Crowdroid: behavior-based malware detection system for Android
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Rooting android --- extending the ADB by an auto-connecting wifi-accessible service
NordSec'11 Proceedings of the 16th Nordic conference on Information Security Technology for Applications
MeadDroid: detecting monetary theft attacks in android by DVM monitoring
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Sleeping android: the danger of dormant permissions
Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
Hi-index | 0.00 |
This paper presents a flaw in the permission scheme of Android. The Android framework enforces a permission-based security policy where an application can access the other parts of the system only when the application is explicitly permitted. The security of the framework depends to a large extent on the owner of a device since the authorization decisions are mainly made by the user. As a result, the permission scheme imposes much of the administrative burden on the user instead of keeping it simple. Moreover, the framework does not impose enough controls nor support dynamic adjustment in the following respects: No naming rule or constraint is applied for a new permission declaration; once an application acquires a permission, the permission is never revoked during the lifetime of the application, two different permissions can be in use having the same name. These features of the framework can result in a security flaw. We explain how we found the flaw, demonstrate an exploit example, and discuss the solution.