built on a permission-based mechanism that restricts
third-party Android applications' access to critical resources on an
Android device.

Depending on the feature, the system might grant the permission automatically
or might prompt the user to approve the request.

Access to sensitive user data (such as contacts and SMS), as well as to certain
system features (such as camera and internet), may lead to leakage of users'
private information stored on smartphones.

The purpose of permission is to protect the privacy of an Android user.


The paper starts by providing an overview of the Android permission model, which
is a framework that allows users to control access to their device's resources.

The paper then highlights that the Android permission model is not entirely secure
and can be bypassed or exploited by attackers, leading to various security threats.
One reason is insufficient control of cooperation among applications and poor
documentation on how to use the various permissions. Another is that, when an
application requests many permissions, the user has to either grant all the
permissions it requests or abort the installation process, instead of granting the
permissions one by one. This and other issues are discussed in the paper.

Finally, the paper investigates some of the existing solutions that address these
issues and discusses future work.
Issues in Android permission framework
Android security issues are divided into two categories: direct issues and indirect issues.

Direct issues may lead directly to leakage of users' private information or to financial losses.

Indirect issues, on the other hand, can be used as stepping stones in launching attacks on
Android smartphones.

Indirect issues include coarse granularity of permissions, incompetent permission administration,
and insufficient permission documentation.

Direct issues include over-claim of permissions, the permission escalation attack and the TOCTOU
attack.
Indirect issues: Coarse granularity of permissions
Coarse granularity of permissions refers to a situation where an application
requests a broad permission that gives it access to a lot of data, when a
more specific permission would be more appropriate.

Take the INTERNET permission as an example: it allows an application to send
HTTP(S) requests to all domains, and to connect to arbitrary destinations and
ports.

The usage of this permission cannot be restricted or controlled by users. As a
result, a malicious application may camouflage itself as a legitimate
application that genuinely requires Internet access, while misusing that
access without users' acknowledgment.
Insufficient permission documentation
This refers to a lack of clear and comprehensive documentation around an
application's permissions, making it difficult for users to understand what data an app is
accessing and why. Permissions are usually too technical for end users to understand.

Internet permission: FULL INTERNET ACCESS.

What data is the app accessing, and why?

What risk would he or she face when approving the permission request?
Incompetent permission administration
Direct Issues: Over-claim of permissions

Over-claim of permissions occurs when an application requests more permissions than it actually needs
to perform its function.

Over-claim of permissions falls into two categories: malicious and unconscious.

Developers may make wrong decisions because:

● developers tend to request permissions with names that look relevant to the functionalities
they design, even if the permissions are not actually required;
● developers may request permissions which should be requested by deputy applications
instead of their own applications;
● developers may make mistakes when copying and pasting.
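
The over-claim check described above, as an added example (not code from the paper or the slides): it compares the permissions a manifest requests with those implied by the framework calls the app makes. The API-to-permission map, the manifest and the call list are a small constructed sample, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hand-written excerpt of an API-to-permission map (assumption: a real audit
# would load a complete map). Any one permission in a set satisfies the call.
API_PERMISSIONS = {
    "android.telephony.SmsManager.sendTextMessage": {"android.permission.SEND_SMS"},
    "android.hardware.Camera.open": {"android.permission.CAMERA"},
    "java.net.URL.openConnection": {"android.permission.INTERNET"},
    "android.location.LocationManager.getLastKnownLocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed sample: a flashlight app that also asks for contacts and SMS.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
# Constructed list of framework calls found in the app's code.
SAMPLE_API_CALLS = ["android.hardware.Camera.open", "java.net.URL.openConnection"]

def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit(manifest_xml, api_calls):
    """Return (over-claimed permissions, calls lacking a needed permission)."""
    requested = requested_permissions(manifest_xml)
    over_claimed = set(requested)
    unsatisfied = []
    for call in api_calls:
        accepted = API_PERMISSIONS.get(call, set())
        if accepted and not (accepted & requested):
            unsatisfied.append(call)
        over_claimed -= accepted  # any permission the call accepts is justified
    return sorted(over_claimed), unsatisfied

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_API_CALLS))
```
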
TOCTOU ATTACK

This stands for "Time-Of-Check to Time-Of-Use" attack and refers to a vulnerability
where an attacker gains unauthorized access by exploiting the time gap between when
permission for a resource is checked and when the resource is used.

It may also exist in Android, mainly due to naming collision. Any two permissions with
the same name string are treated as equivalent even if they belong to unrelated
applications.
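
A check for the naming collision described above, as an added example (not code from the paper or the slides): it scans a set of manifests for custom permission names declared by more than one package and reports those whose protection levels disagree. The three manifests are constructed and all package, permission and function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MANIFEST_OPEN = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '

# Constructed manifests for three unrelated packages (all names hypothetical).
MANIFESTS = [
    MANIFEST_OPEN + 'package="com.example.bank">'
    '<permission android:name="com.example.bank.READ_BALANCE"'
    ' android:protectionLevel="signature"/></manifest>',
    MANIFEST_OPEN + 'package="com.example.game">'
    '<permission android:name="com.example.bank.READ_BALANCE"/>'
    '<uses-permission android:name="com.example.bank.READ_BALANCE"/></manifest>',
    MANIFEST_OPEN + 'package="com.example.notes">'
    '<permission android:name="com.example.notes.SYNC"/></manifest>',
]

def permission_name_collisions(manifests):
    """Map each permission name declared by 2+ packages to its declarations.

    Each declaration is (package, protectionLevel); an omitted
    android:protectionLevel defaults to "normal".
    """
    declared = defaultdict(list)
    for xml_text in manifests:
        root = ET.fromstring(xml_text)
        for el in root.findall("permission"):
            level = el.get(ANDROID_NS + "protectionLevel", "normal")
            declared[el.get(ANDROID_NS + "name")].append((root.get("package"), level))
    return {name: decls for name, decls in declared.items() if len(decls) > 1}

def conflicting_levels(collisions):
    """Colliding names whose declarations disagree on protection level."""
    return sorted(name for name, decls in collisions.items()
                  if len({level for _, level in decls}) > 1)

if __name__ == "__main__":
    found = permission_name_collisions(MANIFESTS)
    for name, decls in found.items():
        print(name, decls)
    print("conflicting levels:", conflicting_levels(found))
```
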
Permission escalation attack

The permission escalation attack allows a malicious application to collaborate with other
applications so as to access critical resources without explicitly requesting the
corresponding permissions. In this issue, an application with lower permissions is able to
escalate its privileges and gain higher-level permissions than it should have. This could
allow the application to access sensitive data or perform unauthorized actions.
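
A manifest audit for the deputy side of permission escalation, as an added example (not code from the paper or the slides): it lists the permissions an app holds and the exported components that any other app can call without holding a permission. The manifest is constructed, its package and component names are hypothetical, and the default for a missing `android:exported` attribute follows pre-Android 12 behaviour.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Providers are left out: they carry separate read/write permissions.
COMPONENT_TAGS = {"activity", "service", "receiver"}

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsrelay">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".RelayService">
      <intent-filter><action android:name="com.example.smsrelay.SEND"/></intent-filter>
    </service>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="android.permission.SEND_SMS"/>
    <activity android:name=".Settings" android:exported="false"/>
    <receiver android:name=".QueueReceiver">
      <intent-filter><action android:name="com.example.smsrelay.QUEUE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def unguarded_entry_points(manifest_xml):
    """Return (permissions held, exported components with no permission guard)."""
    root = ET.fromstring(manifest_xml)
    held = sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    app = root.find("application")
    if app is None:
        return held, []
    app_guard = app.get(ANDROID_NS + "permission")  # default guard for all components
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(ANDROID_NS + "exported")
        if exported is None:
            # Assumption: pre-Android 12 default, where declaring an
            # intent filter exports the component implicitly.
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and not (comp.get(ANDROID_NS + "permission") or app_guard):
            findings.append((comp.tag, comp.get(ANDROID_NS + "name")))
    return held, findings

if __name__ == "__main__":
    print(unguarded_entry_points(SAMPLE_MANIFEST))
```
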
Enhanced designs and implementations

To address these security challenges, the paper then provides several countermeasures.
