Sleeping android: the danger of dormant permissions

Authors:
James Sellwood;Jason Crampton
Affiliations:
Royal Holloway, University of London, Egham, United Kingdom;Royal Holloway, University of London, Egham, United Kingdom
Venue:
Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
Year:
2013

Citing 9
Cited 0

A methodology for empirical analysis of permission-based security models and its application to android

Proceedings of the 17th ACM conference on Computer and communications security
A Small But Non-negligible Flaw in the Android Permission Scheme

POLICY '10 Proceedings of the 2010 IEEE International Symposium on Policies for Distributed Systems and Networks
Short paper: a look at smartphone permission models

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
Is this app safe?: a large scale study on application permissions and risk signals

Proceedings of the 21st international conference on World Wide Web
Android permissions: user attention, comprehension, and behavior

Proceedings of the Eighth Symposium on Usable Privacy and Security
How to ask for permission

HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
PScout: analyzing the Android permission specification

Proceedings of the 2012 ACM conference on Computer and communications security
A conundrum of permissions: installing applications on an android smartphone

FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

An Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require and these permissions must be authorized by the user of the device when the app is installed. Permissions, and the tools that are used to manage them, form the basis of the Android permission architecture, which is an essential part of the access control services provided by the Android platform. We have analyzed the evolution of the Android permission architecture across six versions of the Android platform, identifying various changes which have occurred during that period and a considerable amount of information about the permission architecture which is not included in the Android documentation. Using this information, we have identified a weakness in the way that the Android platform handles app permissions during platform upgrades. We explain how this weakness may be exploited by a developer to produce malicious software which the average user is unlikely to detect. We conclude with a discussion of potential mitigation techniques for this weakness, highlighting concerns drawn from other research in this area.