Curbing Android Permission Creep

The Android platform has about 130 application level permissions that govern access to resources. The determination of which permissions to request is left solely to the application developer. Users are prompted to approve all application permissions at install time, and permissions are silently enforced at execution time. Although many applications make use of a wide range of permissions, we have observed that some applications request permissions that are not required for the application to execute, and that existing developer APIs make it difficult for developers to align their permission requests with application functionality. In this paper we describe a tool we developed to assist developers in utilizing least privilege.

[1]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[2]  Alessandro Acquisti,et al.  Privacy and rationality in individual decision making , 2005, IEEE Security & Privacy.

[3]  Sahin Albayrak,et al.  Enhancing security of linux-based android devices , 2008 .

[4]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[5]  Toshiaki Tanaka,et al.  Towards Formal Analysis of the Permission-Based Security Model for Android , 2009, 2009 Fifth International Conference on Wireless and Mobile Communications.

[6]  Sahin Albayrak,et al.  Static Analysis of Executables for Collaborative Malware Detection on Android , 2009, 2009 IEEE International Conference on Communications.

[7]  Avik Chaudhuri,et al.  Language-based security on Android , 2009, PLAS '09.

[8]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[9]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[10]  Yuval Elovici,et al.  Securing Android-Powered Mobile Devices Using SELinux , 2010, IEEE Security & Privacy.

[11]  Yuval Elovici,et al.  Google Android: A Comprehensive Security Assessment , 2010, IEEE Security & Privacy.

[12]  Adam Barth,et al.  Protecting Browsers from Extension Vulnerabilities , 2010, NDSS.

[13]  Patrick D. McDaniel,et al.  Porscha: policy oriented secure content handling in Android , 2010, ACSAC '10.

[14]  Paul C. van Oorschot,et al.  A methodology for empirical analysis of permission-based security models and its application to android , 2010, CCS '10.