Formal Aspects of Computing, Volume 30, Issue 5, pp 525–544

A formal approach for detection of security flaws in the android permission system

  • Hamid Bagheri
  • Eunsuk Kang
  • Sam Malek
  • Daniel Jackson
Original Article


The ever increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we perform an analysis of the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol in Alloy, and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely.


Keywords: Android, Permission protocol, Alloy, Verification





Copyright information

© British Computer Society 2017

Authors and Affiliations

  • Hamid Bagheri (1)
  • Eunsuk Kang (2)
  • Sam Malek (3)
  • Daniel Jackson (2)
  1. Department of Computer Science and Engineering, University of Nebraska, Lincoln, USA
  2. Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge, USA
  3. School of Information and Computer Sciences, University of California, Irvine, Irvine, USA
