Skip to main content
SpringerLink
Log in

Understanding the implemented access control policy of Android system services with slicing and extended static checking

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Android is one of the major smartphone platforms today. One reason for this success is that many interesting applications are made available through Google Play. The increasing functionality, however, entails new risks. To defend against attacks, Android provides a sophisticated security architecture based on permissions which must be granted to applications at installation time. Since the Android source code is publicly available, the security community has the chance to assess the security mechanisms of Android. Due to its large code body, a completely manual code review is tedious, and hence, tool support for this task is desirable. As a first step in this direction, we propose to extract the implemented access control policy from the code for Android system services with the help of program slicing. After this abstraction phase, we analyze the extracted policy against the documentation. For this purpose, we use the Java Modeling Language in conjunction with extended static checking. We applied this approach to core system services of Android 4.0.3 and identified some inconsistencies between the documentation and the implementation.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Similar content being viewed by others

Notes

  1. Certainly, in other cases, the dynamic approach works better than a static one, e.g., it considers the INTERNET permission, which is enforced by Unix groups rather than service hooks.

  2. At the time of this writing, the map is not online anymore, but we still have the text file.

  3. Although not a system service, Fortify SCA also erroneously reports a missing permission for the method openInputStream() of class ContentResolver.

  4. http://pscout.csl.toronto.edu/.

References

  1. Anderson, P., Zarins, M.: The CodeSurfer software understanding platform. In: Proceedings of the 13th International Workshop on Program Comprehension, pp. 147–148 (2005)

  2. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 217–228. CCS ’12, ACM, New York, NY, USA (2012)

  3. Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Automatically securing permission-based software by reducing the attack surface: an application to android. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, pp. 274–277. ASE 2012, ACM, New York, NY, USA (2012). doi:10.1145/2351676.2351722

  4. Bugiel, S., Davi, L., Dmitrienko, A., Heuser, S., Sadeghi, A.R., Shastry, B.: Practical and lightweight domain isolation on android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 51–62. SPSM ’11, ACM (2011)

  5. Burdy, L., Cheon, Y., Cok, D.R., Ernst, M.D., Kiniry, J.R., Leavens, G.T., Leino, K.R.M., Poll, E.: An overview of JML tools and applications. Int. J. Softw. Tools Technol. Transf. 7(3), 212–232 (2005)

    Article  Google Scholar 

  6. Cataño, N., Huisman, M.: Formal specification of Gemplus’s electronic purse case study. In: FME 2002. vol. LNCS 2391, pp. 272–289. Springer, Berlin (2002)

  7. Chaudhuri, A.: Language-based security on android. In: Proceedings of the 4th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS’09), pp. 1–7. ACM (2009)

  8. Chen, H., Wagner, D., Dean, D.: Setuid demystified. In: Proceedings of the 11th USENIX Security Symposium, pp. 171–190 (2002)

  9. Chess, B., West, J.: Secure Programming with Static Analysis. Addison-Wesley, Reading, MA (2007)

    Google Scholar 

  10. Chess, B.: Improving computer security using extended static checking. In: IEEE Symposium on Security and Privacy, pp. 160–173. IEEE Computer Society (2002)

  11. Chin, E., Porter Felt, A., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services (MobiSys 2011), Bethesda, USA, pp. 239–252. ACM (2011)

  12. Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: Proceedings of the 14th USENIX Security Symposium (2011)

  13. Dolby, J., Sridharan, M.: Static and Dynamic Program Analysis Using WALA, PLDI Tutorial (2010). http://wala.sourceforge.net/files/PLDI_WALA_Tutorial.pdf

  14. Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 14th USENIX Security Symposium (2011)

  15. Enck, W., Gilbert, P., Chun, B.G, Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: 9th USENIX Symposium on Operating Systems Design and Implementation (2010)

  16. Enck, W., Ongtang, M., McDaniel, P.: Understanding android security. IEEE Secur. Priv. 7, 50–57 (2009)

    Article  Google Scholar 

  17. Enck, W., Ongtang, M., McDaniel, P.D.: On lightweight mobile phone application certification. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, Illinois, USA, November 9–13, 2009, pp. 235–245. ACM (2009)

  18. Ernst, M.D., Perkins, J.H., Guo, P.J., McCamant, S., Pacheco, C., Tschantz, M.S., Xiao, C.: The Daikon system for dynamic detection of likely invariants. Sci. Comput. Program. 69, 35–45 (2007)

    Article  MathSciNet  Google Scholar 

  19. Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, G.: Toward automated detection of logic vulnerabilities in web applications. In: USENIX Security Symposium, pp. 143–160 (2010)

  20. Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: Proceedings of the ACM SIGPLAN Conference on Programming language Design and Implementation, pp. 234–245. PLDI ’02 (2002)

  21. Fortify Software: Fortify Source Code Analyser (2012) http://www.fortify.com/products

  22. Fragkaki, E., Bauer, L., Jia, L., Swasey, D.: Modeling and enhancing Android’s permission system. In: 17th European Symposium on Research in Computer Security. LNCS, vol. 7459, pp. 1–18 (2012)

  23. Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. In: Trust and Trustworthy Computing, LNCS, vol. 7344, pp. 291–307. Springer, Berlin (2012)

  24. Google Inc.: Bluetooth (2012). http://developer.android.com/guide/topics/wireless/bluetooth.html

  25. Google Inc.: Permissions (2012). http://developer.android.com/guide/topics/security/permissions.html

  26. Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic detection of capability leaks in stock android smartphones. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012). USENIX Association (2012)

  27. Hatcliff, J., Leavens, G.T., Leino, K.R.M., Müller, P., Parkinson, M.: Behavioral interface specification languages. ACM Comput. Surv. 44(3), 16:1–16:58 (2012)

  28. Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. ACM Trans. Program. Lang. Syst. 12(1), 26–60 (1990)

    Article  Google Scholar 

  29. Jaeger, T., Edwards, A., Zhang, X.: Consistency analysis of authorization hook placement in the Linux security modules framework. ACM Trans. Inf. Syst. Secur. 7(2), 175–205 (2004)

    Article  Google Scholar 

  30. Krinke, J.: Advanced Slicing of Sequential and Concurrent Programs. Ph.D. Thesis, Universität Passau (2003)

  31. Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Behavioral Specifications of Businesses and Systems, pp. 175–188. Kluwer, Dordrecht (1999)

  32. Leino, K.R.M.: Applications of extended static checking. In: Proceedings of the 8th International Symposium on Static Analysis SAS. LNCS, vol. 2126, pp. 185–193. Springer, Berlin (2001)

  33. Lloyd, J., Jürjens, J.: Security analysis of a biometric authentication system using UMLsec and JML. In: MoDELS. Lecture Notes in Computer Science, vol. 5795, pp. 77–91. Springer, Berlin (2009)

  34. Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: CHEX: statically vetting Android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 229–240. CCS ’12 (2012)

  35. Meyer, B.: From structured programming to object-oriented design: the road to Eiffel. Struct. Program. 10(1), 19–39 (1989)

    Google Scholar 

  36. Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in Android. In: Proceedings of the 25th Annual Computer Security Applications Conference, pp. 340–349 (2009)

  37. Oracle Inc.: Compiler Tree API (2012). http://docs.oracle.com/javase/6/docs/jdk/api/javac/tree/com/sun/source/util/package-summary.html

  38. Pivotal Inc: Spring security 3.1.2 (2013). http://static.springsource.org/spring-security/site/index.html

  39. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, Chicago, USA, pp. 627–638. ACM (2011)

  40. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: STOWAWAY (2011). http://www.android-permissions.org/permissionmap.html

  41. Spark, D.: Enable camera permission check (2009), bug ID = 1869264

  42. Sridharan, M., Fink, S.J., Bodik, R.: Thin slicing. In: Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 112–122. PLDI ’07 (2007)

  43. Warnier, M.: Language Based Security for Java and JML. Ph.D. Thesis, Radboud University, Nijmegen, Netherlands (2006)

  44. Weiser, M.: Program slicing. In: Proceedings of the International Conference on Software Engineering, pp. 439–449. IEEE Press, Piscataway, NJ, USA (1981)

Download references

Acknowledgments

We would like to thank the anonymous reviewers for their comments, which greatly helped improve this manuscript. This work was supported by the German Federal Ministry of Education and Research (BMBF) under the grant 16KIS0074 (ZertApps project).

Author information

Authors and Affiliations

  1. Universität Bremen, Bremen, Germany

    Tanveer Mustafa & Karsten Sohr

Authors
  1. Tanveer Mustafa
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Karsten Sohr
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Karsten Sohr.

Appendix

Appendix

Subsequently, we give the sliced and annotated version of the DevicePolicyManagerService as an example. Due to the fact that generics are used, which currently are not supported by ESC/Java2, we had to replace the reference to the \(\mathtt{HashMap<ComponentName },\,\, \mathtt{ActiveAdmin> }\) class. Some methods, which are free of side effects, had also to be declared pure to assist ESC/Java2 in proving the verification conditions.

figure a
figure b

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Mustafa, T., Sohr, K. Understanding the implemented access control policy of Android system services with slicing and extended static checking. Int. J. Inf. Secur. 14, 347–366 (2015). https://doi.org/10.1007/s10207-014-0260-y

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-014-0260-y

Keywords

Search

Navigation