Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era

  • Conference paper
  • Security, Privacy, and Applied Cryptography Engineering (SPACE 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10662)

Abstract

Billions of hand-held devices are used globally on a daily basis. The main reasons for their wide adoption are the introduction of various sensors, which have completely reshaped user interaction standards, and the development of myriads of applications that provide various services to users. Because these applications are used daily and a wealth of information can be deduced from the sensors, a lot of private and sensitive information can be leaked unless access control is applied to the installed applications. In Android, this control was applied upon installation of each application, when the user was asked to grant the requested permissions. However, this policy has changed in the latest versions, which allow users to revoke permissions and to grant “dangerous” permissions on demand. In this work we illustrate several flaws in the new permission architecture that can be exploited to gain more access to sensitive user data than the user considers to have granted.



Acknowledgments

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704). The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.

Corresponding author

Correspondence to Constantinos Patsakis.


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Alepis, E., Patsakis, C. (2017). Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era. In: Ali, S., Danger, J.L., Eisenbarth, T. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2017. Lecture Notes in Computer Science, vol 10662. Springer, Cham. https://doi.org/10.1007/978-3-319-71501-8_4


  • DOI: https://doi.org/10.1007/978-3-319-71501-8_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71500-1

  • Online ISBN: 978-3-319-71501-8

  • eBook Packages: Computer Science (R0)
