Proceedings ArticleDOI
PScout: analyzing the Android permission specification
Kathy Wain Yee Au,Yi Fan Zhou,Zhen Huang,David Lie +3 more
- pp 217-228
Reads0
Chats0
TLDR
An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves.Abstract:
Modern smartphone operating systems (OSs) have been developed with a greater emphasis on security and protecting privacy. One of the mechanisms these systems use to protect users is a permission system, which requires developers to declare what sensitive resources their applications will use, has users agree with this request when they install the application and constrains the application to the requested resources during runtime. As these permission systems become more common, questions have risen about their design and implementation. In this paper, we perform an analysis of the permission system of the Android smartphone OS in an attempt to begin answering some of these questions. Because the documentation of Android's permission system is incomplete and because we wanted to be able to analyze several versions of Android, we developed PScout, a tool that extracts the permission specification from the Android OS source code using static analysis. PScout overcomes several challenges, such as scalability due to Android's 3.4 million line code base, accounting for permission enforcement across processes due to Android's use of IPC, and abstracting Android's diverse permission checking mechanisms into a single primitive for analysis.We use PScout to analyze 4 versions of Android spanning version 2.2 up to the recently released Android 4.0. Our main findings are that while Android has over 75 permissions, there is little redundancy in the permission specification. However, if applications could be constrained to only use documented APIs, then about 22% of the non-system permissions are actually unnecessary. Finally, we find that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permission specification as the Android OS evolves.read more
Citations
More filters
Proceedings ArticleDOI
Security Analysis of Emerging Smart Home Applications
TL;DR: This paper analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks, and discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps.
Proceedings ArticleDOI
Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs
TL;DR: A novel semantic-based approach that classifies Android malware via dependency graphs that is capable of detecting zero-day malware with a low false negative rate and an acceptable false positive rate while tolerating minor implementation differences is proposed.
Proceedings ArticleDOI
Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps
TL;DR: Amandroid as mentioned in this paper is a static analysis for security vetting of Android apps, and built a general framework called Amandroid for determining points-to information for all objects in an Android app in a flow-and context-sensitive way across Android apps components.
Proceedings ArticleDOI
Checking app behavior against app descriptions
TL;DR: Applied on a set of 22,500+ Android applications, the CHABADA prototype identified several anomalies and flagged 56% of novel malware as such, without requiring any known malware patterns.
Journal ArticleDOI
Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps
TL;DR: Amandroid's analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on Android runtime system and its library.
References
More filters
Journal ArticleDOI
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
William Enck,Peter Gilbert,Seungyeop Han,Vasant Tendulkar,Byung-Gon Chun,Landon P. Cox,Jaeyeon Jung,Patrick McDaniel,Anmol Sheth +8 more
TL;DR: TaintDroid as mentioned in this paper is an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data by leveraging Android's virtualized execution environment.
Proceedings ArticleDOI
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
William Enck,Peter Gilbert,Byung-Gon Chun,Landon P. Cox,Jaeyeon Jung,Patrick McDaniel,Anmol Sheth +6 more
TL;DR: Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, this work found 68 instances of misappropriation of users' location and device identification information across 20 applications.
Proceedings ArticleDOI
Android permissions demystified
TL;DR: Stowaway, a tool that detects overprivilege in compiled Android applications, is built and finds that about one-third of applications are overprivileged.
Proceedings ArticleDOI
Lazy abstraction
TL;DR: This work presents an algorithm for model checking safety properties using lazy abstraction and describes an implementation of the algorithm applied to C programs and provides sufficient conditions for the termination of the method.
Proceedings ArticleDOI
Soot: a Java bytecode optimization framework
TL;DR: Soot, a framework for optimizing Java* bytecode, is implemented in Java and supports three intermediate representations for representing Java bytecode: Baf, a streamlined representation of bytecode which is simple to manipulate; Jimple, a typed 3-address intermediate representation suitable for optimization; and Grimp, an aggregated version of Jimple suitable for decompilation.