Automated Identification of Over-Privileged SmartThings Apps

Abstract

The permission system in the SmartThings platform governs how apps access devices. The system was designed to protect devices from third-party apps, by forcing apps to access devices through their capabilities. Design flaws in the system result in apps being over-privileged with unauthorized capabilities. This vulnerability represents serious security challenges to this platform and its users. In this paper, we present an automated tool that can identify over-privilege vulnerability in SmartThings apps. We have identified common patterns, and we have used this knowledge to design our automated over-privilege detection tool. We have evaluated the effectiveness of our tool on 222 official and third-party apps, and we have found that approximately 5.5% of defined devices were misused with 76 identified instances of over-privilege.