short-paper

Short paper: a look at smartphone permission models

Authors:
Kathy Wain Yee Au

University of Toronto, Toronto, ON, Canada

University of Toronto, Toronto, ON, Canada
View Profile

,
Yi Fan Zhou

University of Toronto, Toronto, ON, Canada

University of Toronto, Toronto, ON, Canada
View Profile

,
Zhen Huang

University of Toronto, Toronto, ON, Canada

University of Toronto, Toronto, ON, Canada
View Profile

,
Phillipa Gill

University of Toronto, Toronto, ON, Canada

University of Toronto, Toronto, ON, Canada
View Profile

,
David Lie

University of Toronto, Toronto, ON, Canada

University of Toronto, Toronto, ON, Canada
View Profile

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devicesOctober 2011Pages 63–68https://doi.org/10.1145/2046614.2046626

Published:17 October 2011Publication History

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices

Pages 63–68

ABSTRACT

Many smartphone operating systems implement strong sandboxing for 3rd party application software. As part of this sandboxing, they feature a permission system, which conveys to users what sensitive resources an application will access and allows users to grant or deny permission to access those resources. In this paper we survey the permission systems of several popular smartphone operating systems and taxonomize them by the amount of control they give users, the amount of information they convey to users and the level of interactivity they require from users. We discuss the problem of permission overdeclaration and devise a set of goals that security researchers should aim for, as well as propose directions through which we hope the research community can attain those goals.

References

D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. A methodology for empirical analysis of permission-based security models and its application to Android. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), Oct. 2010. Google ScholarDigital Library
W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), Nov. 2009. Google ScholarDigital Library
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011), Oct. 2011. Google ScholarDigital Library
A. P. Felt, K. Greenwood, and D. Wagner. The effectiveness of application permissions. In Proceedings of the 2nd USENIX Conference on Web Application Development, June 2011. Google ScholarDigital Library
A. P. Felt, H. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In Proceedings of the 20th USENIX Security Symposium, Aug. 2011. Google ScholarDigital Library
P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. "These aren't the droids you're looking for": Retrofitting Android to protect data from imperious applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011), Oct. 2011. Google ScholarDigital Library
K. Noyes. Why Android app security is better than for the iPhone. PC World Magazine, 2011. http://www.pcworld.com/businesscenter/article/202758/why_android_app_security_is_better_than_for_the_iphone.html (accessed August 19, 2011).Google Scholar
M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in Android. In Proceedings of the 25nd Annual Computer Security Applications Conference (ACSAC), Dec. 2009. Google ScholarDigital Library
senk9. How to control Android app permissions (Root/CM7). http://senk9.wordpress.com/2011/06/19/how-to-control-android-app-permis%sions-rootcm7/ (accessed August 19, 2011).Google Scholar
R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan. Soot - a Java bytecode optimization framework. In Proceedings of the 1999 conference of the Centre for Advanced Studies on Collaborative research, CASCON '99, page 13. IBM Press, 1999. Google ScholarDigital Library
Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming information-stealing smartphone applications (on Android). In Proceedings of the 4th International Conference on Trust and Trustworthy Computing (TRUST 2011), June 2011. Google ScholarDigital Library

Index Terms

Short paper: a look at smartphone permission models
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Information flow control
    2. Operating systems security

Recommendations

Android permissions demystified
CCS '11: Proceedings of the 18th ACM conference on Computer and communications security

Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. ...
Read More
PScout: analyzing the Android permission specification
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Modern smartphone operating systems (OSs) have been developed with a greater emphasis on security and protecting privacy. One of the mechanisms these systems use to protect users is a permission system, which requires developers to declare what ...
Read More
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
SP '12: Proceedings of the 2012 IEEE Symposium on Security and Privacy

Modern client platforms, such as iOS, Android, Windows Phone, Windows 8, and web browsers, run each application in an isolated environment with limited privileges. A pressing open problem in such systems is how to allow users to grant applications ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
October 2011
96 pages
ISBN:9781450310000
DOI:10.1145/2046614
General Chair:
Xuxian Jiang
North Carolina State University
,
Program Chairs:
Amiya Bhattacharya
Arizona State University
,
Partha Dasgupta
Arizona State University
,
William Enck
North Carolina State University
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 17 October 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
permissions
smartphone
Qualifiers
- short-paper
Conference

Acceptance Rates
Overall Acceptance Rate46of139submissions,33%
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 45
  Total Citations
  View Citations
- 1,057
  Total Downloads
- Downloads (Last 12 months)30
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Short paper: a look at smartphone permission models

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices

ABSTRACT

References

Cited By

Index Terms

Recommendations

Android permissions demystified

PScout: analyzing the Android permission specification

User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems