Abstract
Android applications are extremely popular, as they are widely used for banking, social media, e-commerce, etc. Such applications typically leverage a series of Permissions, which serve as a convenient abstraction for mediating access to security-sensitive functionality, e.g., sending data over the Internet, within the Android Ecosystem. However, several malicious applications have recently deployed attacks such as data leaks and spurious credit card charges by abusing the Permissions granted initially to them by unaware users in good faith. To alleviate this pressing concern, we present DyPolDroid, a dynamic and semi-automated security framework that builds upon Android Enterprise, a device-management framework for organizations, to allow for users and administrators to design and enforce so-called Counter-Policies, a convenient user-friendly abstraction to restrict the sets of Permissions granted to potential malicious applications, thus effectively protecting against serious attacks without requiring advanced security and technical expertise. Additionally, as a part of our experimental procedures, we introduce Laverna, a fully operational application that uses permissions to provide benign functionality at the same time it also abuses them for malicious purposes. To fully support the reproducibility of our results, and to encourage future work, the source code of both DyPolDroid and Laverna is publicly available as open-source.
Keywords
M. Hill—Independent Researcher.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
ZDNet: Play store identified as main distribution vector for most android malware (2020). https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/
The New York Times: The Lesson We’re Learning From TikTok? It’s All About Our Data (2020). https://www.nytimes.com/2020/08/26/technology/personaltech/tiktok-data-apps.html
Wired: A barcode scanner app with millions of downloads goes rogue (2020). https://www.wired.com/story/barcode-scanner-app-millions-downloads-goes-rogue/
Android Authority: Report: Hundreds of apps have hidden tracking software used by the government (2020). https://www.androidauthority.com/government-tracking-apps-1145989/
Shao, Y., Ott, J., Chen, Q.A., Qian, Z., Mao, Z.: Kratos: discovering inconsistent security policy enforcement in the android framework. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), January 2016
Sunday Express: Android’s biggest issue is far worse than we ever imagined, new research proves (2020). https://www.express.co.uk/life-style/science-technology/1362551/Android-Google-Play-Store-malware-problem-researc
PC Magazine: Android Users Need to Manually Remove These 16 Infected Apps (2020). https://www.pcmag.com/news/android-users-need-to-manually-remove-these-17-infected-apps
Google: Android Enterprise (2021). https://www.android.com/enterprise/
Arora, A., Peddoju, S.K., Conti, M.: PermPair: android malware detection using permission pairs. IEEE Trans. Inf. Forensics Secur. 15, 1968–1982 (2020)
Vidas, T., Votipka, D., Christin, N.: All your droid are belong to us: a survey of current android attacks. In: Proceedings of the 5th USENIX Conference on Offensive Technologies, Series WOOT 2011. USENIX Association, USA, p. 10 (2011)
Zachariah, R., Akash, K., Yousef, M.S., Chacko, A.M.: Android malware detection a survey. In: 2017 IEEE International Conference on Circuits and Systems (ICCS), pp. 238–244 (2017)
Hill, M., Rubio-Medrano, C.E.: DyPolDroid Github Repository (2021). https://github.com/sefcom/DyPolDroid
IEEE: The 6th IEEE European symposium on security and privacy (2021). http://www.ieee-security.org/TC/EuroSP2021/
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, Series CCS 2011, pp. 627–638. ACM, New York (2011)
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security. ACM, New York (2012)
Ramachandran, S., et al.: Understanding and granting android permissions: a user survey. In: 2017 International Carnahan Conference on Security Technology (ICCST), pp. 1–6 (2017)
Google: Permissions on android (2021). https://developer.android.com/guide/topics/permissions/overview
Enck, W.: Analysis of access control enforcement in android. In: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, Series SACMAT 2020, pp. 117–118. ACM, New York (2020)
Wei, X., Gomez, L., Neamtiu, I., Faloutsos, M.: Permission evolution in the android ecosystem. In: Proceedings of the 28th Annual Computer Security Applications Conference, Series ACSAC 2012, pp. 31–40. ACM, New York (2012)
Wang, H., Guo, Y., Tang, Z., Bai, G., Chen, X.: Reevaluating android permission gaps with static and dynamic analysis. In: 2015 IEEE Global Communications Conference (GLOBECOM), pp. 1–6 (2015)
Calciati, P., Gorla, A.: How do apps evolve in their permission requests? a preliminary study. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 37–41 (2017)
Wu, S., Liu, J.: Overprivileged permission detection for android applications. In: ICC 2019-2019 IEEE International Conference on Communications (ICC), pp. 1–6 (2019)
Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., Crispo, B., Massacci, F.: Stadyna: addressing the problem of dynamic code updates in the security analysis of android applications. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 37–48. ACM, New York (2015)
Zhang, Y., et al.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, Series CCS 2013, pp. 611–622. ACM, New York (2013)
OASIS Standard: eXtensible Access Control Markup Language (XACML) Version 3.0, 22 January 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
Zhu, D.Y., Jung, J., Song, D., Kohno, T., Wetherall, D.: TaintEraser: protecting sensitive data leaks using application-level taint tracking. SIGOPS Oper. Syst. Rev. 45(1), 142–154 (2011)
Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps, Series PLDI 2014, pp. 259–269. ACM, New York (2014)
Slavin, R., et al.: Toward a framework for detecting privacy policy violations in android application code. In: Proceedings of the 38th International Conference on Software Engineering, Series ICSE 2016, pp. 25–36, New York (2016)
Dawoud, A., Bugiel, S.: DroidCap: OS support for capability-based permissions in android. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2019)
Zungur, O., Suarez-Tangil, G., Stringhini, G., Egele, M.: BorderPatrol: securing BYOD using fine-grained contextual information. In: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2019)
Drupal: Xposed Module Repository (2021). https://repo.xposed.info/
Gasparis, I., Qian, Z., Song, C., Krishnamurthy, S.V.: Detecting android root exploits by learning from root providers. In: 26th USENIX Security Symposium. Vancouver, BC: USENIX Association, pp. 1129–1144, August 2017. https://www.usenix.org/Conf./usenixsecurity17/technical-sessions/presentation/gasparis
Diamantaris, M., Papadopoulos, E.P., Markatos, E.P., Ioannidis, S., Polakis, J.: REAPER: real-time app analysis for augmenting the android permission system, Series CODASPY 2019, pp. 37–48. ACM, New York (2019)
Backes, M., Bugiel, S., Derr, E., McDaniel, P., Octeau, D., Weisgerber, S.: On demystifying the android application framework: Re-visiting android permission specification analysis. In: Proceedings of the 25th USENIX Conference on Security Symposium, Series SEC 2016, pp. 1101–1118 (2016)
Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, Series CCS 2012, pp. 217–228, New York (2012)
Acknowledgments
This work is partially supported by a grant from the National Science Foundation (NSF-SFS-1129561), a grant from the Center for Cybersecurity and Digital Forensics at Arizona State University, and by a startup funds grant from Texas A&M University – Corpus Christi.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Rubio-Medrano, C.E., Hill, M., Claramunt, L.M., Baek, J., Ahn, GJ. (2022). DyPolDroid: Protecting Users and Organizations from Permission-Abuse Attacks in Android. In: Krishnan, R., Rao, H.R., Sahay, S.K., Samtani, S., Zhao, Z. (eds) Secure Knowledge Management In The Artificial Intelligence Era. SKM 2021. Communications in Computer and Information Science, vol 1549. Springer, Cham. https://doi.org/10.1007/978-3-030-97532-6_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-97532-6_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-97531-9
Online ISBN: 978-3-030-97532-6
eBook Packages: Computer ScienceComputer Science (R0)