Abstract
The ever-increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we analyze the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol in Alloy and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely.
Additional information
Frank de Boer, Nikolaj Bjorner, and Andrew Butterfield
Cite this article
Bagheri, H., Kang, E., Malek, S. et al. A formal approach for detection of security flaws in the android permission system. Form Asp Comp 30, 525–544 (2018). https://doi.org/10.1007/s00165-017-0445-z