Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Permission in Android Security: Threats and solution

2,410 views

Published on

Possible threats found and mitigation

  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Permission in Android Security: Threats and solution

  1. 1. Tandhy Simanjuntak
  2. 2. Permissions in Android Security: Threats and Solutions Permissions Threats Solutions Conclusion and Future Work
  3. 3. Permissions Allow apps to access resources Limited access to resources Installation time User approval
  4. 4. System Permissions URI Permissions Self-declare Permissions Permissions Type
  5. 5. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by system Allow access to system resources <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.INTERNET" /> </manifest>
  6. 6. System Permissions URI Permissions Self-declare Permissions Permissions Type version name Version number API Level Total Permissions KitKat 4.4 19 145 Jelly Bean 4.3 18 134 4.2 17 130 4.1 16 130 Ice Cream Sandwich 4.0.3 15 124 4.0 14 122 Honeycomb 3.2 13 117 3.1 12 116 3.0 11 116 Gingerbread 2.3.4 10 115 2.3.3 9 115 Froyo 2.2 8 112
  7. 7. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by system Allow access to data without grant permission to access content provider Email app and document/pdf reader app
  8. 8. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by apps Allow processes to access apps resources <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.me.app.myapp" > <permission android:name="com.me.app.myapp.permission.CHANGE_ROOT_PASSWD" android:label="@string/label_changeRootPasswd" android:description="@string/description_changeRootPasswd" android:permissionGroup="android.permission-group.PERSONAL_INFO" android:protectionLevel="dangerous" /> </manifest>
  9. 9. Normal Dangerous Signature Signature or System Permissions Protection Level
  10. 10. Permissions Request Flow 1. Install an app 2. System check permissions in AndroidManifest.xml 3. System ask user for approval User Approve ? System grants all permissions System cancel the installation System continue to installation process and App is installed System denies all permissions No Yes
  11. 11. Permissions Threats Permission Re-delegation Over-privilege Permission inheritance
  12. 12. Permissions Threats A: an App No INTERNET permission B: another App INTERNET permission A: Malicious App No INTERNET permission Android System Services INTERNET Rejected B: Vulnerable App INTERNET permission INTERNET INTERNET Accepted AcceptedPermission Re-delegation Over-privilege Permission inheritance
  13. 13. Permissions Threats Flashlight App Permission list: FLASHLIGHT INTERNET ACCESS_FINE_LOCATION READ_CONTACT B: Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA Over Privilege App Permission Re-delegation Over-privilege Permission inheritance
  14. 14. Flashlight App Permission list: FLASHLIGHT Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA UID: 0123-4567-8910 UID: 0123-4567-8910 Permissions Threats Flashlight App Permission list: FLASHLIGHT INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA UID: 0123-4567-8910 Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA FLASHLIGHT UID: 0123-4567-8910 Permission Re-delegation Over-privilege Permission inheritance
  15. 15. Solutions Permission Re-delegation Over-privilege Permission inheritance
  16. 16. Solutions Type of solution • System modification / Hook modification and services • Android services • Non-android application Implementation level • System/Kernel • Application • Separate system Run-time mode • Static • Dynamic
  17. 17. Permission Re-delegation Over-privilege Permission inheritance Solutions Name Type of Solution Implementation Running mode IPC Inspection System modification System Dynamic Quire System modification System Dynamic
  18. 18. Solutions Name Type of Solution Implementation Running mode Webifest Manifest file Application Static Stowaway Non-android apps Separate system Static Pscout Non-android apps Separate system Static RefineDroid Non-android apps Separate system Static Mr. Hide Android service Application Dynamic Dr. Android Non-android apps Separate system Static Apex System modification System Static SAINT System modification System Static and Dynamic Analysis Tool Non-android apps Separate system Static Permission Re-delegation Over-privilege Permission inheritance
  19. 19. Solutions Sign with different keys • Android apps • Application • Static Permission Re-delegation Over-privilege Permission inheritance
  20. 20. Solutions - Complete Matrix Threats Proposed Solution Type of Solution Implementation Level Solution Running mode Ref Permission Re- delegation IPC Inspection System modification System level Dynamic [9] Quire System modification System level Dynamic [18] Over Privilege Webifest website manifest file Application level Static [11] Stowaway Non-android application Separate system Static [12] PScout Non-android application Separate system Static [13] RefineDroid Non-android application Separate system Static [14] Mr. Hide Android service Application level Dynamic [14] Dr. Android Non-android application Separate system Static [14] Apex System modification System level Static [20] SAINT System modification System level Static and Dynamic [17] Static analysis tool Non-android application Separate system Static [23] Permission inheritance Sign apps with different keys android apps Application level Static [16]
  21. 21. Conclusio n 3 threats found Numbers of solutions Different implementation level
  22. 22. Future Work Combination of solutions Are solutions implemented? Cost matrix of solutions: performance, speed, power consumption, complexity

×