Sleeping Android: The Danger of Dormant Permissions

James Sellwood, Jason Crampton

Research output: Chapter in Book/Report/Conference proceedingConference contribution

124 Downloads (Pure)

Abstract

An Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require and these permissions must be authorized by the user of the device when the app is installed. Permissions, and the tools that are used to manage them, form the basis of the Android permission architecture, which is an essential part of the access control services provided by the Android platform.

We have analyzed the evolution of the Android permission architecture across six versions of the Android platform, identifying various changes which have occurred during that period and a considerable amount of information about the permission architecture which is not included in the Android documentation. Using this information, we have identified a weakness in the way that the Android platform handles app permissions during platform upgrades. We explain how this weakness may be exploited by a developer to produce malicious software which the average user is unlikely to detect. We conclude with a discussion of potential mitigation techniques for this weakness, highlighting concerns drawn from other research in this area.
Original languageEnglish
Title of host publicationProceedings of the ACM Conference on Computer and Communications Security
PublisherACM
Pages55-66
Number of pages12
ISBN (Print)9781450324915
DOIs
Publication statusPublished - 8 Nov 2013
Event3rd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2013, Held in Association with the 20th ACM Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: 8 Nov 20138 Nov 2013

Conference

Conference3rd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2013, Held in Association with the 20th ACM Conference on Computer and Communications Security, CCS 2013
Country/TerritoryGermany
CityBerlin
Period8/11/138/11/13

Keywords

  • android
  • authorization
  • malware
  • permission architecture
  • permissions
  • privacy

Cite this