Android Security
Your SlideShare is downloading.
×
Check these out next
More Related Content
Slideshows for you (20)
Viewers also liked (16)
Similar to Permission in Android Security: Threats and solution (20)
Recently uploaded (20)
Permission in Android Security: Threats and solution
- 1. Tandhy Simanjuntak
- 2. Permissions in Android Security: Threats and Solutions Permissions Threats Solutions Conclusion and Future Work
- 3. Permissions Allow apps to access resources Limited access to resources Installation time User approval
- 4. System Permissions URI Permissions Self-declare Permissions Permissions Type
- 5. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by system Allow access to system resources <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.INTERNET" /> </manifest>
- 6. System Permissions URI Permissions Self-declare Permissions Permissions Type version name Version number API Level Total Permissions KitKat 4.4 19 145 Jelly Bean 4.3 18 134 4.2 17 130 4.1 16 130 Ice Cream Sandwich 4.0.3 15 124 4.0 14 122 Honeycomb 3.2 13 117 3.1 12 116 3.0 11 116 Gingerbread 2.3.4 10 115 2.3.3 9 115 Froyo 2.2 8 112
- 7. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by system Allow access to data without grant permission to access content provider Email app and document/pdf reader app
- 8. System Permissions URI Permissions Self-declare Permissions Permissions Type Owned by apps Allow processes to access apps resources <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.me.app.myapp" > <permission android:name="com.me.app.myapp.permission.CHANGE_ROOT_PASSWD" android:label="@string/label_changeRootPasswd" android:description="@string/description_changeRootPasswd" android:permissionGroup="android.permission-group.PERSONAL_INFO" android:protectionLevel="dangerous" /> </manifest>
- 9. Normal Dangerous Signature Signature or System Permissions Protection Level
- 10. Permissions Request Flow 1. Install an app 2. System check permissions in AndroidManifest.xml 3. System ask user for approval User Approve ? System grants all permissions System cancel the installation System continue to installation process and App is installed System denies all permissions No Yes
- 11. Permissions Threats Permission Re-delegation Over-privilege Permission inheritance
- 12. Permissions Threats A: an App No INTERNET permission B: another App INTERNET permission A: Malicious App No INTERNET permission Android System Services INTERNET Rejected B: Vulnerable App INTERNET permission INTERNET INTERNET Accepted AcceptedPermission Re-delegation Over-privilege Permission inheritance
- 13. Permissions Threats Flashlight App Permission list: FLASHLIGHT INTERNET ACCESS_FINE_LOCATION READ_CONTACT B: Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA Over Privilege App Permission Re-delegation Over-privilege Permission inheritance
- 14. Flashlight App Permission list: FLASHLIGHT Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA UID: 0123-4567-8910 UID: 0123-4567-8910 Permissions Threats Flashlight App Permission list: FLASHLIGHT INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA UID: 0123-4567-8910 Social Media App Permission list: INTERNET ACCESS_FINE_LOCATION READ_CONTACT READ_PROFILE CAMERA FLASHLIGHT UID: 0123-4567-8910 Permission Re-delegation Over-privilege Permission inheritance
- 15. Solutions Permission Re-delegation Over-privilege Permission inheritance
- 16. Solutions Type of solution • System modification / Hook modification and services • Android services • Non-android application Implementation level • System/Kernel • Application • Separate system Run-time mode • Static • Dynamic
- 17. Permission Re-delegation Over-privilege Permission inheritance Solutions Name Type of Solution Implementation Running mode IPC Inspection System modification System Dynamic Quire System modification System Dynamic
- 18. Solutions Name Type of Solution Implementation Running mode Webifest Manifest file Application Static Stowaway Non-android apps Separate system Static Pscout Non-android apps Separate system Static RefineDroid Non-android apps Separate system Static Mr. Hide Android service Application Dynamic Dr. Android Non-android apps Separate system Static Apex System modification System Static SAINT System modification System Static and Dynamic Analysis Tool Non-android apps Separate system Static Permission Re-delegation Over-privilege Permission inheritance
- 19. Solutions Sign with different keys • Android apps • Application • Static Permission Re-delegation Over-privilege Permission inheritance
- 20. Solutions - Complete Matrix Threats Proposed Solution Type of Solution Implementation Level Solution Running mode Ref Permission Re- delegation IPC Inspection System modification System level Dynamic [9] Quire System modification System level Dynamic [18] Over Privilege Webifest website manifest file Application level Static [11] Stowaway Non-android application Separate system Static [12] PScout Non-android application Separate system Static [13] RefineDroid Non-android application Separate system Static [14] Mr. Hide Android service Application level Dynamic [14] Dr. Android Non-android application Separate system Static [14] Apex System modification System level Static [20] SAINT System modification System level Static and Dynamic [17] Static analysis tool Non-android application Separate system Static [23] Permission inheritance Sign apps with different keys android apps Application level Static [16]
- 21. Conclusio n 3 threats found Numbers of solutions Different implementation level
- 22. Future Work Combination of solutions Are solutions implemented? Cost matrix of solutions: performance, speed, power consumption, complexity
