DOI: 10.1145/2897845.2897914
Research article

revDroid: Code Analysis of the Side Effects after Dynamic Permission Revocation of Android Apps

Published: 30 May 2016

Abstract

Dynamic revocation of permissions of installed Android applications has been gaining popularity because of increasing concern about security and privacy on the Android platform. However, applications often crash or misbehave when their permissions are revoked, rendering them completely unusable. Even though Google has officially introduced a new permission mechanism in Android 6.0 to explicitly support dynamic permission revocation, the issue still exists. In this paper, we conduct an empirical study to understand the latest application practice after Android 6.0. Specifically, we design a practical tool, referred to as revDroid, to help us empirically analyze how often undesirable side effects, especially application crashes, occur in off-the-shelf Android applications. From the analysis of 248 popular applications from the Google Play Store, revDroid finds that 70% of applications and 46% of permission-relevant calls do not appropriately catch the exceptions caused by permission revocation, whereas third-party libraries pay much more attention to permission revocation. We also use revDroid to analyze 132 recent malware samples. The result shows that only 27% of malware samples and 36% of permission-relevant API calls in malware fail to consider permission revocation. In fact, many of them perform specialized handling of permission revocation to keep the core malicious logic running. Finally, revDroid can be used to help developers uncover unhandled permission revocations during development and greatly improve application quality.
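The side effect the abstract describes is an uncaught SecurityException at a permission-relevant API call. The following Android activity is an added example, not code from the paper or from the revDroid tool: it places the unguarded call pattern that revDroid would flag beside a version that checks the permission at the call site, requests it through the Android 6.0 runtime-permission API if it is missing, and still catches SecurityException as a last line of defence. The package name, the activity name, the request code and the "count contacts" task are assumptions made for the illustration; the Android and AndroidX APIs used (ContextCompat.checkSelfPermission, ActivityCompat.requestPermissions, onRequestPermissionsResult, ContactsContract) are real.

```java
// Added example (not from the revDroid paper): an unguarded permission-relevant
// call beside a version that survives dynamic permission revocation.
package example.revocation;   // hypothetical package name

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.util.Log;

import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class ContactsActivity extends Activity {
    private static final String TAG = "ContactsActivity";
    private static final int REQ_READ_CONTACTS = 1001;   // arbitrary request code (assumption)

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        loadContactsSafely();
    }

    // The pattern revDroid reports as unhandled: the app was granted READ_CONTACTS
    // earlier and assumes it still holds. After the user revokes it in Settings,
    // query() throws SecurityException, nothing catches it, and the app crashes.
    private int countContactsUnguarded() {
        Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        int n = (c == null) ? 0 : c.getCount();
        if (c != null) c.close();
        return n;
    }

    // Hardened entry point: check at the call site, not only at startup, because
    // the grant can change between launches of the app.
    private void loadContactsSafely() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                != PackageManager.PERMISSION_GRANTED) {
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.READ_CONTACTS}, REQ_READ_CONTACTS);
            return;                         // continue in onRequestPermissionsResult
        }
        Log.i(TAG, "contacts available: " + countContactsGuarded());
    }

    // Same query, but the exception revocation produces is caught and the
    // feature degrades (returns -1) instead of taking the whole app down.
    private int countContactsGuarded() {
        Cursor c = null;
        try {
            c = getContentResolver().query(
                    ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
            return (c == null) ? 0 : c.getCount();
        } catch (SecurityException e) {
            Log.w(TAG, "READ_CONTACTS not held; contact count unavailable", e);
            return -1;
        } finally {
            if (c != null) c.close();
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
                                           @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_CONTACTS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            Log.i(TAG, "contacts available: " + countContactsGuarded());
        } else {
            // User declined: the contacts feature is disabled, the rest of the app keeps working.
            Log.i(TAG, "READ_CONTACTS declined; contacts feature disabled");
        }
    }
}
```

The guarded version combines two independent defences. The checkSelfPermission test handles the common case and lets the app ask for the permission again, while the catch block covers any path on which the permission state has changed since it was last checked; revDroid's 70% figure counts applications that have neither around at least one permission-relevant call.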



      Published In

      ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
      May 2016
      958 pages
      ISBN: 9781450342339
      DOI: 10.1145/2897845
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Publication History

      Published: 30 May 2016

      Author Tags

      1. android security
      2. permission over-claim
      3. permission revocation
      4. revdroid

      Qualifiers

      • Research-article

      Funding Sources

      • National Natural Science Foundation of China

      Conference

      ASIA CCS '16

      Acceptance Rates

      ASIA CCS '16 Paper Acceptance Rate 73 of 350 submissions, 21%;
      Overall Acceptance Rate 418 of 2,322 submissions, 18%


      Cited By

      • (2023) Characterizing and Finding System Setting-Related Defects in Android Apps. IEEE Transactions on Software Engineering, 49(4):2941-2963. DOI: 10.1109/TSE.2023.3236449. Online publication date: 1 Apr 2023.
      • (2023) Runtime Permission Issues in Android Apps: Taxonomy, Practices, and Ways Forward. IEEE Transactions on Software Engineering, 49(1):185-210. DOI: 10.1109/TSE.2022.3148258. Online publication date: 1 Jan 2023.
      • (2022) Aper. Proceedings of the 44th International Conference on Software Engineering, pages 125-137. DOI: 10.1145/3510003.3510074. Online publication date: 21 May 2022.
      • (2022) Android Custom Permissions Demystified: A Comprehensive Security Evaluation. IEEE Transactions on Software Engineering, 48(11):4465-4484. DOI: 10.1109/TSE.2021.3119980. Online publication date: 1 Nov 2022.
      • (2021) Examining Power Use and the Privacy Paradox between Intention vs. Actual Use of Mobile Applications. Proceedings of the 2021 European Symposium on Usable Security, pages 223-235. DOI: 10.1145/3481357.3481513. Online publication date: 11 Oct 2021.
      • (2021) Enhancing Trustability of Android Applications via User-Centric Flexible Permissions. IEEE Transactions on Software Engineering, 47(10):2032-2051. DOI: 10.1109/TSE.2019.2941936. Online publication date: 1 Oct 2021.
      • (2021) RTPDroid: Detecting Implicitly Malicious Behaviors Under Runtime Permission Model. IEEE Transactions on Reliability, 70(3):1295-1308. DOI: 10.1109/TR.2021.3078628. Online publication date: Sep 2021.
      • (2021) Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. 2021 IEEE Symposium on Security and Privacy (SP), pages 70-86. DOI: 10.1109/SP40001.2021.00070. Online publication date: May 2021.
      • (2021) Source Code Analysis for Mobile Applications for Privacy Leaks. 2021 IEEE Madras Section Conference (MASCON), pages 1-6. DOI: 10.1109/MASCON51689.2021.9563443. Online publication date: 27 Aug 2021.
      • (2021) Detecting Permission Crashes of Android Apps using Crawling and Revoke Operation Injections. 2021 28th Asia-Pacific Software Engineering Conference Workshops (APSEC Workshops), pages 47-51. DOI: 10.1109/APSECW53869.2021.00019. Online publication date: Dec 2021.
