DOI: 10.1145/2420950.2420956

Permission evolution in the Android ecosystem

Published: 3 December 2012

ABSTRACT

Android uses a system of permissions to control how apps access sensitive devices and data stores. Unfortunately, we have little understanding of how Android permissions have evolved since their inception in 2008. Is the permission model allowing the Android platform and apps to become more secure? In this paper, we present arguably the first long-term study centered on both permission evolution and permission usage across the entire Android ecosystem (platform, third-party apps, and pre-installed apps). First, we study the Android platform to see how the set of permissions has evolved; we find that this set tends to grow, and that the growth is not aimed at providing finer-grained permissions but rather at offering access to new hardware features; a particular concern is that the set of Dangerous permissions is increasing. Second, we study third-party and pre-installed Android apps to examine whether they follow the principle of least privilege. We find that they do not: an increasing percentage of the popular apps we study are overprivileged, i.e., they request permissions their code does not need, and apps tend to use more permissions over time. Third, we highlight some concerns with pre-installed apps, i.e., apps that vendors ship with the phone; these apps have access to, and use, a larger set of higher-privileged permissions, which poses security and privacy risks. At the risk of oversimplification, we conclude that the Android ecosystem is not becoming more secure from the user's point of view. Our study derives four recommendations for improving Android security and suggests the need to revisit the practices and policies of the ecosystem.
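As an added illustration of the two measurements the abstract describes, overprivilege against the principle of least privilege and the share of Dangerous permissions an app requests, the following Python script is an example written for this page; it is not the paper's own tooling or data. It parses a constructed AndroidManifest.xml, classifies each requested permission with an assumed protection-level table (a handful of real permission names whose levels are an illustrative snapshot; INTERNET in particular has been reclassified across platform releases), and compares the requested set against the permissions implied by a constructed map of framework calls found in the app's code. The manifest, the API-to-permission map, the package name and the call list are all assumptions for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed protection-level table: a small subset of real permission names with
# illustrative levels. Levels have changed between platform releases (INTERNET
# in particular), so treat this as a constructed snapshot, not platform data.
PROTECTION_LEVEL = {
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.VIBRATE": "normal",
}

# Constructed API-to-permission map: which permission a framework call needs.
# A real analysis would derive this from the platform; this is an assumption.
API_PERMISSIONS = {
    "android.hardware.Camera.open": {"android.permission.CAMERA"},
    "android.telephony.SmsManager.sendTextMessage": {"android.permission.SEND_SMS"},
    "android.location.LocationManager.requestLocationUpdates": {
        "android.permission.ACCESS_FINE_LOCATION"},
    "java.net.HttpURLConnection.connect": {"android.permission.INTERNET"},
    "android.net.ConnectivityManager.getActiveNetworkInfo": {
        "android.permission.ACCESS_NETWORK_STATE"},
}

# Constructed manifest for a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Constructed list of framework calls found in the app's code (e.g. from a
# disassembly); the camera is the only privileged hardware the app touches.
SAMPLE_API_CALLS = [
    "android.hardware.Camera.open",
    "java.net.HttpURLConnection.connect",
]


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)}


def protection_histogram(perms):
    """Count requested permissions per protection level ('unknown' if unmapped)."""
    return Counter(PROTECTION_LEVEL.get(p, "unknown") for p in perms)


def required_permissions(api_calls):
    """Union of the permissions implied by the framework calls the code makes."""
    needed = set()
    for call in api_calls:
        needed |= API_PERMISSIONS.get(call, set())
    return needed


def overprivilege_report(manifest_xml, api_calls):
    """Compare declared permissions against the ones the code actually needs.

    'unused' permissions violate least privilege (the app is overprivileged);
    'missing' permissions would surface as a SecurityException at runtime.
    """
    requested = requested_permissions(manifest_xml)
    needed = required_permissions(api_calls)
    unused = requested - needed
    return {
        "requested": requested,
        "needed": needed,
        "unused": unused,
        "unused_dangerous": {p for p in unused
                             if PROTECTION_LEVEL.get(p) == "dangerous"},
        "missing": needed - requested,
        "overprivileged": bool(unused),
    }


if __name__ == "__main__":
    report = overprivilege_report(SAMPLE_MANIFEST, SAMPLE_API_CALLS)
    print("protection levels:", dict(protection_histogram(report["requested"])))
    for key in ("needed", "unused", "unused_dangerous", "missing"):
        print("%-17s %s" % (key + ":", sorted(report[key])))
    print("overprivileged:", report["overprivileged"])
```

Run against the constructed app, the report flags READ_CONTACTS and SEND_SMS as unused Dangerous permissions: exactly the least-privilege violation the abstract calls overprivilege. Repeating the histogram over the manifests of one app's successive releases, or over the platform's own permission list per API level, gives the growth curves the paper tracks; the precision of the overprivilege verdict depends entirely on how complete the API-to-permission map is, which is why it is labelled an assumption here.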


Published in

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012, 464 pages
ISBN: 9781450313124
DOI: 10.1145/2420950

Copyright © 2012 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 3 December 2012

Qualifiers: research-article

Acceptance rates: ACSAC '12 paper acceptance rate 44 of 231 submissions (19%); overall acceptance rate 104 of 497 submissions (21%).