Inferring Required Permissions for Statically Composed Programs

  • Tero Hasu
  • Anya Helene Bagge
  • Magne Haveraaen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8208)


Permission-based security models are common in smartphone operating systems. Such models implement access control for sensitive APIs, introducing an additional concern for application developers. It is important for the correct set of permissions to be declared for an application, as too small a set is likely to result in runtime errors, whereas too large a set may needlessly worry users. Unfortunately, not all platform vendors provide tool support to assist in determining the set of permissions that an application requires.

We present a language-based solution for permission management. It entails the specification of permission information within a collection of source code, and allows for the inference of permission requirements for a chosen program composition. Our implementation is based on Magnolia, a programming language demonstrating characteristics that are favorable for this use case. A language with a suitable component system supports permission management also in a cross-platform codebase, allowing abstraction over different platform-specific implementations and concrete permission requirements. When the language also requires any “wiring” of components to be known at compile time, and otherwise makes design tradeoffs that favor ease of static analysis, then accurate inference of permission requirements becomes possible.


Keywords: language-based security; platform security architectures; security management; software engineering





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Tero Hasu (1)
  • Anya Helene Bagge (1)
  • Magne Haveraaen (1)
  1. Bergen Language Design Laboratory, Department of Informatics, University of Bergen, Norway
