Presenting Risks Introduced by Android Application Permissions in a User-Friendly Way

Varga, Juraj; Muska, Peter

doi:10.2478/tmmp-2014-0026

Abstract

The emergence of Android as a leading Operating System in terms of market coverage induced the rapid emergence of many mobile applications. A lot of these applications are prone to misuse because of their design. This paper deals with a new method of informing user whether applications installed on his device are potentially harmful or not. The introductory part provides some insight into security mechanisms used in Android. The main part deals with research we based our work on, proposal of our own methodology based on permission model and its implementation in application for real-time offline analysis of installed applications on device running Android. The last part of this paper deals with the evaluation of achievements reached by our methodology implemented in standalone application

References

[1] Android and iOS continue to dominate the worldwide smartphone market with Android shipments just shy of 800 million in 2013, According to IDC, http://www.idc.com/getdoc.jsp?containerId=prUS24676414
Search in Google Scholar
[2] JOKAY, M.: The design of a steganographic system based on the internal MP4 file structures, Internat. J. Comput. Commun. 5 (2012), 207-214.
Search in Google Scholar
[3] JÓKAY, M.-KOˇSDY, M.: Steganographic file system based on JPEG files, Tatra Mt. Math. Publ. 57 (2013), 65-83.
Search in Google Scholar
[4] Android security overview, http://source.android.com/tech/security/index.html
Search in Google Scholar
[5] SHABTAI, A.-FLEDEL, Y.-KANONOV, U.-ELOVICI, Y.-DOLEV, S.: Google Android: A comprehensive security assessment, Security & Privacy, IEEE 8 (2010), 35-44.
Search in Google Scholar
[6] Android permissions overview, http://developer.android.com/reference/android/Manifest.permission.html
Search in Google Scholar
[7] FELT, A. P.-HA, E.-EGELMAN, S.-HANEY, A.-CHIN, E.-WAGNER, D.: Android permissions: user attention, comprehension, and behavior, in: Symposium on Usable Privacy and Security-SOUPS ’12, ACM, New York, NY, USA, pp. 1-14.
Search in Google Scholar
[8] ANTAL, E.-BARANEC, F.: Techniques of obtaining sensitive data from Apple iOS devices, in: 43. Konference EurOpen.CZ, Vranov, Czech Republik, 2013, Plzeˇn, EurOpen.CZ, 2013, pp. 21-32. (In Slovak)
Search in Google Scholar
[9] ZHOU, Y.-JIANG, X.: Dissecting Android malware: characterization and evolution, in: Proc. of the 33rd IEEE Symp. on Security and Privacy, San Francisco, CA, 2012, IEEE Computer Society, Washington, DC, USA, 2012, pp. 95-109.10.1109/SP.2012.16
Search in Google Scholar
[10] ENCK, W.: Defending users against smartphone apps: techniques and future directions, in: Proc. of the 7th Internat. Conf. on Information Systems Security-ICISS ’11 (S. Jajodia, C. Mazumdar, eds.), Kolkata, India, 2011, Lecture Notes in Comput. Sci., Vol. 7093, Springer-Verlag, Berlin, pp. 49-70.
Search in Google Scholar
[11] FUCHS, A. P.-CHAUDHURI, A.-FOSTER, J. S.: SCanDroid: automated security certification of Android applications, Technical Reports of the Computer Science Department, 2009, 15 pp.
Search in Google Scholar
[12] GRACE, M. C.-ZHOU, W.-JIANG, X.-SADEGHI, A.-R.: Unsafe exposure analysis of mobile in-app advertisements, in: Proc. of the 5th ACM Conf. on Security and Privacy in Wireless and Mobile Networks-WISEC ’12, Tucson, AZ, USA, ACM, New York, NY, USA, 2012, pp. 101-112.10.1145/2185448.2185464
Search in Google Scholar
[13] FELT, A. P.-SONG, D.-WAGNER, D.-HANNA, S.: Android permissions demystified, in: Proc. of the 18th ACM Conf. on Comput. and Commun. Security-CCS ’11, Chicago, IL, USA, 2011, ACM New York, NY, USA, pp. 627-638.10.1145/2046707.2046779
Search in Google Scholar
[14] FELT, A. P.-FINIFTER, M.-CHIN, E.-WAGNER, D.: A survey of mobile malware in the wild, in: Proc. of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices-SPSM ’11, Chicago, IL, USA, ACM, New York, NY, USA, 2011, pp. 3-14.10.1145/2046614.2046618
Search in Google Scholar
[15] NAUMAN, M.-KHAN, S.-ZHANG, X.: Apex: Extending Android permission model and enforcement with user-defined runtime constraints, in: 5th ACM Symposium on Information, Comput. and Commun. Security-ASIACCS ’10, Beijing, China, 2010, ACM, New York, NY, USA, 2010, pp. 328-332.10.1145/1755688.1755732
Search in Google Scholar
[16] ENCK, W.-ONGTANG, M.-MCDANIEL. P.: On lightweight mobile phone application certification, in: Proc. of the 16th ACM Conf. on Comput. and Commun. Security- -CCS ’09, Chicago, IL, USA, 2009, ACM, New York, NY, USA, 2009, pp. 235-24510.1145/1653662.1653691
Search in Google Scholar
[17] ZARNI, A.-WIN, Z.: Permission-based Android malware detection, Internat. J. of Sci. and Technology Research (IJSTR) 2 (2013), 228-234.
Search in Google Scholar
[18] DAVI, L.-DIMITRENKO, A.-SADEGHI, A.-R.-WINANDY, M.: Privilege escalation attacks on Android, in: Proc. of the 13th Internat. Conf. on Inform. Security-ISC ’10 (M. Burmester et al., eds.), Boca Raton, FL, USA, 2010 Lecture Notes in Comput. Sci., Vol. 6531, Springer-Verlag, Berlin, 2011, pp. 346-360.
Search in Google Scholar
[19] BUGIEL, S.-DAVI, L.-DMITRIENKO, A.-FISCHER, T.-SADEGHI, A.-R.: XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks, Technical Report TR-2011-04, 2011, 18 pp.
Search in Google Scholar
[20] BUGIEL, S.-DAVI, L.-DMITRIENKO, A.-FISCHER, T.-SADEGHI, A.-R.- -SHASTRY, B.: Towards taming privilege-escalation attacks on Android, in: Proc. of the 19th Annual Network & Distributed System Security Symp.-NDSS ’12, San Diego, California, 2012, pp. 1-18.
Search in Google Scholar
[21] KENNEDY, K.-GUSTAFSON, E.-CHEN, H.: Quantifying the effects of removing permissions from Android applications, in: IEEE Mobile Security Technologies-MoST ’13, San Francisco, CA, 2013, pp. 11.
Search in Google Scholar
[22] HOLAVANALLI, S.-MANUEL, D.-NANJUNDASWAMY, V.-ROSENBERG, B.- -SHEN, F.-KO, S.Y.-ZIAREK, L.: Flow Permissions for Android, in: IEEE/ACM28th Internat. Conf. on Automated Software Engineering-ASE ’13 (E.Denney et al., eds.), Palo Alto, USA, 2013, IEEE, Piscataway, NJ, 2013, pp. 652-658.10.1109/ASE.2013.6693128
Search in Google Scholar
[23] F-Secure App Permissions, https://play.google.com/store/apps/details?id=com.fsecure.app.permissions.privacy
Search in Google Scholar
[24] S2 Permission Checker, https://play.google.com/store/apps/details?id=com.byte256.permissionchecker
Search in Google Scholar
[25] Permission Friendly Apps, https://play.google.com/store/apps/details?id=org.androidsoft.app.permission&hl=sk
Search in Google Scholar
[26] Adv Permission Manager, https://play.google.com/store/apps/details?id=com.gmail.heagoo.pmaster.pro
Search in Google Scholar
[27] ENCK, W.-GILBERT, P.-CHUN, B.-G.-COX, L. P.-JUNG, J.-MC-DANIEL, P.- -SHETH, A. N.: TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones, in: 9th USENIX Symposium on Operating Systems Design and Implementation-OSDI ’10, Vancouver, BC, Canada, 2010, USENIX Association Berkeley, CA, USA, pp. 393-409.
Search in Google Scholar

Presenting Risks Introduced by Android Application Permissions in a User-Friendly Way

Abstract

Paradigm

My account