Resolving the predicament of android custom permissions
File(s)
ndss2018_08-4_Tuncay_paper.pdf (268 KB)
Published version
Author(s)
Tuncay, Güliz Seray
Demetriou, Soteris
Ganju, Karan
Gunter, Carl
Type
Conference Paper
Abstract
Android leverages a set of system permissions to protect platform resources. At the same time, it allows untrusted third-party applications to declare their own custom permissions to regulate access to app components. However, Android treats custom permissions the same way as system permissions even though they are declared by entities of different trust levels. In this work, we describe two new classes of vulnerabilities that arise from the 'predicament' created by mixing system and custom permissions in Android. These have been acknowledged as serious security flaws by Google and we demonstrate how they can be exploited in practice to gain unauthorized access to platform resources and to compromise popular Android apps. To address the shortcomings of the system, we propose a new modular design called Cusper for the Android permission model. Cusper separates the management of system and custom permissions and introduces a backward-compatible naming convention for custom permissions to prevent custom permission spoofing. We validate the correctness of Cusper by 1) introducing the first formal model of Android runtime permissions, 2) extending it to describe Cusper, and 3) formally showing that key security properties that can be violated in the current permission model are always satisfied in Cusper. To demonstrate Cusper's practicality, we implemented it in the Android platform and showed that it is both effective and efficient.
Date Issued
2018-02-18
Date Acceptance
2017-10-26
Citation
Network and Distributed System Security Symposium, 2018, pp.1-15
ISBN
1-891562-49-5
Publisher
Internet Society
Start Page
1
End Page
15
Journal / Book Title
Network and Distributed System Security Symposium
Copyright Statement
© 2018 Internet Society
Source
Network and Distributed System Security Symposium
Publication Status
Published
Start Date
2018-02-18
Finish Date
2018-02-21
Coverage Spatial
San Diego, CA, USA