论文信息 - Reevaluating Android Permission Gaps with Static and Dynamic Analysis

Reevaluating Android Permission Gaps with Static and Dynamic Analysis

Recent studies on the Android permission system have found that there exists a permission gap between the requested permissions and permissions actually used in an Android app. However, current approaches face some challenges when detecting such permission gaps in Android apps due to the limitation of static analysis techniques. This paper proposes a novel approach to detect permission gaps in Android apps and determine the precise set of permissions that an app needs to run correctly. Our approach includes a static analysis technique to extract permission usage information from API invocations, and a dynamic testing technique to test and monitor the runtime permission usage behaviors of apps. By combining static analysis and dynamic testing, our approach can detect significantly more permission usage information compared to static analysis, indicating that our approach could improve the detection accuracy and reduce the false positives in permission gap detection. We have implemented a prototype to study more than 1,000 popular apps from Google Play. The results show that our approach could detect on average 30% more permissions that are used in apps, while more than 8% of the overprivileged apps detected by previous approaches are false positives.

Haoyu Wang | Zihao Tang | Yao Guo | Xiangqun Chen | Guangdong Bai

[1] Steve Hanna,et al. Android permissions demystified , 2011, CCS '11.

[2] Mukul R. Prasad,et al. Automated testing with targeted event sequence generation , 2013, ISSTA.

[3] Zhen Huang,et al. PScout: analyzing the Android permission specification , 2012, CCS.

[4] Jeannette M. Wing,et al. An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[5] Yves Le Traon,et al. Automatically securing permission-based software by reducing the attack surface: an application to Android , 2012, 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering.

[6] Yajin Zhou,et al. The impact of vendor customizations on android security , 2013, CCS.

[7] Kun Yang,et al. IntentFuzzer: detecting capability leaks of android applications , 2014, AsiaCCS.

[8] Thorsten Holz,et al. Slicing droids: program slicing for smali code , 2013, SAC '13.

[9] Jacques Klein,et al. Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges and Solutions for Analyzing Android , 2014, IEEE Transactions on Software Engineering.

[10] Iulian Neamtiu,et al. Automating GUI testing for Android applications , 2011, AST '11.

[11] Ahmad-Reza Sadeghi,et al. Privilege Escalation Attacks on Android , 2010, ISC.