Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

6

Share

Download to read offline

Permission in Android Security: Threats and solution

Download to read offline

Possible threats found and mitigation

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Permission in Android Security: Threats and solution

  1. 1. Tandhy Simanjuntak
  2. 2. Permissions in Android Security: Threats and Solutions Permissions Threats Solutions Conclusion and Future Work
  3. 3. Permissions Allow apps to access resources Limited access to resources Installation time User approval
  4. 4. System Permissions URI Permissions Self-declare Permissions Permissions Type
  5. 5. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by system Allow access to system resources <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.INTERNET" /> </manifest>
  6. 6. System Permissions URI Permissions Self-declare Permissions Permissions Type version name Version number API Level Total Permissions KitKat 4.4 19 145 Jelly Bean 4.3 18 134 4.2 17 130 4.1 16 130 Ice Cream Sandwich 4.0.3 15 124 4.0 14 122 Honeycomb 3.2 13 117 3.1 12 116 3.0 11 116 Gingerbread 2.3.4 10 115 2.3.3 9 115 Froyo 2.2 8 112
  7. 7. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by system Allow access to data without grant permission to access content provider Email app and document/pdf reader app
  8. 8. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by apps Allow processes to access apps resources <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.me.app.myapp" > <permission android:name="com.me.app.myapp.permission.CHANGE_ROOT_PASSWD" android:label="@string/label_changeRootPasswd" android:description="@string/description_changeRootPasswd" android:permissionGroup="android.permission-group.PERSONAL_INFO" android:protectionLevel="dangerous" /> </manifest>
  9. 9. Normal Dangerous Signature Signature or System Permissions Protection Level
  10. 10. Permissions Request Flow 1. Install an app 2. System check permissions in AndroidManifest.xml 3. System ask user for approval User Approve ? System grants all permissions System cancel the installation System continue to installation process and App is installed System denies all permissions No Yes
  11. 11. Permissions Threats Permission Re-delegation Over-privilege Permission inheritance
  12. 12. Permissions Threats A: an App No INTERNET permission B: another App INTERNET permission A: Malicious App No INTERNET permission Android System Services INTERNET Rejected B: Vulnerable App INTERNET permission INTERNET INTERNET Accepted AcceptedPermission Re-delegation Over-privilege Permission inheritance
  13. 13. Permissions Threats Flashlight App Permission list: FLASHLIGHT INTERNET ACCESS_FINE_LOCATION READ_CONTACT B: Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA Over Privilege App Permission Re-delegation Over-privilege Permission inheritance
  14. 14. Flashlight App Permission list: FLASHLIGHT Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA UID: 0123-4567-8910 UID: 0123-4567-8910 Permissions Threats Flashlight App Permission list: FLASHLIGHT INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA UID: 0123-4567-8910 Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA FLASHLIGHT UID: 0123-4567-8910 Permission Re-delegation Over-privilege Permission inheritance
  15. 15. Solutions Permission Re-delegation Over-privilege Permission inheritance
  16. 16. Solutions Type of solution • System modification / Hook modification and services • Android services • Non-android application Implementation level • System/Kernel • Application • Separate system Run-time mode • Static • Dynamic
  17. 17. Permission Re-delegation Over-privilege Permission inheritance Solutions Name Type of Solution Implementation Running mode IPC Inspection System modification System Dynamic Quire System modification System Dynamic
  18. 18. Solutions Name Type of Solution Implementation Running mode Webifest Manifest file Application Static Stowaway Non-android apps Separate system Static Pscout Non-android apps Separate system Static RefineDroid Non-android apps Separate system Static Mr. Hide Android service Application Dynamic Dr. Android Non-android apps Separate system Static Apex System modification System Static SAINT System modification System Static and Dynamic Analysis Tool Non-android apps Separate system Static Permission Re-delegation Over-privilege Permission inheritance
  19. 19. Solutions Sign with different keys • Android apps • Application • Static Permission Re-delegation Over-privilege Permission inheritance
  20. 20. Solutions - Complete Matrix Threats Proposed Solution Type of Solution Implementation Level Solution Running mode Ref Permission Re- delegation IPC Inspection System modification System level Dynamic [9] Quire System modification System level Dynamic [18] Over Privilege Webifest website manifest file Application level Static [11] Stowaway Non-android application Separate system Static [12] PScout Non-android application Separate system Static [13] RefineDroid Non-android application Separate system Static [14] Mr. Hide Android service Application level Dynamic [14] Dr. Android Non-android application Separate system Static [14] Apex System modification System level Static [20] SAINT System modification System level Static and Dynamic [17] Static analysis tool Non-android application Separate system Static [23] Permission inheritance Sign apps with different keys android apps Application level Static [16]
  21. 21. Conclusio n 3 threats found Numbers of solutions Different implementation level
  22. 22. Future Work Combination of solutions Are solutions implemented? Cost matrix of solutions: performance, speed, power consumption, complexity
  • AlanRoy5

    Oct. 3, 2018
  • HamedDadpour

    Feb. 14, 2016
  • mostafasafavi

    Sep. 1, 2015
  • kazemsamiei

    Jun. 22, 2015
  • johnhoder

    Feb. 7, 2015
  • mailsunda

    Dec. 5, 2014

Possible threats found and mitigation

Views

Total views

2,991

On Slideshare

0

From embeds

0

Number of embeds

15

Actions

Downloads

170

Shares

0

Comments

0

Likes

6

×