Abstract
Android applications are extremely popular, as they are widely used for banking, social media, e-commerce, etc. Such applications typically leverage a series of Permissions, which serve as a convenient abstraction for mediating access to security-sensitive functionality within the Android Ecosystem, e.g., sending data over the Internet. However, several malicious applications have recently deployed attacks such as data leaks and spurious credit card charges by abusing the Permissions granted initially to them by unaware users in good faith. To alleviate this pressing concern, we present DyPolDroid, a dynamic and semi-automated security framework that builds upon Android Enterprise, a device-management framework for organizations, to allow for users and administrators to design and enforce so-called Counter-Policies, a convenient user-friendly abstraction to restrict the sets of Permissions granted to potential malicious applications, thus effectively protecting against serious attacks without requiring advanced security and technical expertise. Additionally, as a part of our experimental procedures, we introduce Laverna, a fully operational application that uses permissions to provide benign functionality at the same time it also abuses them for malicious purposes. To fully support the reproducibility of our results, and to encourage future work, the source code of both DyPolDroid and Laverna is publicly available as open-source.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
We assumed that apps are installed only from Google Play and not from any other stores
References
Android Authority. (2020). Report: Hundreds of apps have hidden tracking software used by the government. https://www.androidauthority.com/government-tracking-apps-1145989/. Accessed 14 Sept 2022.
Android Developers Reference. (2022). Manifest.permission. https://developer.android.com/reference/android/Manifest.permission. Accessed 14 Sept 2022.
Arora, A., Peddoju, S. K., & Conti, M. (2020). Permpair: Android malware detection using permission pairs. IEEE Transactions on Information Forensics and Security, 15, 1968–1982.
Au, K.W.Y., Zhou, Y.F., Huang, Z., et al. (2012). Pscout: Analyzing the android permission specification. In Proceedings of the 2012 ACM Conf. on computer and communications security, New York, NY, USA, CCS ’12, pp. 217–228.
Backes, M., Bugiel, S., Derr, E., et al. (2016). On demystifying the android application framework: Re-visiting android permission specification analysis. In Proceedings of the 25th USENIX Conf. on security symposium, USA, SEC’16, pp. 1101–1118.
Bartel, A., Klein, J., Le Traon, Y., et al. (2012). Automatically securing permission-based software by reducing the attack surface: an application to android. In 2012 Proc. of the 27th IEEE/ACM international Conf. on automated software engineering (pp. 274–277).
Calciati, P., & Gorla, A. (2017). How do apps evolve in their permission requests? A preliminary study. In 2017 IEEE/ACM 14th Int. Conf. on mining software repositories (MSR) (pp. 37–41).
Chung, F.D., Kuhn, D., et al. (2019). Guide to attribute based access control (abac) definition and considerations. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=927500. Accessed 14 Sept 2022.
Dawoud, A., & Bugiel, S. (2019). Droidcap: Os support for capability-based permissions in android. In Proc. of the network and distributed system security symposium (NDSS) 2019.
Diamantaris, M., Papadopoulos, E. P., Markatos, E. P., et al. (2019). Reaper: Real-time app analysis for augmenting the android permission system, ACM New York NY, USA, CODASPY ’19, pp. 37–48.
Drupal. (2021). Xposed module repository. https://repo.xposed.info/. Accessed 14 Sept 2022.
Enck, W. (2020). Analysis of access control enforcement in android. In Proc. of the 25th ACM symposium on access control models and technologies. ACM, New York, NY, USA, SACMAT ’20, pp. 117–118.
Felt, A.P., Chin, E., Hanna, S., et al. (2011). Android permissions demystified. In Proceedings of the 18th ACM Conf. on computer and communications security. ACM, New York, NY, USA, CCS ’11, pp. 627–638.
Felt, A.P., Ha, E., Egelman, S., et al. (2012a). Android permissions: User attention, comprehension, and behavior. In Proc. of the Eighth Symp. on usable privacy and Sec. ACM, New York, NY, USA.
Felt, A.P., Ha, E., Egelman, S., et al. (2012b). Android permissions: user attention, comprehension, and behavior. In Proceedings of the eighth symposium on usable privacy and security, pp. 1–14.
Gao, H., Cheng, S., & Zhang, W. (2021). Gdroid: Android malware detection and classification with graph convolutional network. Computers & Security, 106–102, 264.
Gasparis, I., Qian, Z., Song, C., et al. (2017). Detecting android root exploits by learning from root providers. In 26th USENIX security symposium (pp. 1129–1144). USENIX Association.
Google. (2021a). Android enterprise. https://www.android.com/enterprise/. Accessed 14 Sept 2022.
Google. (2021b). Permissions on android. https://developer.android.com/guide/topics/permissions/overview. Accessed 14 Sept 2022.
Hill, M., & Rubio-Medrano, C. E. (2021). DyPolDroid Github Repository. https://github.com/sefcom/DyPolDroid. Accessed 14 Sept 2022.
IETF OAuth Working Group. (2022). OAuth 2.0. https://oauth.net/2/. Accessed 14 Sept 2022.
Mahindru, A., & Sangal, A. (2021). Mldroid—framework for android malware detection using machine learning techniques. Neural Computing and Applications, 33(10), 5183–5240.
OASIS Standard. (2013). eXtensible Access control markup language (XACML) Version 3.0. (2013, January 22). http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html. Accessed 14 Sept 2022.
Paderborn University. (2022). Soot - A framework for analyzing and transforming Java and Android applications. http://soot-oss.github.io/soot/. Accessed 14 Sept 2022.
PC Magazine. (2020). Android users need to manually remove these 16 infected apps. https://www.pcmag.com/news/android-users-need-to-manually-remove-these-17-infected-apps. Accessed 14 Sept 2022.
Ramachandran, S., Dimitri, A., Galinium, M., et al. (2017). Understanding and granting android permissions: A user survey. In 2017 Int. Carnahan Conf. on security technology (ICCST) (pp. 1–6).
Rubio-Medrano, C.E., Jogani, S., Leitner, M., et al. (2019). Effectively enforcing authorization constraints for emerging space-sensitive technologies. In Proc. of the 24th ACM symposium on access control models and technologies. ACM, New York, NY, USA, SACMAT ’19, pp. 195–206.
Rubio-Medrano, C.E., Hill, M., Claramunt, L., et al. (2020a). DyPolDroid: Protecting Users and Organizations Against Permission-Abuse Attacks in Android. In Proceedings of the international conference on secure knowledge management in the artificial intelligence Era. Springer.
Rubio-Medrano, C.E., Hill, M., Claramunt, L., et al. (2020b). Poster: DyPolDroid: protecting users and organizations against permission-abuse attacks in android. In Proceedings of the 6th IEEE european symposium on security and privacy. IEEE.
Seraj, S., Khodambashi, S., Pavlidis, M., et al. (2022). Hamdroid: permission-based harmful android anti-malware detection using neural networks. Neural Computing and Applications, pp. 1–10.
Shao, Y., Ott, J., Chen, Q. A., et al. (2016). Kratos: Discovering inconsistent security policy enforcement in the android framework. In Proc. of the network and distributed system security symposium (NDSS) 2016.
Slavin, R., Wang, X., Hosseini, M. B., et al. (2016). Toward a framework for detecting privacy policy violations in android application code. In Proceedings of the 38th international Conf. on software engineering, New York, NY, USA, ICSE ’16, pp. 25–36.
Steven Arzt. (2022). FlowDroid data flow analysis tool. https://github.com/secure-software-engineering/FlowDroid/. Accessed 14 Sept 2022.
Sunday Express. (2020). Android’s biggest issue is far worse than we ever imagined, new research proves. https://www.express.co.uk/life-style/science-technology/1362551/Android-Google-Play-Store-malware-problem-researc. Accessed 14 Sept 2022.
The New York Times. (2020). The lesson we’re learning from TikTok? It’s all about our data. https://www.nytimes.com/2020/08/26/technology/personaltech/tiktok-data-apps.html. Accessed 14 Sept 2022.
Vallée-Rai, R., Co, P., Gagnon, E., et al. (1999). Soot - a java bytecode optimization framework. In Proceedings of the 1999 conference of the Centre for advanced studies on collaborative research. IBM Press, CASCON ’99, pp. 13.
Vidas, T., Votipka, D., & Christin, N. (2011). All your droid are belong to us: A survey of current android attacks. In Proceedings of the 5th USENIX Conf. on offensive technologies. USENIX Association, USA, WOOT’11, pp. 10.
Wang, H., Guo, Y., Tang, Z., et al. (2015). Reevaluating android permission gaps with static and dynamic analysis. In 2015 IEEE global communications Conf. (GLOBECOM) (pp. 1–6).
Wei, X., Gomez, L., Neamtiu, I., et al. (2012). Permission evolution in the android ecosystem. In Proc. of the 28th annual computer security applications Conf. ACM, New York, NY, USA, ACSAC ’12, pp. 31–40.
Wired. (2020). A barcode scanner app with millions of downloads goes rogue. https://www.wired.com/story/barcode-scanner-app-millions-downloads-goes-rogue/. Accessed 14 Sept 2022.
Wu, S., & Liu, J. (2019). Overprivileged permission detection for android applications. In ICC 2019 - 2019 IEEE Int. Conf. on communications (ICC) (pp. 1–6).
Zachariah, R., Akash, K., Yousef, M. S., et al. (2017). Android malware detection a survey. In 2017 IEEE Int. Conf. on circuits and systems (ICCS) (pp. 238–244).
ZDNet. (2020). Play Store identified as main distribution vector for most Android malware. https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/. Accessed 14 Sept 2022.
Zhang, Y., Yang, M., Xu, B., et al. (2013). Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the 2013 ACM SIGSAC Conf. on computer and communications security. ACM, New York, NY, USA, CCS ’13, pp. 611–622.
Zhauniarovich, Y., Ahmad, M., Gadyatskaya, O., et al. (2015). Stadyna: Addressing the problem of dynamic code updates in the security analysis of android applications. In Proc. of the 5th ACM conf. on data and application security and privacy. ACM, New York, NY, USA, pp. 37–48.
Zhu, D.Y., Jung, J., Song, D., et al. (2011). Tainteraser: Protecting sensitive data leaks using application-level taint tracking. SIGOPS Operating Systems Review, 45(1), 142–154.
Zungur, O., Suarez-Tangil, G., Stringhini, G., et al. (2019). Borderpatrol: Securing byod using fine-grained contextual information. In 2019 49th Annual IEEE/IFIP Int, Conf. on dependable systems and networks (DSN) (pp. 460–472).
Acknowledgements
This work is partially supported by a grant from the Institute for Information & Communications Technology Promotion(IITP) grant funded by the Korea government (MSIT) (No. 2017-0-00168, Automatic Deep Malware Analysis Technology for CyberThreat Intelligence), a grant from the Center for Cybersecurity and Digital Forensics (CDF) at Arizona State University, and a startup funds grant from Texas A&M University - Corpus Christi.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of Interests
All authors declare that they have no conflicts of interest.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Matthew Hill is an independent researcher.
Rights and permissions
Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Rubio-Medrano, C.E., Soundrapandian, P.K.D., Hill, M. et al. DyPolDroid: Protecting Against Permission-Abuse Attacks in Android. Inf Syst Front 25, 529–548 (2023). https://doi.org/10.1007/s10796-022-10328-8
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10796-022-10328-8