Unravelling Security Issues of Runtime Permissions in Android

Journal of Hardware and Systems Security

Abstract

Mobile computing has come to dominate human-computer interaction and users' Internet access over the last few years. At the same time, smartphones are equipped with an ever-growing number of sensors that realize context awareness while accompanying their users throughout their daily lives. As a result, these highly sophisticated, multi-modal devices handle a surprisingly large amount of data, much of it private and sensitive. To control access to these data, operating systems provide dedicated permission mechanisms, often placed under the user's control. The Android permission model has changed radically over the last few years in an effort to become more flexible and to protect users more effectively. This work presents a thorough analysis of the new Android permission architecture, accompanied by a critique of its advantages and disadvantages based on a number of disclosed security issues.
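As an added illustration of the runtime model the abstract refers to (example code written for this page, not code from the paper), the following Activity requests the "dangerous" CAMERA permission at runtime on Android 6.0 (API 23) and later, and re-checks it immediately before every use. The class name, the request code and the camera placeholder are assumptions of the example; the ContextCompat and ActivityCompat calls are the standard AndroidX helpers.

```java
// Added example (not from the paper): runtime permission request on Android 6.0+.
// Assumes a minimal AndroidX Activity; CameraActivity, REQ_CAMERA and useCamera()
// are placeholders chosen for this example.
import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.widget.Toast;

import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class CameraActivity extends AppCompatActivity {

    // Request code chosen by this example; any int unique within the app works.
    private static final int REQ_CAMERA = 0x43;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        openCameraIfAllowed();
    }

    private void openCameraIfAllowed() {
        // Check at the moment of use, not only once at startup: under the runtime
        // model the user can revoke a permission from Settings at any time, and the
        // process may be killed and restarted without it.
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            useCamera();
            return;
        }

        if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.CAMERA)) {
            // The user denied once before: explain in-app why the permission is
            // needed (the system dialog itself carries no app-specific rationale).
            Toast.makeText(this, "Camera access is needed to scan the code.",
                    Toast.LENGTH_LONG).show();
        }
        // Shows the system permission dialog; the answer arrives asynchronously.
        ActivityCompat.requestPermissions(
                this, new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
                                           @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CAMERA) {
            return;
        }
        // grantResults is empty when the request was interrupted: treat as denied.
        boolean granted = grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED;
        if (granted) {
            useCamera();
        } else {
            // Degrade gracefully; never re-prompt in a loop.
            Toast.makeText(this, "Camera unavailable without permission.",
                    Toast.LENGTH_SHORT).show();
        }
    }

    private void useCamera() {
        // Placeholder for the actual camera work.
    }
}
```

Two caveats a practitioner should keep in mind: the permission must still be declared in the manifest with `<uses-permission android:name="android.permission.CAMERA"/>`, and the runtime dialog only applies to apps whose targetSdkVersion is 23 or higher; an app targeting an older SDK is still granted its declared permissions at install time, which is why an app's target SDK matters when judging how much protection the runtime model actually gives.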



Funding

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704). The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.

Author information

Corresponding author

Correspondence to Constantinos Patsakis.


Cite this article

Alepis, E., Patsakis, C. Unravelling Security Issues of Runtime Permissions in Android. J Hardw Syst Secur 3, 45–63 (2019). https://doi.org/10.1007/s41635-018-0053-2
