Stowaway, a tool that detects overprivilege in compiled Android applications, is built and finds that about one-third of applications are overprivileged.
Abstract:
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.
TL;DR: Systematize or characterize existing Android malware from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software.
TL;DR: DREBIN is proposed, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone and outperforms several related approaches and detects 94% of the malware with few false alarms.
TL;DR: It is found that current Android permission warnings do not help most users make correct security decisions, however, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension.
TL;DR: A permissionbased behavioral footprinting scheme to detect new samples of known Android malware families and a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families are proposed.
TL;DR: An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves.
TL;DR: It is found that current Android permission warnings do not help most users make correct security decisions, however, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension.
TL;DR: The Kirin security service for Android is proposed, which performs lightweight certification of applications to mitigate malware at install time and indicates that security configuration bundled with Android applications provides practical means of detecting malware.
TL;DR: A horizontal study of popular free Android applications uncovered pervasive use/misuse of personal/ phone identifiers, and deep penetration of advertising and analytics networks, but did not find evidence of malware or exploitable vulnerabilities in the studied applications.
TL;DR: This work examines Android application interaction and identifies security risks in application components and provides a tool, ComDroid, that detects application communication vulnerabilities and found 34 exploitable vulnerabilities.
TL;DR: Experimental results indicate that feedback-directed random test generation can outperform systematic and undirectedrandom test generation, in terms of coverage and error detection.
Q1. What contributions have the authors mentioned in the paper "Android permissions demystified" ?
The authors study Android applications to determine whether Android developers follow least privilege with their permission requests. The authors investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.
Q2. What are the common native method parameters?
Many native method parameters are integers that represent pointers to objects in native code, making it difficult to supply correct parameters.
Q3. What other packages provide access to the Internet?
Applications can access the Internet through the Android API, but other packages such as java.net and org.apache also provide Internet access.
Q4. What is the prevalence of reflection in Android?
The prevalence of reflection indicates that it is important for an Android static analysis tool to handle Java reflection, even if the static analysis tool is not intended for obfuscated or malicious code.
Q5. What did the authors do to test the permissions needed to receive system broadcast Intents?
In order to test the permissions needed to receive system broadcast Intents, the authors triggered system broadcasts by sending and receiving text messages, sending and receiving phone calls, connecting and disconnecting WiFi, connecting and disconnecting Bluetooth devices, etc.
Q6. Why are developers incentivized to ask for unnecessary permissions?
Developers are incentivized to ask for unnecessary permissions because applications will not receive automatic updates if the updated version of the application requests more permissions [15].
Q7. How many classes require permissions to instantiate an object?
Of these classes, only 8 require permissions to instantiate an object, and 4 require permissions only for the object constructor.
Q8. Why did Randoop fail to provide permission checks in the first phase?
The uncovered portion of the API is due to native calls and the omission of second-phase tests for packages that did not yield permission checks in the first phase.
Q9. How many applications were not resolved by Stowaway?
This left us with 105 applications with reflective calls that Stowaway could not resolve or dismiss, which is 12% of the 900 applications.
Q10. What are the types of tests that the authors created to test the permissions of API methods?
When confirming permissions for potentially asynchronous or order-dependent API calls, the authors also created confirmation test cases for related methods in the pertinent class that were not initially associated with permission checks.