论文信息 - Android Security Permissions - Can We Trust Them?

Android Security Permissions - Can We Trust Them?

The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.

[1] Patrick D. McDaniel,et al. Semantically rich application-centric security in Android , 2012 .

[2] Patrick D. McDaniel,et al. Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[3] Rebecca Montanari,et al. What's on Users' Minds? Toward a Usable Smart Phone Security Model , 2009, IEEE Pervasive Computing.

[4] Yuval Elovici,et al. Google Android: A Comprehensive Security Assessment , 2010, IEEE Security & Privacy.

[5] Xinwen Zhang,et al. Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.