TY - GEN
T1 - Android Security Permissions - Can we trust them?
AU - Orthacker, Clemens
AU - Teufl, Peter
AU - Kraxberger, Stefan
AU - Lackner, Günther
AU - Gissing, Michael
AU - Marsalek, Alexander
AU - Leibetseder, Johannes
AU - Prevenhueber, Oliver
PY - 2012/7/9
Y1 - 2012/7/9
N2 - The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.
AB - The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.
KW - Android Malware
KW - Android Market
KW - Android Services
KW - Backdoors
KW - Permission Context
KW - Security Permissions
KW - Side Channels
UR - http://www.scopus.com/inward/record.url?scp=84869594449&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-30244-2_4
DO - 10.1007/978-3-642-30244-2_4
M3 - Conference paper
AN - SCOPUS:84869594449
SN - 9783642302435
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 40
EP - 51
BT - Security and Privacy in Mobile Information and Communication Systems - Third International ICST Conference, MobiSec 2011, Revised Selected Papers
T2 - 3rd ICST Conference on Security and Privacy for Mobile Information and Communication Systems, MobiSec 2011
Y2 - 17 May 2011 through 19 May 2011
ER -