Android Security Permissions - Can we trust them?

Clemens Orthacker; Peter Teufl; Stefan Kraxberger; Günther Lackner; Michael Gissing; Alexander Marsalek; Johannes Leibetseder; Oliver Prevenhueber

doi:10.1007/978-3-642-30244-2_4

Android Security Permissions - Can we trust them?

Clemens Orthacker^*, Peter Teufl, Stefan Kraxberger, Günther Lackner, Michael Gissing, Alexander Marsalek, Johannes Leibetseder, Oliver Prevenhueber

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.

Original language	English
Title of host publication	Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers
Pages	40-51
Number of pages	12
DOIs	https://doi.org/10.1007/978-3-642-30244-2_4
Publication status	Published - 9 Jul 2012
Event	3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011 - Aalborg, Denmark Duration: 17 May 2011 → 19 May 2011

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
Volume	94 LNICST
ISSN (Print)	1867-8211

Conference

Conference	3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011
Country/Territory	Denmark
City	Aalborg
Period	17/05/11 → 19/05/11

Keywords

Android Malware
Android Market
Android Services
Backdoors
Permission Context
Security Permissions
Side Channels

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1007/978-3-642-30244-2_4

Cite this

Orthacker, C., Teufl, P., Kraxberger, S., Lackner, G., Gissing, M., Marsalek, A., Leibetseder, J., & Prevenhueber, O. (2012). Android Security Permissions - Can we trust them? In Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers (pp. 40-51). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering; Vol. 94 LNICST). https://doi.org/10.1007/978-3-642-30244-2_4

Android Security Permissions - Can we trust them? / Orthacker, Clemens; Teufl, Peter; Kraxberger, Stefan et al.
Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers. 2012. p. 40-51 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering; Vol. 94 LNICST).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Orthacker, C, Teufl, P, Kraxberger, S, Lackner, G, Gissing, M, Marsalek, A, Leibetseder, J & Prevenhueber, O 2012, Android Security Permissions - Can we trust them? in Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, vol. 94 LNICST, pp. 40-51, 3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011, Aalborg, Denmark, 17/05/11. https://doi.org/10.1007/978-3-642-30244-2_4

Orthacker C, Teufl P, Kraxberger S, Lackner G, Gissing M, Marsalek A et al. Android Security Permissions - Can we trust them? In Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers. 2012. p. 40-51. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering). doi: 10.1007/978-3-642-30244-2_4

Orthacker, Clemens ; Teufl, Peter ; Kraxberger, Stefan et al. / Android Security Permissions - Can we trust them?. Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers. 2012. pp. 40-51 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).

@inproceedings{644fa66fb1c64251ae1dd64e0f59c8f3,

title = "Android Security Permissions - Can we trust them?",

abstract = "The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.",

keywords = "Android Malware, Android Market, Android Services, Backdoors, Permission Context, Security Permissions, Side Channels",

author = "Clemens Orthacker and Peter Teufl and Stefan Kraxberger and G{\"u}nther Lackner and Michael Gissing and Alexander Marsalek and Johannes Leibetseder and Oliver Prevenhueber",

year = "2012",

month = jul,

day = "9",

doi = "10.1007/978-3-642-30244-2_4",

language = "English",

isbn = "9783642302435",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering",

pages = "40--51",

booktitle = "Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers",

note = "3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011 ; Conference date: 17-05-2011 Through 19-05-2011",