Sleeping android: the danger of dormant permissions

J. Sellwood, J. Crampton
Published in: Security and Privacy in Smartphones and Mobile Devices, 2013-11-08 (journal article)
DOI: 10.1145/2516760.2516774 (https://doi.org/10.1145/2516760.2516774)
Citations: 23

Abstract

An Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require and these permissions must be authorized by the user of the device when the app is installed. Permissions, and the tools that are used to manage them, form the basis of the Android permission architecture, which is an essential part of the access control services provided by the Android platform. We have analyzed the evolution of the Android permission architecture across six versions of the Android platform, identifying various changes which have occurred during that period and a considerable amount of information about the permission architecture which is not included in the Android documentation. Using this information, we have identified a weakness in the way that the Android platform handles app permissions during platform upgrades. We explain how this weakness may be exploited by a developer to produce malicious software which the average user is unlikely to detect. We conclude with a discussion of potential mitigation techniques for this weakness, highlighting concerns drawn from other research in this area.