
Assisting Developers in Preventing Permissions Related Security Issues in Android Applications

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1462))

Abstract

Permission-related attacks are a widespread security issue in the Android environment. Permission misuse enables attackers to steal an application's rights and perform malicious actions. While most existing solutions are approached from the end-user's perspective, in this paper we take the developer's perspective, because security should be a software design concern. We propose a formal specification covering permission use by the current developers of Android applications, who are mostly third-party developers. We state a set of security properties and then formally verify them by applying a Model Driven Reverse Engineering approach that enables abstraction and property verification. We implement the analysis approach as an IDE plug-in called PermDroid. Finally, we show the applicability of our approach through a case study.





Corresponding author

Correspondence to Mohammed El Amin Tebib.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Tebib, M.E.A., André, P., Aktouf, OEK., Graa, M. (2021). Assisting Developers in Preventing Permissions Related Security Issues in Android Applications. In: Adler, R., et al. Dependable Computing - EDCC 2021 Workshops. EDCC 2021. Communications in Computer and Information Science, vol 1462. Springer, Cham. https://doi.org/10.1007/978-3-030-86507-8_13


  • DOI: https://doi.org/10.1007/978-3-030-86507-8_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86506-1

  • Online ISBN: 978-3-030-86507-8

  • eBook Packages: Computer Science (R0)
