Zero permission android applications - attacks and defenses

Google advertises the Android permission framework as one of the core security features present on its innovative and flexible mobile platform. The permissions are a means to control access to restricted APIs and system resources. However, there are Android applications which do not request permissions at all. In this paper, we analyze the repercussions of installing an Android application that does not include any permission and the types of sensitive information that can be accessed by such an application. We found that even applications with no permissions are able to access sensitive information (such as the device ID) and transmit it to third parties.
