Overprivileged Permission Detection for Android Applications

@article{Wu2019OverprivilegedPD,
  title={Overprivileged Permission Detection for Android Applications},
  author={Sha Wu and Jiajia Liu},
  journal={ICC 2019 - 2019 IEEE International Conference on Communications (ICC)},
  year={2019},
  pages={1-6}
}
  • Sha Wu, Jiajia Liu
  • Published 1 May 2019
  • Computer Science
  • ICC 2019 - 2019 IEEE International Conference on Communications (ICC)
Android applications (Apps) have penetrated almost every aspect of our lives, bring users great convenience as well as security concerns. Even though Android system adopts permission mechanism to restrict Apps from accessing important resources of a smartphone, such as telephony, camera and GPS location, users face still significant risk of privacy leakage due to the overprivileged permissions. The overprivileged permission means the extra permission declared by the App but has nothing to do… 

Figures and Tables from this paper

Taxonomy of Security Weaknesses in Java and Kotlin Android Apps
Towards a certified reference monitor of the Android 10 permission system
TLDR
This paper presents an enhanced version of the model for the permission model of version 6 of Android in the proof assistant Coq, including the most relevant changes concerning the permission system introduced in versions Nougat, Oreo, Pie and 10.
Administrative Models for Role Based Access Control in Android
TLDR
Three new models for administration of RBAC in Android are introduced, based on an in-depth analysis of applications in Android, and support the principle of least privilege to reduce unwanted permission exposure.
A Study of Application Sandbox Policies in Linux
TLDR
This paper provides the first analysis of sandbox policies defined for Flatpak and Snap applications, covering 283 applications contained in both platforms, finding that 90.1% of Snaps and 58.3% of Flatpak applications studied are contained by tamperproof sandboxes.
Privacy-Risk Detection in Microservices Composition Using Distributed Tracing
TLDR
A distributed tracing Privacy Risk Detection (dtPRD) framework for identifying potential privacy and security risks associated with the dissemination of data through the path a service request undergoes is introduced.

References

SHOWING 1-10 OF 13 REFERENCES
Android permissions demystified
TLDR
Stowaway, a tool that detects overprivilege in compiled Android applications, is built and finds that about one-third of applications are overprivileged.
Android Security: A Survey of Issues, Malware Penetration, and Defenses
TLDR
This review gives an insight into the strengths and shortcomings of the known research methodologies and provides a platform, to the researchers and practitioners, toward proposing the next-generation Android security, analysis, and malware detection techniques.
M-Perm: A Lightweight Detector for Android Permission Gaps
TLDR
A new detection tool, M-Perm, is created, which combines static and dynamic analysis in a computationally efficient manner compared to existing tools to assist with the discovery of misused permissions.
PScout: analyzing the Android permission specification
TLDR
An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves.
Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges and Solutions for Analyzing Android
TLDR
This paper shows that naive static analysis fails miserably when applied with off-the-shelf components on the Android framework, and presents an advanced class-hierarchy and field-sensitive set of analyses to extract a precise mapping between API methods of the framework and the permissions they require.
Android Malware of Static Analysis Technology Based on Data Mining
TLDR
With the proliferation of malicious Android applications, an Android malicious code detection system is proposed based on the similarity between cognate malicious software in terms of permission application and behavior and is made available on the Internet to provide free analysis and detection service.
Short paper: a look at smartphone permission models
TLDR
The problem of permission overdeclaration is discussed and a set of goals that security researchers should aim for are devised, as well as proposed directions through which the research community can attain those goals.
Analysis of Android Applications' Permissions
TLDR
An architecture that automatically searches for and downloads Android applications from the Android Market and performs an analysis to determine if they have the appropriate set of permissions based on the static analysis of the APK bytecode of each application indicates that the majority of mobile software developers are not using the correct permission set.
On the Understanding of Interdependency of Mobile App Usage
TLDR
The frequent pattern mining algorithm is employed to a large-scale real-world dataset, which includes more than 1.7 million users and 5 billion app usage logs, and finds out frequent app-sets and association rules with interesting insights, which are usefulness in app marketing for service providers and in understanding different mobile users for app designers.
A Formal Model to Analyze the Permission Authorization and Enforcement in the Android Framework
TLDR
This paper proposes a formal model of the Android permission scheme, and provides a state-based model which includes the behavior specification of permission authorization and the interactions between application components, and shows how it can logically confirm the security of the specified system.
...
...