Permlyzer: Analyzing permission usage in Android applications

As one of the most popular mobile platforms, the Android system implements an install-time permission mechanism to provide users with an opportunity to deny potential risky permissions requested by an application. In order for both users and application vendors to make informed decisions, we designed and built Permlyzer, a general-purpose framework to automatically analyze the uses of requested permissions in Android applications. Permlyzer leverages the combination of runtime analysis and static examination to perform an accurate and in-depth analysis. The call stack-based analysis in Permlyzer can provide fine-grained information of the permission uses from various aspects include location, cause and purpose. More importantly, Permlyzer can automatically explore the functionality of an application and analyze the permission uses. Our evaluation using 51 malware/spyware families and over 110,000 Android applications demonstrates that Permlyzer can provide detailed permission use analysis and discover the characteristics of the permission uses in both benign and malicious applications.

[1]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[2]  Manu Sridharan,et al.  TAJ: effective taint analysis of web applications , 2009, PLDI '09.

[3]  Byung-Gon Chun,et al.  Vision: automated security validation of mobile apps at app markets , 2011, MCS '11.

[4]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[5]  Yajin Zhou,et al.  RiskRanker: scalable and accurate zero-day android malware detection , 2012, MobiSys '12.

[6]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[7]  Peter Druschel,et al.  Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles , 2011, SOSP 2011.

[8]  David A. Wagner,et al.  Analyzing inter-application communication in Android , 2011, MobiSys '11.

[9]  Alastair R. Beresford,et al.  MockDroid: trading privacy for application functionality on smartphones , 2011, HotMobile '11.

[10]  J. Foster,et al.  SCanDroid: Automated Security Certification of Android , 2009 .

[11]  Swarat Chaudhuri,et al.  A Study of Android Application Security , 2011, USENIX Security Symposium.

[12]  David Wetherall,et al.  Privacy oracle: a system for finding application leaks with black box differential testing , 2008, CCS.

[13]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[14]  Helen J. Wang,et al.  Permission Re-Delegation: Attacks and Defenses , 2011, USENIX Security Symposium.

[15]  Shashi Shekhar,et al.  QUIRE: Lightweight Provenance for Smart Phone Operating Systems , 2011, USENIX Security Symposium.

[16]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[17]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[18]  Ahmad-Reza Sadeghi,et al.  XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks , 2011 .

[19]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[20]  Avik Chaudhuri,et al.  SCanDroid: Automated Security Certification of Android , 2009 .

[21]  Jeremy Andrus,et al.  Cells: a virtual mobile smartphone architecture , 2011, SOSP '11.

[22]  Landon P. Cox,et al.  TightLip: Keeping Applications from Spilling the Beans , 2007, NSDI.

[23]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[24]  Yajin Zhou,et al.  Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets , 2012, NDSS.

[25]  Paul C. van Oorschot,et al.  A methodology for empirical analysis of permission-based security models and its application to android , 2010, CCS '10.

[26]  David A. Wagner,et al.  The Effectiveness of Application Permissions , 2011, WebApps.

[27]  Zhen Huang,et al.  Short paper: a look at smartphone permission models , 2011, SPSM '11.