Permission in Android Security: Threats and solution

Threats and Solution

Permission in Android Security

Tandhy Simanjuntak

Permissions in Android Security:Threats and Solutions

Permissions Threats

Solutions Conclusion and Future Work

Permissions Allow apps to access resources

Limited access to resources

Installation time

User approval

System Permissions

URI Permissions

Self-declare Permissions

Permissions Type

System Permissions

URI Permissions


Permissions Type

Owned by system

Allow access to system resources

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" ><uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.INTERNET" /></manifest>

System Permissions

URI Permissions


Permissions Type

version name Version number

API Level Total Permissions

KitKat 4.4 19 145Jelly Bean 4.3 18 134

4.2 17 1304.1 16 130

Ice Cream Sandwich 4.0.3 15 1244.0 14 122

Honeycomb 3.2 13 1173.1 12 1163.0 11 116

Gingerbread 2.3.4 10 1152.3.3 9 115

Froyo 2.2 8 112

System Permissions

URI Permissions


Permissions Type

Owned by system

Allow access to data without grant permission to access content provider

Email app and document/pdf reader app

System Permissions

URI Permissions


Permissions Type

Owned by apps

Allow processes to access apps resources

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.me.app.myapp" > <permission android:name="com.me.app.myapp.permission.CHANGE_ROOT_PASSWD" android:label="@string/label_changeRootPasswd" android:description="@string/description_changeRootPasswd" android:permissionGroup="android.permission-group.PERSONAL_INFO" android:protectionLevel="dangerous" /></manifest>

Normal

Dangerous

Signature

Signature or System

Permissions Protection Level

Permissions Request Flow

1. Install an app2. System check permissions in

AndroidManifest.xml

3. System ask user for approval

User Approve ?

System grants all permissions

System cancel the installation

System continue to installation process and App is installed

System denies all permissions

No

Yes

Permissions Threats

Permission Re-delegation

Over-privilege

Permission inheritance

Permissions Threats

A: an App

No INTERNET permission

B: another App

INTERNET permission

A: Malicious App

No INTERNET permission

Android System ServicesIN

TERN

ET

Reje

cted

B: Vulnerable App

INTERNET permission

INTERNET

INTE

RNET

Acce

pted

AcceptedPermission Re-delegation

Over-privilege


Permissions Threats

Flashlight App

Permission list:FLASHLIGHTINTERNETACCESS_FINE_LOCATIONREAD_CONTACT

B: Social Media App

Permission list:INTERNETACCESS_FINE_LOCATIONREAD_CONTACTREAD_PROFILECAMERA

Over Privilege App


Over-privilege


Flashlight App

Permission list:FLASHLIGHT

Social Media App

Permission list:INTERNETACCESS_FINE_LOCATIONREAD_CONTACTREAD_PROFILECAMERA

UID: 0123-4567-8910 UID: 0123-4567-8910

Permissions Threats

Flashlight App

Permission list:FLASHLIGHTINTERNETACCESS_FINE_LOCATIONREAD_CONTACTREAD_PROFILECAMERA

UID: 0123-4567-8910

Social Media App

Permission list:INTERNETACCESS_FINE_LOCATIONREAD_CONTACTREAD_PROFILECAMERAFLASHLIGHT

UID: 0123-4567-8910


Over-privilege


Solutions Permission Re-delegation

Over-privilege


Solutions Type of solution

• System modification / Hook modification and services• Android services• Non-android application

Implementation level• System/Kernel• Application• Separate system

Run-time mode• Static• Dynamic


Over-privilege


Solutions Name Type of Solution Implementation Running mode

IPC Inspection System modification System Dynamic

Quire System modification System Dynamic

Solutions Name Type of Solution Implementation Running mode

Webifest Manifest file Application Static

Stowaway Non-android apps Separate system Static

Pscout Non-android apps Separate system Static

RefineDroid Non-android apps Separate system Static

Mr. Hide Android service Application Dynamic

Dr. Android Non-android apps Separate system Static

Apex System modification System Static

SAINT System modification System Static and Dynamic

Analysis Tool Non-android apps Separate system Static


Over-privilege


Solutions

Sign with different keys

• Android apps• Application• Static


Over-privilege


Solutions -Complete Matrix

Threats Proposed Solution Type of Solution Implementation Level Solution Running mode Ref


IPC Inspection System modification System level Dynamic [9]

Quire System modification System level Dynamic [18]

Over Privilege Webifest website manifest file Application level Static [11]

Stowaway Non-android application Separate system Static [12]

PScout Non-android application Separate system Static [13]

RefineDroid Non-android application Separate system Static [14]

Mr. Hide Android service Application level Dynamic [14]

Dr. Android Non-android application Separate system Static [14]

Apex System modification System level Static [20]

SAINT System modification System level Static and Dynamic [17]

Static analysis tool Non-android application Separate system Static [23]


Sign apps with different keys

android apps Application level Static [16]

Conclusion 3 threats found

Numbers of solutions

Different implementation level

Future Work Combination of solutions

Are solutions implemented?

Cost matrix of solutions: performance, speed, power consumption, complexity

Permission in Android Security: Threats and solution

Devices & Hardware

Transcript of Permission in Android Security: Threats and solution