Android Security Permissions - Can we trust them?

Clemens Orthacker, Peter Teufl, Stefan Kraxberger, Günther Lackner, Michael Gissing, Alexander Marsalek, Johannes Leibetseder, Oliver Prevenhueber

Publication: Contribution to book/report/conference proceedings › Contribution to a conference proceedings › Research › Peer-reviewed

Abstract

The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.

Original language: English
Title: Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers
Pages: 40-51
Number of pages: 12
DOIs: https://doi.org/10.1007/978-3-642-30244-2_4
Publication status: Published - 9 Jul 2012
Event: 3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011 - Aalborg, Denmark
Duration: 17 May 2011 - 19 May 2011

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
Volume: 94 LNICST
ISSN (Print): 1867-8211

Conference

Conference: 3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011
Country: Denmark
City: Aalborg
Period: 17/05/11 - 19/05/11

Keywords

    ASJC Scopus subject areas

    • Computer Networks and Communications

    Cite this

    Orthacker, C., Teufl, P., Kraxberger, S., Lackner, G., Gissing, M., Marsalek, A., ... Prevenhueber, O. (2012). Android Security Permissions - Can we trust them? In Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers (pp. 40-51). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering; Vol. 94 LNICST). https://doi.org/10.1007/978-3-642-30244-2_4

    @inproceedings{644fa66fb1c64251ae1dd64e0f59c8f3,
    title = "Android Security Permissions - Can we trust them?",
    abstract = "The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.",
    keywords = "Android Malware, Android Market, Android Services, Backdoors, Permission Context, Security Permissions, Side Channels",
    author = "Clemens Orthacker and Peter Teufl and Stefan Kraxberger and G{\"u}nther Lackner and Michael Gissing and Alexander Marsalek and Johannes Leibetseder and Oliver Prevenhueber",
    year = "2012",
    month = "7",
    day = "9",
    doi = "10.1007/978-3-642-30244-2_4",
    language = "English",
    isbn = "9783642302435",
    series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering",
    pages = "40--51",
    booktitle = "Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers",

    }
