Design patterns: elements of reusable object-oriented software
Design patterns: elements of reusable object-oriented software
A new family of authentication protocols
ACM SIGOPS Operating Systems Review
Practical Threshold RSA Signatures without a Trusted Dealer
EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Concrete Security for Entity Recognition: The Jane Doe Protocol
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
Understanding Android Security
IEEE Security and Privacy
On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Practical threshold signatures
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Split-and-delegate: threshold cryptography for the masses
FC'02 Proceedings of the 6th international conference on Financial cryptography
Survivable key compromise in software update systems
Proceedings of the 17th ACM conference on Computer and communications security
Proceedings of the 17th ACM conference on Computer and communications security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
On message recognition protocols: recoverability and explicit confirmation
International Journal of Applied Cryptography
Secure Software Installation on Smartphones
IEEE Security and Privacy
Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
A study of android application security
SEC'11 Proceedings of the 20th USENIX conference on Security
Permission re-delegation: attacks and defenses
SEC'11 Proceedings of the 20th USENIX conference on Security
Quire: lightweight provenance for smart phone operating systems
SEC'11 Proceedings of the 20th USENIX conference on Security
A survey of mobile malware in the wild
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
Proceedings of the 18th ACM conference on Computer and communications security
Reducing Unauthorized Modification of Digital Objects
IEEE Transactions on Software Engineering
Defending users against smartphone apps: techniques and future directions
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Is this app safe?: a large scale study on application permissions and risk signals
Proceedings of the 21st international conference on World Wide Web
Privacy as part of the app decision-making process
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
The company you keep: mobile malware infection rates and inexpensive risk indicators
Proceedings of the 23rd international conference on World wide web
Hi-index | 0.00 |
We provide a detailed analysis of two largely unexplored aspects of the security decisions made by the Android operating system during the app installation process: update integrity and UID assignment. To inform our analysis, we collect a dataset of Android application metadata and extract features from these binaries to gain a better understanding of how developers interact with the security mechanisms invoked during installation. Using the dataset, we find empirical evidence that Android's current signing architecture does not encourage best security practices. We also find that limitations of Android's UID sharing method force developers to write custom code rather than rely on OS-level mechanisms for secure data transfer between apps. As a result of our analysis, we recommend incrementally deployable improvements, including a novel UID sharing mechanism with applicability to signature-level permissions. We additionally discuss mitigation options for a security bug in Google's Play store, which allows apps to transparently obtain more privileges than those requested in the manifest.