Abstract
Third-party libraries are very prevalent in the development of Android Apps. However, the wide use of third-party libraries may cause potential violations on user’s privacy. In the original Android permission mechanism, host Apps share all permissions with their third-party libraries. Moreover, the details of most third-party libraries are not very clear to developers and malicious code may be contained. With privileges and malicious code, the attack may be conducted. In this paper, we present a novel privilege splitting mechanism for the third-party libraries in Android Apps. Different from other similar approaches, our system makes full use of the original permission mechanism to minimize the attack surface and the impact on Android system. Since the lightweight customization on Android, our system can be easily adapted to both Dalvik and ART (Android Runtime) virtual machines. We deployed a prototype on a real Android device and evaluated it’s compatibility, effectiveness and performance. The experiment results show that our system is compatible with existing Apps, splits the third-party libraries’ privileges effectively according to the given policies, and works well with negligible performance overhead.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
android-mapviewballoons. https://github.com/jgilfelt/android-mapviewballoons
jmonkeyengine. http://code.google.com/p/jmonkeyengine/
Grace, M., Zhou, W., Jiang, X., Sadeghi, A.-R.: Unsafe exposure analysis of mobile in-app. advertisements. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (2012)
Opencv for android. http://billmccord.github.com/OpenCV-Android/
android-wheel. http://code.google.com/p/android-wheel/
Android permissions. https://developer.android.com/guide/topics/security/permissions.html
Shekhar, S., Dietz, M., Wallach, D.S.: Adsplit: separating smartphone advertising from applications. In: Presented as part of the 21st USENIX Security Symposium (2012)
Sun, M., Tan, G.: Nativeguard: protecting android applications from third-party native libraries. In: Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks (2014)
Seo, J., Kim, D., Cho, D., Kim, T., Shin, I.: Flexdroid: enforcing in-app. privilege separation in android. In: Proceedings of Annual Network & Distributed System Security Symposium (NDSS) (2016)
Android platform versions, February 2017. https://developer.android.com/about/dashboards/index.html
Google play. https://play.google.com/store
Monkey. https://developer.android.com/studio/test/monkey.html
Wang, Y., Hariharan, S., Zhao, C., Liu, J., Du, W.: Compac: enforce component-level access control in android. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (2014)
Pearce, P., Felt, A.P., Nunez, G., Wagner, D.: Addroid: privilege separation for applications and advertisers in android. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (2012)
Zhang, X., Ahlawat, A., Du, W.: Aframe: isolating advertisements from mobile applications in android. In: Proceedings of the 29th Annual Computer Security Applications Conference (2013)
Roesner, F., Kohno, T.: Securing embedded user interfaces: android and beyond. In: Presented as part of the 22nd USENIX Security Symposium (2013)
Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (2010)
Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS) (2009)
Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in android. In: Proceedings of the 2009 Annual Computer Security Applications Conference (ACSA) (2009)
Roesner, F., Kohno, T., Moshchuk, A., Parno, B.: User-driven access control: Rethinking permission granting in modern operating systems. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (2012)
Conti, M., Nguyen, V.T.N., Crispo, B.: Crepe: context-related policy enforcement for android. In: Proceedings of the 13th International Conference on Information Security (2010)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R.: Xmandroid: a new android evolution to mitigate privilege escalation attacks (2011)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards taming privilege-escalation attacks on android. In: Proceedings of Annual Network & Distributed System Security Symposium, vol. 130(130), pp. 346–360 (2012)
Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. Dissertations & Theses - Gradworks, p. 23 (2011)
Smalley, S., Craig, R.: Security enhanced (se) android: bringing flexible mac to android. In: Proceedings of 20th Annual Network & Distributed System Security Symposium ( NDSS) (2013)
Bugiel, S., Heuser, S., Sadeghi, A.R.: Towards a framework for android security modules: Extending se android type enforcement to android middleware. Technical report, Center for Advanced Security Research Darmstadt (2012)
Bugiel, S., Heuser, S., Sadeghi, A.R.: Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In: Usenix Conference on Security, pp. 131–146 (2013)
Bousquet, A., Briffaut, J., Clvy, L., Toinard, C., Venelle, B., Bousquet, A., Clvy, L., Venelle, B.: Mandatory access control for the android dalvik virtual machine. In: The Workshop on Usenix Federated Conferences (2013)
acl, linux man page. http://linux.die.net/man/5/acl
Acknowledgement
This research was supported by the National Key Research and Development Program of China (Grant No. 2016YFB0800102), and National Basic Research Program of China (973 Program No. 2013CB338001)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zhan, J., Zhou, Q., Gu, X., Wang, Y., Niu, Y. (2017). Splitting Third-Party Libraries’ Privileges from Android Apps. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science(), vol 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-59870-3_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59869-7
Online ISBN: 978-3-319-59870-3
eBook Packages: Computer ScienceComputer Science (R0)