Application-centric security policies on unmodified Android

Nikhilesh Reddy, Jinseong Jeon, Jeffrey A. Vaughan, Todd Millstein, Jeffrey S. Foster
University of California, Los Angeles / University of Maryland, College Park
Technical Report #110017, UCLA Computer Science Department, July 5, 2011

Abstract

Google's Android platform uses a fairly standard resource-centric permission model to protect resources such as the camera, GPS, and Internet connection.
We claim that a much better permission model for developers and users would be application-centric, with a vocabulary that directly relates to application-level functionality, e.g., one permission could allow camera use, but only for barcode scanning; another could allow Internet access, but only to certain domains. Despite the large apparent gap between resource- and application-centric permissions, we argue that Android already provides the necessary mechanisms to support an expressive and practical form of application-centric policies. Specifically, each application-centric permission can be represented by a new Android permission and can be enforced by coupling the permission with a trusted service running in its own process. We present a survey of the top 24 free Android apps and show that a small vocabulary of application-centric permissions covers much of the functionality of those apps. We also describe a prototype implementation of our approach.
1 Overview

Google's Android is one of the most popular smartphone platforms, with more than 100 million activated devices, more than 200,000 applications in the Android Market, and an estimated 4.5 billion apps installed from the Market [8]. Security of Android applications (henceforth "apps") is a pressing concern, as apps can collect sensitive data from the user (e.g., usernames and passwords), access personal data stored on the device (e.g., calendar and contact information), and use sensitive device capabilities (e.g., telephony, GPS, and camera). Android takes an "open-publish" approach to app distribution, in which any app can be installed on any phone. To help address security concerns, the Android platform protects access to sensitive resources, including the camera, network sockets, and GPS receiver, with permissions. Each app includes an XML manifest file that lists the permissions requested by the app. When an app is installed, those permissions are shown to the user, who then decides whether or not to proceed with the installation. No additional permissions may be acquired when an app runs, and a security exception is raised if an app tries to access a resource without permission.
Android permissions today. While permissions on Android provide an important level of security, we have observed that, in practice, the design of Android's permission system routinely forces apps to acquire more powerful permissions than should be necessary. For example, an app that scans a product's barcode and then searches for it in a public database must have (at least) the Take Pictures and Full Internet Access permissions. As a result, apps with this feature (of which there are several in the Android Market) could potentially do much more than just barcode scanning. For example, they could access the geotag on a barcode image to find the user's location. More maliciously, they may be able to covertly capture images of a user's surroundings and transmit them anywhere on the Internet.

In our view, the basic problem with Android's permission system is that it is resource-centric: each permission typically controls access to a particular hardware or software resource. Thus, enforceable security policies only say what resources are accessed, with little or no indication of how or why they are used. This leaves developers on their own to ensure they use the resources safely and only to the extent necessary. Worse, when users are presented with a list of permissions an app requests, they are left to guess at whether the app uses those permissions safely.
Application-centric permissions on unmodified Android. There are two major challenges that any solution to this issue must address: First, Android is evolving rapidly, with new hardware and software capabilities emerging regularly, and thus any solution must be agile and adaptable. Second, the permissions required by apps must capture application-centric security properties that are intuitively understandable to both developers and users.

It is tempting to try to address this problem by enriching Android's permission system in various ways. For example, each existing permission could be sliced into smaller permissions granting rights to correspondingly finer units of resource access. As another example, an application's manifest could use an authorization language (e.g., DCC or KeyNote) to establish constraints on resource access. A program analysis or type system (e.g., JIF) could also be used to track how information flows through an app. However, we believe such approaches require making important architectural commitments up-front, and they may be difficult to evolve on such a rapidly changing platform. Furthermore, it is imperative that the policy language be kept simple for developers and users alike.
Perhaps surprisingly, we believe that Android already contains the key ingredients needed for a powerful and practical solution to the above challenges: interprocess communication, process isolation, and user-defined permissions. Interprocess communication enables an application to access rich functionality provided by trusted third parties. Process isolation ensures that applications only access that functionality through a well-defined interface, thereby allowing third parties to enforce arbitrarily expressive application-centric security policies. Finally, user-defined permissions allow these policies to be associated with simple Android permissions that applications must acquire to access the desired functionality.
Consider again the problem of supporting safe barcode scanning. An ideal security policy would specify that the camera may only be used to scan a barcode, and the resulting images are thrown away after processing. We propose to represent this policy as a new Android permission, ScanBarcodes, that grants access to a trusted library that obeys the policy. To do so, the library could have a single function that displays the current camera image, waits for a user click, and then scans the resulting image for a barcode, and returns the barcode's numerical value to the calling app. Furthermore, we can implement the library as an Android service that runs in a separate process. Therefore, while the library must be granted full camera access, an app that calls into the library need only be granted ScanBarcodes access, thereby providing a strong and understandable guarantee to both the app developer and users.
Although at first glance it seems we may need many such application-centric permissions, our hypothesis is that in practice a reasonably small set can dramatically improve the security of a wide variety of applications. Moreover, we envision an ecosystem in which many different vendors provide services associated with commonly desired application-centric permissions. These services will be far simpler than full apps and hence should be easy to audit for security, and they are attractive components for open-sourcing since they likely will not contain proprietary features of an app. Finally, by modularizing each application-centric permission in its own abstraction boundary, we decrease the potential for harm due to policy violations in these libraries. For example, our price-checking application would naturally use one service to provide the barcode scanning and a separate service to provide access to a barcode database on the Internet, thereby greatly reducing the potential for vulnerabilities caused by the interaction of camera and Internet permissions.
To explore these ideas, we have undertaken several preliminary tasks. We performed a survey of popular Android apps to identify their application-centric policies (Section 2). We implemented our proposed approach as an Android library ACPlib, which comprises three application-centric permissions and the associated services. Finally, we developed Redexer, a Dalvik bytecode rewriting framework that retrofits downloaded apps to use application-centric policies. We describe our preliminary experience using ACPlib and Redexer to enhance the security of existing and new apps (Section 3).
2 Feasibility study

We performed a preliminary study to evaluate the extent to which application-centric permissions can be shared across a variety of apps to enforce stronger security policies.

Methodology. Our feasibility study considered the top 24 free apps on Google's Android Market (footnote 1) as of April 13, 2011. These apps were selected because the Market website displays them prominently to users; they are widely installed (as reported on their Market home pages); and they represent a spectrum of application domains. The evaluation consisted of installing and running each app to understand its functionality, reading English-language privacy policies or other documentation when available, and, sometimes, crude analysis of binaries (using the Unix strings command). In the case of WhatsApp, only limited functionality was tested due to restrictions on app registration. For each app, we evaluated how it uses its current permission set and identified application-centric permissions that could replace some of these permissions.

Results. The results of our study are summarized in Figure 1. The top left-hand column of the table shows a selection of Android permissions requested by apps, and the bottom left-hand column shows application-centric permissions we identified as potential replacements. These permissions are described beneath the table and range from capturing specific Internet uses to restricting use of location data. We discuss several of our application-centric permissions in detail.
Internet permissions. Four of the 11 permissions pertain to the Internet. The permission InternetURL(domain) allows network connections only to domain and its subdomains. This is useful for the common case in which an app communicates with only a handful of known web services, e.g., Google's Sky Map can use InternetURL(google.com) in lieu of arbitrary Internet access.
Footnote 1: https://market.android.com/. The apps surveyed are Alchemy 1.10.2, Google Maps 5.4.0, Dropbox 1.1.1, GasBuddy - Find Cheap Gas 1.14, Street View on Google Maps 1.6.0.6, Angry Birds 1.5.3, Bubble Blast! 1.0.16, Shazam 2.5.3-BB70302, ASTRO File Manager 2.5.2, Pandora Radio 1.5.5, Advanced Task Killer 1.9.6B76, Barcode Scanner 3.53, Vaulty Free Hides Pictures 2.4.1, Facebook for Android 1.5.4, Free Music Downloader 1.8.3, Live Holdem Poker Pro 3.01, Angry Birds Rio 1.0.0, Horoscope 1.5.2, KakaoTalk 2.0.1, Flash Player 10.2.156.12, Bubble Blast 2 ver. 1.0.18, Google Sky Map 1.6.1, and WhatsApp Messenger 2.6.2642.
Figure 1: App-centric permissions for top 24 apps. [The table's cell markers did not survive extraction; only its headings and legend are reproduced here.]

Columns (apps): Alchemy, Angry Birds, A. Birds Rio, ASTRO, Barcode, Bubble Blast, Bub. Blast 2, Dropbox, Facebook, Flash player, Free Music, GasBuddy, Horoscope, KakaoTalk, Live Holdem, Maps, Pandora, Shazam, Sky Map, Street View, Task Killer, Vaulty, WhatsApp, YouTube.

Rows, top (built-in Android permissions): Full Internet Access; Storage contents; Location fine/coarse; Modify global settings; Read phone state/id; Take photos/videos.

Rows, bottom (application-centric permissions): AdsPrivate; AdsGeo; AnonUsage; InternetURL(developer); InternetURL(other); LocationBlock; LocationVisible; MobileBilling; ScanBarcodes; SDCardOwnFiles; SDCardShared; ToggleGPS.

AdsPrivate: May display ads, but without sharing personal information with advertisers.
AdsGeo: May display ads and may share your location, but no other personal information, with advertisers.
AnonUsage: May report anonymous usage information to its developers, including a random number identifying your copy of the app, but not you or your phone.
InternetURL(x): May access the internet services located at domain x.
LocationBlock: May access approximate location, accurate to 150 m (about one city block).
LocationVisible: May acquire accurate location, but only when the app's interface is showing.
MobileBilling: May bill you via your carrier, after requesting permission with a prompt.
ScanBarcodes: May use the camera to read barcodes and QR codes.
ToggleGPS: May enable or disable the GPS receiver.
SDCardOwnFiles: May manage files on its own area of the SD card; cannot read, edit, or delete other files.
SDCardShared: May manage files, such as music or photos, that are shared by several apps; cannot read, edit, or delete files that belong to other apps.

Notation: one marker indicates a built-in Android permission that can be replaced by one or more application-centric permissions; + indicates application-centric policies to be added; a second marker indicates policies that cannot obviously be removed. Some Android permissions, such as those related to account management, are outside the scope of this paper, and not shown.
The InternetURL permission is too coarse-grained to use for in-app advertising, since both the advertiser and the app developer have incentives to extensively share user data, violating reasonable privacy expectations. Yet totally forbidding communication with advertisers is also undesirable, as ad revenue encourages developers to release free apps. The permissions AdsPrivate and AdsGeo manage this tension by allowing advertising while restricting flows of private data. A similar AnonUsage permission is intended for the collection of general, anonymous analytics via services such as Flurry (footnote 2). (An alternative design could parametrize the permission by ad network.)

The application-centric Internet permissions above impose strong restrictions on Internet access while still allowing most desired functionality. Of the 23 apps that originally required Full internet access, 22 can be rewritten to use only application-centric Internet permissions. The remaining app, Free music, downloads media files from diverse domains and legitimately needs full Internet access.
Storage permissions. Android's default handling of external storage, such as SD cards, allows any app to modify data stored by any other app. This policy is overly broad for many apps, such as Free music, that should only deliberately modify media libraries, and for others, such as Horoscope, that do not appear to legitimately need to modify shared files at all. Indeed, we believe the restrictive SDCardOwnFiles and SDCardShared policies can replace Android's built-in storage permission for six of the ten apps that require it.
GPS permissions. We found that four of the seven apps that request the Modify global settings permission seem to use it solely to toggle the GPS unit on or off, to save power (as distinct from the right to access GPS location data, protected by a different permission). These apps can be granted the more restrictive ToggleGPS permission instead. Permissions LocationBlock and LocationVisible restrict access to GPS location data in two different ways, and these permissions appear sufficient to replace Android's GPS permission in seven out of eight apps. As suggested by LocationBlock, we believe the distinction of GPS vs. network location is less interesting than the distinction between highest-precision-possible vs. intentionally-degraded location.
Overall, of the requested Android permissions we studied, 71% are replaceable with application-specific permissions that are much more restrictive, and yet should not adversely affect functionality. The permissions InternetURL, AdsPrivate, and AnonUsage are applicable to at least 1/3 of surveyed apps, and InternetURL itself is applicable to 2/3. Finally, 8 of the 11 permissions are applicable to at least 10% of the surveyed apps. This study therefore provides preliminary evidence that for many Android apps, a small number of application-centric permissions can provide significantly stronger security guarantees without loss of functionality.
Implementing application-centric permissions. The 11 application-centric permissions we identified are intended to be enforceable by interposing a strong API, implemented via a service, between underlying resources and client apps. To give a flavor of how that might work, we sketch how two of the permissions could be enforced by a trusted service. For purposes of exposition we elide some details, notably Android's event-driven programming model and pervasive use of objects. (The prototype described in Section 3 does follow Android's programming model.)

First, consider the InternetURL(domain) permission, which allows an app to connect to (subdomains of) domain. This functionality can be implemented by a service with the following interface:

    Connection open(string url);
    byte[] read(Connection c);
    void write(Connection c, byte[] data);
    void close(Connection c);

In Android, global state is used to track a security context, and open(x) checks the current context for a permission of the form InternetURL(y), where the host of x is y or a subdomain of y. If such a permission exists, open connects to a socket and returns a valid Connection object. Otherwise, open raises a security exception. While this secure kernel provides few operations, wrappers can extend it to a richer interface.

Although Android does not directly support parameterized permissions such as InternetURL, these can be encoded using permission trees. A permission tree is a family of permissions whose names share a common prefix. For instance InternetURL(google.com) can be given the full name acplib.perm.URL.googlecom, which is part of the acplib.perm.URL tree. Services must be instructed to preregister tree elements before client installation, but this does not appear to be a fundamental limitation of the platform.

Footnote 2: http://www.flurry.com
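As an added example (mine, not ACPlib's code), here is the decision behind open(url) written in plain Java so that it runs without the Android SDK. The InternetURL(domain) grant is encoded as a name in the acplib.perm.URL tree exactly as above, the service keeps the list of domains it preregistered, and a request is allowed only if the caller holds the tree entry for some registered domain that equals the URL's host or is a parent of it on a label boundary. The set of permissions the caller holds is passed in as a plain Set; in a real service it would be derived from the caller's identity on the Binder side, for instance with Context.checkCallingPermission (an assumption about how the service would obtain it, not something the report states). The hostname-normalization rule, the restriction to http and https, and the sample domains are assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Added example, not ACPlib's code: the decision behind open(url) for InternetURL(domain). */
public final class InternetUrlPolicy {

    /** Tree prefix taken from the report's example name acplib.perm.URL.googlecom. */
    static final String TREE_PREFIX = "acplib.perm.URL.";

    /** Domains this service preregistered as tree elements (assumption: a fixed list). */
    private final List<String> registeredDomains;

    InternetUrlPolicy(List<String> registeredDomains) {
        this.registeredDomains = registeredDomains;
    }

    /** Lower-case, drop a trailing dot, and insist on a plain DNS name of at least two labels. */
    static String normalizeHost(String host) {
        if (host == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);
        }
        if (!h.matches("[a-z0-9-]+(\\.[a-z0-9-]+)+")) {
            throw new IllegalArgumentException("not a DNS name: " + host);
        }
        return h;
    }

    /**
     * InternetURL(google.com) -> acplib.perm.URL.googlecom, the report's encoding. Dropping the
     * dots is lossy, which is why the check below iterates over registered domains instead of
     * trying to decode a domain from a permission name.
     */
    static String permissionName(String domain) {
        return TREE_PREFIX + normalizeHost(domain).replace(".", "");
    }

    /**
     * Subdomain test on a label boundary: maps.google.com is under google.com, but
     * evilgoogle.com is not, which a bare endsWith("google.com") would accept.
     */
    static boolean isUnder(String host, String domain) {
        return host.equals(domain) || host.endsWith("." + domain);
    }

    /**
     * What open(x) decides: allowed iff the caller holds InternetURL(y) for some registered y
     * and the host of x is y or a subdomain of y. Only http and https are considered, and an
     * unparsable or non-DNS host is refused rather than matched (assumptions of this example).
     * callerPermissions stands in for what the service learns about the caller on the Binder
     * side, e.g. via Context.checkCallingPermission.
     */
    boolean mayOpen(String url, Set<String> callerPermissions) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false;
        }
        String host;
        try {
            host = normalizeHost(uri.getHost());
        } catch (IllegalArgumentException e) {
            return false;
        }
        for (String domain : registeredDomains) {
            if (callerPermissions.contains(permissionName(domain)) && isUnder(host, domain)) {
                return true;
            }
        }
        return false;   // the service raises a SecurityException at this point
    }

    public static void main(String[] args) {
        InternetUrlPolicy policy = new InternetUrlPolicy(List.of("google.com", "slashdot.org"));
        Set<String> skyMap = Set.of(permissionName("google.com"));   // holds InternetURL(google.com) only

        String[] requests = {
            "https://maps.google.com/maps",          // subdomain of the granted domain
            "http://google.com/",                    // the granted domain itself
            "https://evilgoogle.com/",               // suffix match without a label boundary
            "https://slashdot.org/",                 // registered, but not granted to this caller
            "https://google.com@evil.example/",      // granted domain appears only as userinfo
            "ftp://google.com/",                     // scheme outside the policy
        };
        for (String r : requests) {
            System.out.println((policy.mayOpen(r, skyMap) ? "allow  " : "refuse ") + r);
        }
    }
}
```

Two points in this check are where a naive implementation of the paragraph goes wrong: matching on a raw string suffix lets evilgoogle.com through, and matching on the URL text rather than the parsed host lets a userinfo component smuggle the granted name past the check while the connection goes elsewhere. Both cases are in the request list in main so the behaviour can be seen directly.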
Second, consider the AdsPrivate permission. A trusted library can mediate between apps and well-known ad services using an interface such as:

    enum AdService { ADMOB, JUMPTAP };
    Connection open(AdService a);
    byte[] newAd(Connection c);
    void close(Connection c);

This interface allows ads to be displayed (via newAd), but prevents the app from passing any information to an advertiser. The service could also mitigate covert timing channels using a combination of prefetching and delaying ad requests. One wrinkle is that online advertising requires that apps identify themselves using a unique id so that the right developer can be paid for clicks. The service can use the global context to identify calling apps, along with a well-known map from apps to ids that is consulted the first time an app requests an ad connection. Finally, while it would appear difficult to implement and maintain a single multi-advertiser abstraction layer, companies such as AdWhirl (footnote 3) do this already, albeit without our security focus.
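The following is an added example (mine, not ACPlib's code) of the AdsPrivate mediation sketched above, in plain Java so it runs without the Android SDK. It shows the two properties the paragraph asks for: the interface carries nothing the app chose except the ad service, and the only path to the ad network is a timer the service owns, so the advertiser observes a fixed fetch schedule rather than the app's request pattern. The package-to-id map, the batch size, and the fake network are constructed; resolving the caller's package from Binder.getCallingUid() on the RPC side is an assumption of this example, not something the report specifies.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import java.util.Map;

/**
 * Added example, not ACPlib's code: an AdsPrivate mediator. Apps can only obtain ads;
 * they cannot send the advertiser anything, and their call timing never reaches it.
 */
public final class AdsPrivateMediator {

    enum AdService { ADMOB, JUMPTAP }

    /** Outbound side. Only the ad service and the developer's id cross this boundary. */
    interface AdNetwork {
        byte[] fetch(AdService service, String developerId);
    }

    /** Handle returned by open(). The app chose nothing in it except the ad service. */
    static final class Connection {
        final String callerPackage;
        final AdService service;
        final Deque<byte[]> prefetched = new ArrayDeque<>();

        Connection(String callerPackage, AdService service) {
            this.callerPackage = callerPackage;
            this.service = service;
        }
    }

    private final Map<String, String> developerIds;   // well-known app -> ad id map (constructed)
    private final AdNetwork network;
    private final int batchSize;                       // ads fetched per connection per tick
    private final List<Connection> openConnections = new ArrayList<>();

    AdsPrivateMediator(Map<String, String> developerIds, AdNetwork network, int batchSize) {
        this.developerIds = developerIds;
        this.network = network;
        this.batchSize = batchSize;
    }

    /**
     * callerPackage is whatever the RPC layer resolved for the calling process (on Android,
     * Binder.getCallingUid() looked up through PackageManager; an assumption of this example),
     * never a value the app passed in, so an app cannot collect clicks under another app's id.
     */
    Connection open(String callerPackage, AdService service) {
        if (!developerIds.containsKey(callerPackage)) {
            throw new SecurityException("no ad id registered for " + callerPackage);
        }
        Connection c = new Connection(callerPackage, service);
        openConnections.add(c);
        return c;
    }

    /** Runs on the service's own timer, never from an app call: the only path to the network. */
    void tick() {
        for (Connection c : openConnections) {
            String developerId = developerIds.get(c.callerPackage);
            for (int i = 0; i < batchSize; i++) {
                c.prefetched.addLast(network.fetch(c.service, developerId));
            }
        }
    }

    /** Serve from the prefetched queue. An empty queue yields null; it never triggers a fetch. */
    byte[] newAd(Connection c) {
        return c.prefetched.pollFirst();
    }

    void close(Connection c) {
        openConnections.remove(c);
        c.prefetched.clear();
    }

    public static void main(String[] args) {
        int[] fetches = {0};   // what the simulated advertiser gets to observe
        AdNetwork fake = (service, developerId) -> {
            fetches[0]++;
            return (service + "/" + developerId + "/ad" + fetches[0]).getBytes(StandardCharsets.UTF_8);
        };
        AdsPrivateMediator m = new AdsPrivateMediator(Map.of("com.example.pricechecker", "dev-42"), fake, 2);

        try {
            m.open("com.example.unregistered", AdService.JUMPTAP);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }

        Connection c = m.open("com.example.pricechecker", AdService.ADMOB);
        m.tick();                                 // scheduled refill
        int served = 0;
        for (int i = 0; i < 5; i++) {             // a burst of app requests with arbitrary timing
            if (m.newAd(c) != null) {
                served++;
            }
        }
        m.tick();                                 // next scheduled refill
        System.out.println("app asked 5 times, got " + served
                + " ads; advertiser saw " + fetches[0] + " fetches, all on the timer");
        m.close(c);
    }
}
```

The cost of the design is visible in main: when the app asks faster than the schedule refills, newAd returns null and the app shows nothing, which is the trade the paragraph makes when it mentions delaying requests. What the app cannot do is turn its own behaviour into a signal, because neither the number nor the timing of its newAd calls changes what the network sees.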
3 ACPlib and Redexer

To gain preliminary experience with some of the permissions discussed in Section 2, we implemented a prototype application-centric permission system for Android. Our system comprises two main components: ACPlib, which provides an implementation of application-centric permissions and their associated services, and Redexer, a Dalvik-to-Dalvik rewriting system that can modify apps, even without having their source code, to use ACPlib.

Footnote 3: https://www.adwhirl.com

ACPlib. ACPlib is a collection of Android services, each implementing one of the following permissions: InternetUrl, LocationBlock, or ScanBarcodes.
The services listen for request messages from client apps and ensure client apps have appropriate privileges before servicing requests. As described in Section 2, security dictates that ACPlib services run in separate processes from their clients, with communication only via Android's RPC mechanism. Using this directly is more complex than simply calling privileged system routines. To ameliorate this, ACPlib provides drop-in API replacements for system libraries that handle the necessary RPC calls to ACPlib internally. For example, instead of calling java.net.URLConnection.openConnection() to open an Internet connection, users now call apclib.net.URLConnection.openConnection(). Additionally, apps must bind to ACPlib, typically done in the app's onCreate() method.
Redexer. ACPlib can be used as-is by security-conscious developers to reduce the privilege level of their apps. We also expect that app users will wish to retrofit existing apps to use ACPlib, e.g., to restrict the websites apps can visit or coarsen the location information revealed to apps. To this end, we have begun development of Redexer, a Dalvik binary rewriting framework that modifies application bundles to replace Android API calls with ACPlib equivalents. Redexer also adds the Dalvik code for ACPlib's replacement APIs to the application.
One surprising challenge in developing Redexer is the rules that Android's verifier enforces before it will execute a Dalvik bytecode file. In particular, Dalvik files contain several indexed "identifier lists" of data that is shared across methods, e.g., strings, types, field and method definitions, etc. The Android verifier requires that such pools are both duplicate-free and sorted in a particular order. This causes some complications when adding the ACPlib API to the app's Dalvik file. For example, there must be only one string "V" representing the type void in a Dalvik file, and it is almost guaranteed this type will appear in both the app's code and in the ACPlib API code; thus upon merging, we must eliminate one copy and rewrite one or the other file accordingly.
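As an added illustration (mine, not Redexer's code), the merge that paragraph describes for the string identifier list, in plain Java: the two pools are unioned into one sorted, duplicate-free pool, and each side gets an old-to-new index table through which its string-referencing operands are rewritten. The sample pools are constructed; the sort order is String.compareTo, an approximation of the dex rule noted in the comments.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;

/**
 * Added example, not Redexer's code: merging the string identifier lists of two Dalvik
 * files (the app and the ACPlib API) into one pool that is duplicate-free and sorted,
 * and producing the index remaps needed to rewrite each side's references.
 */
public final class StringPoolMerge {

    /** Merged pool plus old-index -> new-index tables for each input. */
    static final class Merged {
        final List<String> pool;
        final int[] remapApp;
        final int[] remapLib;

        Merged(List<String> pool, int[] remapApp, int[] remapLib) {
            this.pool = pool;
            this.remapApp = remapApp;
            this.remapLib = remapLib;
        }
    }

    /** The verifier's constraint: strictly increasing, hence sorted and without duplicates. */
    static boolean isValidPool(List<String> pool) {
        for (int i = 1; i < pool.size(); i++) {
            if (pool.get(i - 1).compareTo(pool.get(i)) >= 0) {
                return false;
            }
        }
        return true;
    }

    /**
     * Sort order assumption: String.compareTo, i.e. UTF-16 code unit order. The dex
     * string_ids rule is code point order, which agrees with this for BMP strings; a real
     * tool would compare code points so that supplementary characters sort correctly.
     */
    static Merged merge(List<String> app, List<String> lib) {
        if (!isValidPool(app) || !isValidPool(lib)) {
            throw new IllegalArgumentException("input pools must already satisfy the verifier");
        }
        TreeSet<String> union = new TreeSet<>();   // dedups and sorts in one step
        union.addAll(app);
        union.addAll(lib);
        List<String> pool = new ArrayList<>(union);

        Map<String, Integer> index = new HashMap<>();
        for (int i = 0; i < pool.size(); i++) {
            index.put(pool.get(i), i);
        }
        return new Merged(pool, remapFor(app, index), remapFor(lib, index));
    }

    private static int[] remapFor(List<String> old, Map<String, Integer> index) {
        int[] remap = new int[old.size()];
        for (int i = 0; i < old.size(); i++) {
            remap[i] = index.get(old.get(i));
        }
        return remap;
    }

    /** Rewrite the string-index operands of one side's instructions (e.g. const-string) through its remap. */
    static int[] rewriteOperands(int[] oldIndices, int[] remap) {
        int[] out = new int[oldIndices.length];
        for (int i = 0; i < oldIndices.length; i++) {
            out[i] = remap[oldIndices[i]];
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed pools. Each is sorted and duplicate-free on its own, as the verifier
        // demands, but both contain "V" (void) and "Ljava/lang/Object;".
        List<String> app = List.of("Lcom/example/app/Main;", "Ljava/lang/Object;", "V", "onCreate");
        List<String> lib = List.of("Lacplib/net/URLConnection;", "Ljava/lang/Object;", "V", "openConnection");

        Merged m = merge(app, lib);
        System.out.println("merged pool: " + m.pool);
        System.out.println("valid for the verifier: " + isValidPool(m.pool));
        System.out.println("app remap: " + Arrays.toString(m.remapApp));
        System.out.println("lib remap: " + Arrays.toString(m.remapLib));

        // An app method that referenced strings 2 ("V") and 3 ("onCreate") by old index.
        int[] operands = {2, 3};
        System.out.println("rewritten operands: " + Arrays.toString(rewriteOperands(operands, m.remapApp)));
    }
}
```

The string list is the easy case. The type list is sorted by string index, and the field and method lists by their type and name indices, so a remap of strings forces a re-sort and remap of types, which in turn forces the same for fields, methods, and prototypes; each list needs the same union-and-remap step, applied in dependency order, before the verifier will accept the result.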
Another challenge for Redexer is that some apps call ACPlib services from onCreate(), but (due to Android's event-driven semantics) the connection to ACPlib cannot be established until after onCreate() returns. Thus, Redexer splits onCreate() into two methods: It heuristically keeps all the code up to and including the setContentView() call (which sets up the user interface) in onCreate(), and then appends a call to perform the binding. We move the remainder of the code into a new droidLibOnCreate() method that is invoked by ACPlib after the binding completes. We expect to make this mechanism more robust in the future.
Preliminary Experience. While ACPlib and Redexer are far from fully mature, we were able to modify the source of two existing apps to use ACPlib and to rewrite two apps automatically using Redexer. We also built a new app from scratch using ACPlib.

Google Translate (footnote 4) is a very popular app that requests full Internet permissions, but only contacts the googleapis.com domain. We manually edited the source code of the app to use InternetURL(googleapis.com) instead. We found the necessary changes easy to make, and after making the changes, the app continues to work correctly.

Maurauder's Map is a route-planning app we wrote prior to ACPlib. We manually updated its source to use LocationBlock, allowing users to find reasonable routes without revealing their exact location. As before the changes were easy to make and the app continues to work well.

Footnote 4: http://code.google.com/p/apps-for-android/

Slashdot RSS Reader (footnote 5) is an app that contacts the slashdot.org domain to retrieve an RSS feed, articles, and comments. We used Redexer to rewrite the app to use InternetURL(slashdot.org). The domain was found automatically using Redexer to search for URLs in the binary.

We implemented a PriceChecker app from scratch that uses ScanBarcodes to scan barcodes and InternetURL(searchupc.com) to look up the price for the scanned item. This was easy to write using ACPlib's barcode scanning library.
4 Related Work

Others have also recognized the limitations of Android's resource-centric permission model. Barrera et al. [1] and Felt et al. [7] analyze the way permissions are used in Android and Chrome OS apps. Both groups observe that only a small number of Android permissions are widely used but that some of these, in particular Internet permissions, are overly broad. Some researchers have developed tools that have found a variety of security issues in Android apps [4, 5]. While our approach cannot guarantee the absence of the security vulnerabilities found by such tools, we believe it can help make apps more secure in practice. We believe ACPlib is complementary to such tools as they address different sorts of security properties. Furthermore, trusted libraries like ACPlib are prime candidates for automated validation, as reuse allows verification costs to be amortized and high security requirements can justify remaining per-app costs.

Others have also proposed enhanced permission mechanisms for Android. MockDroid changes the Android OS so that users can "mock" a subset of an application's resource-centric permissions, causing accesses to those resources to silently fail [2]. Apex is similar and also lets the user enforce simple constraints such as the number of times per day a resource may be accessed [9]. Kirin employs a set of user-defined security rules to flag potential malware at install time [6]. These tools allow users to trade off app functionality for privacy, but they inherit the resource-centric nature of Android permissions, which can limit their effectiveness. For example, denying Internet access to Google Translate would render it useless, so a MockDroid user must allow such access, whereas our application-centric policy provides a much stronger guarantee. Moreover, our approach can be implemented purely as a library, with no modifications to the underlying Android OS.

Saint enriches permissions on Android to support a variety of installation constraints, e.g., a permission can include a whitelist of apps that may request it [10]. In our limited experience, we have not yet needed this capability. ComDroid [3] analyzes inter-application communication for potential security risks. This tool could complement our proposed approach, which relies heavily on inter-application communication with trusted third parties.

Footnote 5: http://code.google.com/p/slashdot/

5 Conclusion and Future Work

We introduced the idea of application-centric permissions and argued that they are an expressive and practical approach to increase the security of Android apps today. We believe the same idea can also be applied to other permission systems. In the future, we plan to develop a wider vocabulary of application-centric permissions; implement more permissions in ACPlib; and improve Redexer so that we can automatically rewrite more apps. We also hope to conduct a study to determine how developers and users would understand and use application-centric permissions.
References

[1] D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. A methodology for empirical analysis of permission-based security models and its application to Android. In CCS, pages 73–84, 2010.
[2] A. R. Beresford, A. Rice, N. Skehin, and R. Sohan. MockDroid: trading privacy for application functionality on smartphones. In HotMobile, 2011.
[3] E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In MobiSys, 2011. To appear.
[4] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, 2010.
[5] W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A study of Android application security. In USENIX Security, 2011.
[6] W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In CCS, pages 235–245, 2009.
[7] A. P. Felt, K. Greenwood, and D. Wagner. The effectiveness of application permissions. In WebApps, 2011. To appear.
[8] Google. Android: momentum, mobile and more at Google I/O, May 2011. http://googleblog.blogspot.com/2011/05/android-momentum-mobile-and-more-at.html.
[9] M. Nauman, S. Khan, and X. Zhang. Apex: extending Android permission model and enforcement with user-defined runtime constraints. In ASIACCS, pages 328–332, 2010.
[10] M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in Android. In ACSAC, pages 340–349, 2009.
