Security and Privacy in Mobile Information and Communication Systems. Third International ICST Conference, MobiSec 2011, Aalborg, Denmark, May 17-19, 2011, Revised Selected Papers

Research Article

Android Security Permissions – Can We Trust Them?

Download137 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-30244-2_4,
        author={Clemens Orthacker and Peter Teufl and Stefan Kraxberger and G\'{y}nther Lackner and Michael Gissing and Alexander Marsalek and Johannes Leibetseder and Oliver Prevenhueber},
        title={Android Security Permissions -- Can We Trust Them?},
        proceedings={Security and Privacy in Mobile Information and Communication Systems. Third International ICST Conference, MobiSec 2011, Aalborg, Denmark, May 17-19, 2011, Revised Selected Papers},
        proceedings_a={MOBISEC},
        year={2012},
        month={10},
        keywords={Android Market Security Permissions Android Malware Android Services Backdoors Permission Context Side Channels},
        doi={10.1007/978-3-642-30244-2_4}
    }
    
  • Clemens Orthacker
    Peter Teufl
    Stefan Kraxberger
    Günther Lackner
    Michael Gissing
    Alexander Marsalek
    Johannes Leibetseder
    Oliver Prevenhueber
    Year: 2012
    Android Security Permissions – Can We Trust Them?
    MOBISEC
    Springer
    DOI: 10.1007/978-3-642-30244-2_4
Clemens Orthacker1,*, Peter Teufl1,*, Stefan Kraxberger1,*, Günther Lackner1,*, Michael Gissing1, Alexander Marsalek1, Johannes Leibetseder1, Oliver Prevenhueber1
  • 1: University of Technology Graz
*Contact email: clemens.orthacker@iaik.tugraz.at, peter.teufl@iaik.tugraz.at, stefan.kraxberger@iaik.tugraz.at, guenther.lackner@iaik.tugraz.at

Abstract

The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.