Abstract
A common attack goal on Android phones is to steal private data, which is primarily protected by the permission system. The permission system is therefore more vulnerable to attackers, especially when a phone is rooted (which is common nowadays). On rooted phones, malware is able to run with root privilege. Three weak points of the permission system have been identified, which malware with root privilege can use to carry out various permission escalation attacks. Unrooting a phone can make malware lose root privilege, but it cannot solve the security issues caused by these attacks. In this paper, we present a scheme that aims at patching up the three weak points of the permission system. We expect the scheme to be used in the scenario where a user wants to unroot his phone and put it under protection. The scheme can be applied to any version of the Android system. To facilitate the scheme's deployment, we develop an app that does the patching work automatically. Moreover, the evaluation result shows that the scheme is small-footprint and introduces only 1.8% overhead.
This work is supported by National Natural Science Foundation of China grants 70890084/G021102 and 61003274, Strategy Pilot Project of Chinese Academy of Sciences sub-project XDA06010702, and the National High Technology Research and Development Program of China (863 Program, No. 2013AA01A214 and 2012AA013104).
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhang, Z. (2015). Before Unrooting your Android Phone, Patching up Permission System First!. In: Rhee, KH., Yi, J. (eds) Information Security Applications. WISA 2014. Lecture Notes in Computer Science, vol 8909. Springer, Cham. https://doi.org/10.1007/978-3-319-15087-1_4
DOI: https://doi.org/10.1007/978-3-319-15087-1_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15086-4
Online ISBN: 978-3-319-15087-1
eBook Packages: Computer Science, Computer Science (R0)