Sleeping Android: The Danger of Dormant Permissions

James Sellwood, Jason Crampton

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

An Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require and these permissions must be authorized by the user of the device when the app is installed. Permissions, and the tools that are used to manage them, form the basis of the Android permission architecture, which is an essential part of the access control services provided by the Android platform.

We have analyzed the evolution of the Android permission architecture across six versions of the Android platform, identifying various changes which have occurred during that period and a considerable amount of information about the permission architecture which is not included in the Android documentation. Using this information, we have identified a weakness in the way that the Android platform handles app permissions during platform upgrades. We explain how this weakness may be exploited by a developer to produce malicious software which the average user is unlikely to detect. We conclude with a discussion of potential mitigation techniques for this weakness, highlighting concerns drawn from other research in this area.
Original language: English
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Publisher: ACM
Pages: 55-66
Number of pages: 12
ISBN (Print): 9781450324915
Publication status: Published - 8 Nov 2013
Event: 3rd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2013, Held in Association with the 20th ACM Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: 8 Nov 2013 to 8 Nov 2013

Conference

Conference: 3rd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2013, Held in Association with the 20th ACM Conference on Computer and Communications Security, CCS 2013
Country/Territory: Germany
City: Berlin
Period: 8/11/13 to 8/11/13

Keywords

  • android
  • authorization
  • malware
  • permission architecture
  • permissions
  • privacy
