Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era

  • Efthimios Alepis
  • Constantinos Patsakis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10662)


Billions of hand-held devices are used globally on a daily basis. Two main reasons for their wide adoption are the introduction of various sensors, which have completely reshaped user interaction, and the development of myriads of applications that provide services to users. Because these applications are used daily and a great deal of information can be deduced from the sensors, much private and sensitive information can leak unless access control is enforced on the installed applications. In Android, this control was originally applied when each application was installed, with the user asked to grant all requested permissions up front. Since Android 6.0 (Marshmallow) this policy has changed: permissions classified as “dangerous” are granted on demand at runtime, and users can revoke them afterwards. In this work we illustrate several flaws in the new permission architecture that can be exploited to gain more access to sensitive user data than the user considers to have granted.
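The abstract contrasts the install-time model with the runtime model introduced in Android 6.0. The script below is an added example (not code from the paper) that audits a manifest against that model: it separates install-time (“normal”) requests from runtime (“dangerous”) ones and from the special-cased SYSTEM_ALERT_WINDOW, flags a targetSdkVersion below 23 (which keeps the legacy install-time behaviour even on a 6.0 device), and computes which dangerous permissions the app ends up holding without a dialog of their own, because Android 6.0 grants a requested permission automatically once the user has approved another member of the same permission group. The protection-level and group tables are a hand-picked subset of AOSP's values at API 23, and the manifest is constructed for the demo.

```python
"""Audit an AndroidManifest.xml against the Android 6.0 (API 23) permission
model: which requests are install-time ("normal"), which need a runtime
dialog ("dangerous"), which are special-cased, and which dangerous ones the
app ends up holding without a dialog of their own."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hand-picked subset of protection levels from AOSP's core AndroidManifest.xml
# at API 23 (assumption: only these names are known to the script).
# "special": SYSTEM_ALERT_WINDOW is not granted through the runtime dialog but
# through the Settings overlay screen (and was pre-granted to Play installs).
PROTECTION = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_WIFI_STATE": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.WRITE_CONTACTS": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.ACCESS_COARSE_LOCATION": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.SYSTEM_ALERT_WINDOW": "special",
}

# Runtime permission groups (API 23). Once the user approves one member, any
# other member the same app requests is granted without a further dialog.
GROUP = {
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
}


def requested_permissions(manifest_xml):
    """Names listed in <uses-permission android:name=...> elements."""
    root = ET.fromstring(manifest_xml)
    return [e.get("{%s}name" % ANDROID_NS) for e in root.findall("uses-permission")]


def target_sdk(manifest_xml):
    """android:targetSdkVersion from <uses-sdk>, or None if absent."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    value = sdk.get("{%s}targetSdkVersion" % ANDROID_NS) if sdk is not None else None
    return int(value) if value is not None else None


def classify(perms):
    buckets = {"normal": [], "dangerous": [], "special": [], "unknown": []}
    for p in perms:
        buckets[PROTECTION.get(p, "unknown")].append(p)
    return buckets


def effective_grants(perms, user_granted):
    """Dangerous permissions held after the user approved `user_granted`:
    the approved ones plus every requested sibling in the same group."""
    groups = {GROUP[p] for p in user_granted if p in GROUP}
    return sorted(p for p in perms if p in GROUP and GROUP[p] in groups)


def audit(manifest_xml, user_granted=()):
    perms = requested_permissions(manifest_xml)
    report = classify(perms)
    # targetSdkVersion < 23 keeps the install-time model even on a 6.0 device:
    # everything is granted at install, and a later revocation in Settings is
    # not signalled to the app.
    tsdk = target_sdk(manifest_xml)
    report["legacy_install_time_model"] = tsdk is not None and tsdk < 23
    report["held_without_own_dialog"] = [
        p for p in effective_grants(perms, user_granted) if p not in user_granted]
    return report


# Constructed manifest for the demo (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>
"""

if __name__ == "__main__":
    # The user saw and accepted exactly two dialogs: camera and contacts.
    report = audit(SAMPLE_MANIFEST, user_granted={
        "android.permission.CAMERA", "android.permission.READ_CONTACTS"})
    for key, value in report.items():
        print("%-26s %s" % (key, value))
```

Running the script with the two approvals shown reports WRITE_CONTACTS under `held_without_own_dialog`: the user answered a prompt about reading contacts, but the app can also modify them. Approving only ACCESS_COARSE_LOCATION likewise yields ACCESS_FINE_LOCATION. Normal permissions such as ACCESS_WIFI_STATE never produce a dialog at all, and SYSTEM_ALERT_WINDOW is handled outside the runtime dialog flow entirely, which is why an audit should not stop at the dangerous bucket.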


Keywords: Android, Security, Permissions, Privacy



This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704). The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

Department of Informatics, University of Piraeus, Piraeus, Greece
