Abstract
The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Enck, W., Ongtang, M., McDaniel, P.: Understanding Android Security. IEEE Security and Privacy 7, 50–57 (2009)
Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 328–332. ACM (2010)
Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically Rich Application-Centric Security in Android. In: 2009 Annual Computer Security Applications Conference, pp. 340–349 (December 2009)
Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google Android: A Comprehensive Security Assessment. IEEE Security & Privacy Magazine 8(2), 35–44 (2010)
Toninelli, A., Montanari, R., Lassila, O., Khushraj, D.: What’s on Users’ Minds? Toward a Usable Smart Phone Security Model. IEEE Pervasive Computing 8(2), 32–39 (2009)
Vennon, T., Stroop, D.: Android Market: Threat Analysis of the Android Market (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Orthacker, C. et al. (2012). Android Security Permissions – Can We Trust Them?. In: Prasad, R., Farkas, K., Schmidt, A.U., Lioy, A., Russello, G., Luccio, F.L. (eds) Security and Privacy in Mobile Information and Communication Systems. MobiSec 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 94. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30244-2_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-30244-2_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30243-5
Online ISBN: 978-3-642-30244-2
eBook Packages: Computer ScienceComputer Science (R0)