
A Certified Reference Validation Mechanism for the Permission Model of Android

Part of the Lecture Notes in Computer Science book series (LNTCS, volume 10855)


Android embodies security mechanisms at both the OS and the application level. On this platform, application security is built primarily upon a system of permissions that specify restrictions on the operations a particular process can perform. The critical role of these security mechanisms makes them a prime target for (formal) verification. We present an idealized model of a reference monitor for the novel mechanisms of Android 6 (and later), where permissions can be granted at run time. Using the programming language of the Coq proof assistant, we have developed a functional implementation of the reference validation mechanism and certified its correctness with respect to the specified reference monitor. Several properties concerning the permission model of Android 6 and its security mechanisms have been formally stated and proved. Applying the program extraction mechanism provided by Coq, we have also derived a certified Haskell prototype of the reference validation mechanism.

Partially funded by project ANII-FCE_1_2014_1_103803: Mecanismos autónomos de seguridad certificados para sistemas computacionales móviles, Uruguay, and by the EU H2020 project Elastest under num. 731535.

  • DOI: 10.1007/978-3-319-94460-9_16
  • Chapter length: 18 pages
Fig. 1.
Fig. 2.


Notes

  1. A permanent delegated permission represents that an app holds a delegated permission to perform an operation on the resource identified by a URI. A temporary delegated permission refers to a permission that has been delegated to a component instance.

  2. Given a state s, an action a and an error code ec, \( ErrorMsg(s, a, ec) \) holds iff error ec is an acceptable response when the execution of a is requested on state s.

  3. Mechanism to trigger actions on a state, according to the type of event considered.

  4. We omit here the formal definition of these functions due to space constraints.

  5. We implement the sets in the model with Coq lists.




Corresponding author: Carlos Luna.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Betarte, G., Campo, J., Gorostiaga, F., Luna, C. (2018). A Certified Reference Validation Mechanism for the Permission Model of Android. In: Fioravanti, F., Gallagher, J. (eds) Logic-Based Program Synthesis and Transformation. LOPSTR 2017. Lecture Notes in Computer Science, vol 10855. Springer, Cham. https://doi.org/10.1007/978-3-319-94460-9_16

  • DOI: 10.1007/978-3-319-94460-9_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94459-3

  • Online ISBN: 978-3-319-94460-9

  • eBook Packages: Computer Science, Computer Science (R0)