Jiaojiao Fu,Yangfan Zhou,Huan Liu,Yu Kang,Xin Wang

DOI: https://doi.org/10.1109/ISSRE.2017.38

2017-01-01

Abstract:Third-party libraries (3PLs) are widely introduced into Android apps and they typically request permissions for their own functionalities. Current Android systems manage permissions in process (app) granularity. Hence, the host app and the 3PLs share the same permission set. 3PL-apps may therefore introduce security risks. Separating the permission sets of the 3PLs and those of the host app are critical to alleviate such security risks. In this paper, we provide Perman, a tool that allows users to manage permissions of different modules (i.e., a 3PL or the host app) of an app at runtime. Perman relies on dynamic code instrumentation to intercept permission requests, and accordingly provide a policy-based permission control. Unlike existing tools that generally require to redesign 3PL-apps, it can thus be applied to the existing apps in market. We evaluate Perman on real-world apps. The experiment results verify its effectiveness in fine-grained permission management.

Lingfeng Bao,David Lo,Xin Xia,Shanping Li

DOI: https://doi.org/10.1109/sate.2016.13

2016-01-01

Abstract:As Android is one of the most popular open source mobile platforms, ensuring security and privacy of Android applications is very important. Android provides a permission mechanism which requires developers to declare sensitive resources their applications need, and users need to agree with this request when they install (for Android API level 22 or lower) or run (for Android API level 23) these applications. Although Android provides very good official documents to explain how to properly use permissions, unfortunately misuses even for the most popular permissions have been reported. Recently, Karim et al. propose an association rule mining based approach to better infer permissions that an API needs. In this work, to improve the effectiveness of the prior work, we propose an approach which is based on collaborative filtering technique, one of popular techniques used to build recommendation systems. Our approach is designed based on the intuition that apps that have similar features - inferred from the APIs that they use - usually share similar permissions. We evaluate the proposed approaches on 936 Android apps from F-Droid, which is a repository of free and open source Android applications. The experimental results show that our proposed approaches achieve significant improvement in terms of the precision, recall, F1-score and MAP of the top-k results over Karim et al.'s approach.

Yang Luo,Qixun Zhang,Qingni Shen,Hongzhi Liu,Zhonghai Wu

DOI: https://doi.org/10.48550/arXiv.1712.02217

2017-12-06

Abstract:With the expansion of the market share occupied by the Android platform, security issues (especially application security) have become attention focus of researchers. In fact, the existing methods lack the capabilities to manage application permissions without root privilege. This study proposes a dynamic management mechanism of Android application permissions based on security policies. The paper first describes the permissions by security policies, then implementes permission checking code and request evaluation algorithm in Android framework layer. Experimental results indicate that the presented approach succeeds in permission management of Android applications, and its system overhead is low, which makes it an effective method for Android permission management.

Cryptography and Security

Rui Chang,Liehui Jiang,Wenzhi Chen,Hongqi He,Shuiqiao Yang

DOI: https://doi.org/10.1109/cit.2016.14

2016-01-01

Abstract:As the number of smart devices continues to grow dramatically, programmes and data handled by such smart devices have become the primary targets of hackers and malwares. ARM-Android is the most widespread platform for smart devices. Access to privacy-and security-relevant parts of the API is controlled by the corresponding permission in a manifest. However, while requesting access to permissions, these applications may offer opportunities to malicious codes to gain access to other inaccessible resources which will cause a series of security issues. Recently, many researchers focus on the permission-based mechanism which restricts accesses of users and applications to critical resources on an ARM-Android device. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our permission-based security architecture on ARM-Android platform. We propose an usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension. In contrast to previous work, the proposed security architecture provides a flexible mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness in mitigating permission leakage vulnerabilities.

Jun Qiu,Xuewu Yang,Huamao Wu,Yajin Zhou,Jinku Li,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2021.3075817

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Android application (or app) developers increasingly integrate third-party libraries to enrich the functionality of their apps. However, current permission model on Android cannot constrain the behaviors of in-app third-party libraries for allowing them to operate with the same permissions as their host app. This brings serious security and privacy concerns to users. In this article, we propose LibCapsule, a user-level solution to confine third-party libraries from potential permission abuses. Compared to previous systems, LibCapsule is able to provide complete confinement of third-party libraries in Android apps, including the static Java code, dynamically loaded code and native code of third-party libraries. We have developed a prototype of LibCapsule, and collected 204 popular third-party libraries as well as 2,021 apps to evaluate it. The evaluation results indicate that LibCapsule is capable of enforcing complete and fine-grained regulation on third-party libraries according to customized security policies with a low performance overhead. To engage the whole community, we will release the dataset of third-party libraries and apps in our evaluation.

Rui Chang,Liehui Jiang,Wenzhi Chen,Hong-qi He,Shuiqiao Yang,Hang Jiang,Wei Liu,Yong Liu

DOI: https://doi.org/10.1002/cpe.4180

2018-01-01

Abstract:This paper discusses security issues on the user equipment, which is the last mile of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy- and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.

Mike Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2011-01-01

Abstract:Recent years have witnessed increased popularity and adoption of smartphones partially due to the functionalities and convenience offered to their users (e.g., the ability to run third-party applications). To manage the amount of access given to smartphone applications, Android provides a permission-based security model, which requires each application to explicitly request permissions before it can be installed to run. In this paper, we systematically analyze eight flagship Android smartphones from leading manufacturers, including HTC, Motorola, and Samsung and found out that the stock phone images do not properly enforce the permission model. Several privileged permissions that protect the access to sensitive user data and dangerous features on the phones are unsafely exposed to other applications which do not need to request them for the actual use, a security violation termed capability leak in this paper. To facilitate identifying these capability leaks, we take a static analysis approach and have accordingly developed a system called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting these leaked capabilities, an untrusted application can manage to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations on the affected phones – all without the need of asking for any permission.

Yiting Qu,Suguo Du,Shaofeng Li,Yan Meng,Le Zhang,Haojin Zhu

DOI: https://doi.org/10.1109/jiot.2020.3039472

IF: 10.6

2021-05-01

IEEE Internet of Things Journal

Abstract:Mobile applications play a crucial role in the IoT system, which is experiencing unprecedented growth. However, users possessing little knowledge of permission configurations often accept app permission requests without reading them, which opens a backdoor for the potential adversaries to launch the future attacks. Proposing an automatic permission management scheme is an attractive solution to solve this issue, but since users have varying attitudes toward privacy, such a scheme would be neither straightforward nor user friendly. In this study, an automatic permission optimization framework, Permizer, is proposed to recommend different app permission configurations to users with different privacy preferences. Permizer estimates the permission risks and builds the permission-functionality mapping to each app, then regulates the relationship between permission and app functionality. Permizer is the first module to achieve a balance between privacy protection and app functionality under the personal privacy preference condition. Finally, we develop Permizer as a one-button service on the real-world Android OS with 58 apps. Case studies conducted on TikTok and Amazon Alexa also demonstrate its practicability and effectiveness.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jinseong Jeon,Kristopher Micinski,Jeffrey A. Vaughan,Nikhilesh Reddy,Yixin Zhu,Jeffrey S. Foster,Todd Millstein

2011-01-01

Abstract:Google’s Android platform includes a permission model that protects access to sensitive capabilities, such as Internet access, GPS use, and telephony. We have found that Android’s current permissions are often overly broad, providing apps with more access than they truly require. This deviation from least privilege increases the threat from vulnerabilities and malware. To address this issue, we present a novel system that can replace existing platform permissions with finer-grained ones. A key property of our approach is that it runs today, on stock Android devices, requiring no platform modifications. Our solution is composed of two parts: Mr. Hide, which runs in a separate process on a device and provides access to sensitive data as a service; and Dr. Android (Dalvik Rewriter for Android), a tool that transforms existing Android apps to access sensitive resources via Mr. Hide rather than directly through the system. Together, Dr. Android and Mr. Hide can completely remove several of an app’s existing permissions and replace them with finergrained ones, leveraging the platform to provide complete mediation for protected resources. We evaluated our ideas on several popular, free Android apps. We found that we can replace many commonly used “dangerous” permissions with finer-grained permissions. Moreover, apps transformed to use these finer-grained permissions run largely as expected, with reasonable performance overhead.

Michael C. Grace,Yajin Zhou,Zhi Wang,Xuxian Jiang

2012-01-01

Abstract:Recent years have witnessed a meteoric increase in the adoption of smartphones. To manage information and features on such phones, Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run. In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.

Zeqing Guo,Weili Han,Liangxing Liu,Wenyuan Xu,Ruiqi Bu,Minyue Ni

DOI: https://doi.org/10.1145/2752952.2752974

2015-01-01

Abstract:More and more powerful personal smart devices take users, especially the elder, into a disaster of policy administration where users are forced to set personal management policies in these devices. Considering a real case of this issue in the Android security, it is hard for users, even some programmers, to generally identify malicious permission requests when they install a third-party application. Motivated by the popularity of mutual assistance among friends (including family members) in the real world, we propose a novel framework for policy administration, referring to Socialized Policy Administration (SPA for short), to help users manage the policies in widely deployed personal devices. SPA leverages a basic idea that a user may invite his or her friends to help set the applications. Especially, when the size of invited friends increases, the setting result can be more resilient to a few malicious or unprofessional friends. We define the security properties of SPA, and propose an enforcement framework where users' friends can help users set applications without the leakage of friends' preferences with the supports of a privacy preserving mechanism. In our prototype, we only leverage partially homomorphic encryption cryptosystems to implement our framework, because the fully homomorphic encryption is not acceptable to be deployed in a practical service at the moment. Based on our prototype and performance evaluation, SPA is promising to support major types of policies in current popular applications with acceptable performance.

Yutian Tang,Xian Zhan,Hao Zhou,Xiapu Luo,Zhou Xu,Yajin Zhou,Qiben Yan

DOI: https://doi.org/10.1109/ase.2019.00069

2019-01-01

Abstract:Since the performance issues of apps can influence users' experience, developers leverage application performance management (APM) tools to locate the potential performance bottleneck of their apps. Unfortunately, most developers do not understand how APMs monitor their apps during the runtime and whether these APMs have any limitations. In this paper, we demystify APMs by inspecting 25 widely-used APMs that target on Android apps. We first report how these APMs implement 8 key functions as well as their limitations. Then, we conduct a large-scale empirical study on 500,000 Android apps from Google Play to explore the usage of APMs. This study has some interesting observations about existing APMs for Android, including 1) some APMs still use deprecated permissions and approaches so that they may not always work properly; 2) some app developers use APMs to collect users' privacy information.

Haoyu Wang,Yao Guo,Zihao Tang,Guangdong Bai,Xiangqun Chen

DOI: https://doi.org/10.1109/GLOCOM.2015.7417621

2015-01-01

Abstract:Recent studies on the Android permission system have found that there exists a permission gap between the requested permissions and permissions actually used in an Android app. However, current approaches face some challenges when detecting such permission gaps in Android apps due to the limitation of static analysis techniques. This paper proposes a novel approach to detect permission gaps in Android apps and determine the precise set of permissions that an app needs to run correctly. Our approach includes a static analysis technique to extract permission usage information from API invocations, and a dynamic testing technique to test and monitor the runtime permission usage behaviors of apps. By combining static analysis and dynamic testing, our approach can detect significantly more permission usage information compared to static analysis, indicating that our approach could improve the detection accuracy and reduce the false positives in permission gap detection. We have implemented a prototype to study more than 1,000 popular apps from Google Play. The results show that our approach could detect on average 30% more permissions that are used in apps, while more than 8% of the overprivileged apps detected by previous approaches are false positives.

LU Wenxiong,WANG Haoyu

DOI: https://doi.org/10.11959/j.issn.2096-0271.2020003

IF: 3.3

2020-01-01

Big Data Research

Abstract:Mobile systems,such as Android,use permission-based access control mechanism,which is at the granularity of each application.Apart from the code from developers themselves,applications also contain code from third-party libraries,which has led to serious overuse of application permissions.A novel origin-based (similar to browsers) and fine-grained control mechanism was introduced,which broke the boundary between applications in terms of access control and finegrained the granularity to the level of code source.The mechanism was implemented onto Android framework,and a set of tools to modify applications were also offered.Experiment results suggest that system can allow (or limit) certain developers to execute certain sensitive behaviors.

Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Zheran Fang,Weili Han,Yingjiu Li

DOI: https://doi.org/10.1016/j.cose.2014.02.007

IF: 5.105

2014-01-01

Computers & Security

Abstract:Android security has been a hot spot recently in both academic research and public concerns due to numerous instances of security attacks and privacy leakage on Android platform. Android security has been built upon a permission based mechanism which restricts accesses of third-party Android applications to critical resources on an Android device. Such permission based mechanism is widely criticized for its coarse-grained control of application permissions and difficult management of permissions by developers, marketers, and end-users. In this paper, we investigate the arising issues in Android security, including coarse granularity of permissions, incompetent permission administration, insufficient permission documentation, over-claim of permissions, permission escalation attack, and TOCTOU (Time of Check to Time of Use) attack. We illustrate the relationships among these issues, and investigate the existing countermeasures to address these issues. In particular, we provide a systematic review on the development of these countermeasures, and compare them according to their technical features. Finally, we propose several methods to further mitigate the risk in Android security.

Rui Li,Wenrui Diao,Zhou Li,Shishuai Yang,Shuang Li,Shanqing Guo,Rui Li,Wenrui Diao,Zhou Li,Shishuai Yang,Shuang Li,Shanqing Guo

DOI: https://doi.org/10.1109/tse.2021.3119980

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:Permission is the fundamental security mechanism for protecting user data and privacy on Android. Given its importance, security researchers have studied the design and usage of permissions from various aspects. However, most of the previous research focused on the security issues of system permissions. Overlooked by many researchers, an app can use custom permissions to share its resources and capabilities with other apps. However, the security implications of using custom permissions have not been fully understood. In this paper, we systematically evaluate the design and implementation of Android custom permissions. Notably, we built an automatic fuzzing tool, called CuPerFuzzer+, to detect custom permission related vulnerabilities existing in the Android OS. CuPerFuzzer+ treats the operations of the permission mechanism as a black-box and executes massive targeted test cases to trigger privilege escalation. In the experiments, CuPerFuzzer+ discovered 5,932 effective cases with 47 critical paths successfully. Through investigating these vulnerable cases and analyzing the source code of Android OS, we further identified a series of severe design shortcomings lying in the Android permission framework, including dangling custom permission, inconsistent permission-group mapping, custom permission elevating, inconsistent permission definition, dormant permission group, and inconsistent permission type. Exploiting these shortcomings, a malicious app can access unauthorized platform resources. On top of these observations, we propose three general design guidelines to secure custom permissions. Our findings have been acknowledged by the Android security team and assigned CVE-2020-0418, CVE-2021-0306, CVE-2021-030-, and CVE-2021-0317.

engineering, electrical & electronic,computer science, software engineering

Yuan Zhang,Min Yang,Guofei Gu,Hao Chen

DOI: https://doi.org/10.1007/978-3-319-28865-9_1

2015-01-01

Abstract:To protect sensitive resources from unauthorized use, modern mobile systems, such as Android and iOS, design a permission-based access control model. However, current model could not enforce fine-grained control over the dynamic permission use contexts, causing two severe security problems. First, any code package in an application could use the granted permissions, inducing attackers to embed malicious payloads into benign apps. Second, the permissions granted to a benign application may be utilized by an attacker through vulnerable application interactions. Although ad hoc solutions have been proposed, none could systematically solve these two issues within a unified framework.

Yang Xu,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1016/j.future.2018.09.042

IF: 7.307

2018-01-01

Future Generation Computer Systems

Abstract:Android is a successful mobile platform with a thriving application ecosystem. However, despite its security precautions like permission mechanism, it is still vulnerable to privilege escalation threats and particularly confused deputy attacks that exploit the permission leak vulnerabilities of Android applications. Worse, most existing detection and protection techniques have become costly and unresponsive in current Android dynamic permission environments. In this paper, we propose a configurable Android security framework to prevent the exploitation of permission leak vulnerabilities of third-party applications via confused deputy attacks. Our framework collects the runtime states of applications and enforces policy and capability-based access control to restrain riskful inter-application communications, so as to provide more responsive, adaptive, and flexible application protection. Besides, our framework provides users with a flexible runtime policy configuration together with a complementary security mechanism to mitigate risks induced by inappropriate policies. Additionally, we present a sophisticated access decision cache system with a proactive maintenance method that ensures the efficiency and dependability of decision services. Theoretical analysis and experimental evaluation demonstrate that our approach provides configurable and effective protections for third-party applications against permission leak vulnerabilities at small performance and usability costs.

Yang Xu,Ju Ren,Yaoxue Zhang,Guojun Wang

DOI: https://doi.org/10.1109/ispa/iucc.2017.00116

2017-01-01

Abstract:Android is the world's most popular mobile platform. Nevertheless, in spite of continuous efforts on its permission system, it is still incapable of resisting privilege escalation attacks, specially, the confused deputy attacks on numerous poor-designed applications. Worse yet, most existing security solutions become costly or rigid in recent Android dynamic permission environment. In this paper, we proposed a flexible and efficient security extension to Android middleware for protecting the vulnerable privileged applications from being abused by malwares in the dynamic permission scenario. Our framework maintains fresh permission states of applications at runtime and enforces access control on inter-component communications conservatively by checking the capability differences between applications, so as to provide more precise and temperate protection for applications. Moreover, we also introduced an efficient cache mechanism together with an optimized proactive updating method for decisions, which contributes significantly to improving the inspection efficiency. Finally, experimental results reveal that our framework is effective and adaptable in defending against confused deputy attacks on applications with negligible overhead and limited impact on application usability.