Journal of Hardware and Systems Security

, Volume 3, Issue 1, pp 45–63 | Cite as

Unravelling Security Issues of Runtime Permissions in Android

  • Efthimios Alepis
  • Constantinos PatsakisEmail author


Mobile computing is conquering human-computer interaction and user Internet access over the last years. At the same time, smartphone devices are equipped with an increasing number of sensors, realizing context awareness, while accompanying their users in their daily life. As a result, these highly sophisticated and multi-modal devices deal with a surprisingly big amount of data, much of which is private and sensitive. To control data access, OSes have special permission mechanisms, often controlled by the users. The Android permission model has radically changed over the last years, in an effort to become more flexible and protect its users more effectively. This work presents a thorough analysis of the new android permission architecture, accompanied with a criticism regarding its advantages and disadvantages based on a number of disclosed security issues.


Android Security Permissions Privacy Smartphones 


Funding Information

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704). The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.


  1. 1.
    Achara JP, Cunche M, Roca V, Francillon A (2014) Wifileaks: underestimated privacy implications of the access_wifi_state android permission. In: Proceedings of the 2014 ACM conference on security and privacy in wireless & mobile networks, ACM, pp 231–236Google Scholar
  2. 2.
    Alepis E, Patsakis C (2017) Hey doc, is this normal?: exploring android permissions in the post marshmallow era. In: Ali SS, Danger J, Eisenbarth T (eds) Security, privacy, and applied cryptography engineering - 7th international conference, SPACE 2017, Goa, India, december 13-17, 2017, proceedings. Lecture notes in computer science, vol 10662. Springer, pp 53–73Google Scholar
  3. 3.
    Alepis E, Patsakis C (2017) Monkey says, monkey does: security and privacy on voice assistants. IEEE AccessGoogle Scholar
  4. 4.
    Alepis E, Patsakis C (2017) There’s wally! location tracking in android without permissions. In: Proceedings of the 3rd international conference on information systems security and privacy - Volume 1: ICISSP, INSTICC. ScitePress, pp 278–284.
  5. 5.
    Alepis E, Patsakis C (2017) Trapped by the ui: the android case. In: Proceedings of the 20th international symposium on research in attacks, intrusions and defenses. Springer. (To appear)Google Scholar
  6. 6.
    Alepis E, Patsakis C (2018) Session fingerprinting in android via web-to-app intercommunication. Security and Communication Networks 2018:7352030:1–7352030:13. CrossRefGoogle Scholar
  7. 7.
    Android Developer Manifest.permission – SYSTEM_ALERT_ WINDOW., date retrieved: 28/03/2017
  8. 8.
    Android Source Code (2017) platform_frameworks_base/core/ res/AndroidManifest.xml.
  9. 9.
    Balebako R, Jung J, Lu W, Cranor LF, Nguyen C (2013) Little brothers watching you: raising awareness of data leaks on smartphones. In: Proceedings of the ninth symposium on usable privacy and security. ACM, p 12Google Scholar
  10. 10.
    Barrera D, Kayacik HG, van Oorschot PC, Somayaji A (2010) A methodology for empirical analysis of permission-based security models and its application to android. In: Proceedings of the 17th ACM conference on computer and communications security, ACM, pp 73–84Google Scholar
  11. 11.
    Bartel A, Klein J, Le Traon Y, Monperrus M (2012) Automatically securing permission-based software by reducing the attack surface: an application to android. In: Proceedings of the 27th IEEE/ACM international conference on automated software engineering, ACM, pp 274–277Google Scholar
  12. 12.
    Blasco J, Chen TM (2017) Automated generation of colluding apps for experimental research. Journal of Computer Virology and Hacking Techniques 1–12Google Scholar
  13. 13.
    Book T, Pridgen A, Wallach DS (2013) Longitudinal analysis of android ad library permissions. arXiv:1303.0857
  14. 14.
    Book T, Wallach DS (2013) A case of collusion: a study of the interface between ad libraries and their apps. In: Proceedings of the third ACM workshop on security and privacy in smartphones & mobile devices, ACM, pp 79–86Google Scholar
  15. 15.
    Calciati P, Kuznetsov K, Bai X, Gorla A (2018) What did really change with the new release of the app?. In: Proceedings of the 15th international conference on mining software repositories, ACM, pp 142–152Google Scholar
  16. 16.
    Chen QA, Qian Z, Mao ZM (2014) Peeking into your app without actually seeing it: UI state inference and novel android attacks. In: 23rd USENIX security symposium (USENIX security 14). USENIX Association, San Diego, pp 1037–1052Google Scholar
  17. 17.
    Davi L, Dmitrienko A, Sadeghi AR, Winandy M (2011) Privilege escalation attacks on android. In: Information security. Springer, pp 346–360Google Scholar
  18. 18.
    Diao W, Liu X, Zhou Z, Zhang K (2014) Your voice assistant is mine: how to abuse speakers to steal information and control your phone. In: Proceedings of the 4th ACM workshop on security and privacy in smartphones & mobile devices, ACM, pp 63–74Google Scholar
  19. 19.
    Dimitriadis A, Efraimidis PS, Katos V (2016) Malevolent app pairs: an android permission overpassing scheme. In: Proceedings of the ACM international conference on computing frontiers, ACM, pp 431–436Google Scholar
  20. 20.
    Durumeric Z, Kasten J, Adrian D, Halderman JA, Bailey M, Li F, Weaver N, Amann J, Beekman J, Payer M et al (2014) The matter of heartbleed. In: Proceedings of the 2014 conference on internet measurement conference. ACM, pp 475–488Google Scholar
  21. 21.
    Economist T (2017) The world’s most valuable resource is no longer oil, but data.
  22. 22.
    Enck W, Gilbert P, Han S, Tendulkar V, Chun BG, Cox LP, Jung J, McDaniel P, Sheth AN (2014) Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS) 32(2):5CrossRefGoogle Scholar
  23. 23.
    EUGDPR (2018) The EU general data protection regulation.
  24. 24.
    Fahl S, Harbach M, Oltrogge M, Muders T, Smith M (2013) Hey, you, get off of my clipboard. In: International conference on financial cryptography and data security. Springer, pp 144–161Google Scholar
  25. 25.
    Faruki P, Bharmal A, Laxmi V, Ganmoor V, Gaur MS, Conti M, Rajarajan M (2015) Android security: a survey of issues, malware penetration, and defenses. IEEE Commun Surv Tutorials 17(2):998–1022CrossRefGoogle Scholar
  26. 26.
    Felt AP, Chin E, Hanna S, Song D, Wagner D (2011) Android permissions demystified. In: Proceedings of the 18th ACM conference on computer and communications security. ACM, pp 627–638Google Scholar
  27. 27.
    Felt AP, Greenwood K, Wagner D (2011) The effectiveness of application permissions. In: Proceedings of the 2nd USENIX conference on web application development, pp 7–7Google Scholar
  28. 28.
    Felt AP, Ha E, Egelman S, Haney A, Chin E, Wagner D (2012) Android permissions: user attention, comprehension, and behavior. In: Proceedings of the eighth symposium on usable privacy and security. ACM, p 3Google Scholar
  29. 29.
    Fratantonio Y, Qian C, Chung S, Lee W (2017) Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: Proceedings of the IEEE symposium on security and privacy (Oakland), San Jose, CAGoogle Scholar
  30. 30.
    Goodin D (2015) Beware of ads that use inaudible sound to link your phone, tv, tablet, and pc
  31. 31.
  32. 32.
  33. 33.
    Grace MC, Zhou Y, Wang Z, Jiang X (2012) Systematic detection of capability leaks in stock android smartphones. In: NDSSGoogle Scholar
  34. 34.
    Jeon J, Micinski KK, Vaughan JA, Fogel A, Reddy N, Foster JS, Millstein T (2012) Dr. android and mr. hide: fine-grained permissions in android applications. In: Proceedings of the second ACM workshop on security and privacy in smartphones and mobile devices. ACM, pp 3–14Google Scholar
  35. 35.
    Kelley PG, Consolvo S, Cranor LF, Jung J, Sadeh N, Wetherall D (2012) A conundrum of permissions: installing applications on an android smartphone. In: Financial cryptography and data security. Springer, pp 68–79Google Scholar
  36. 36.
    Kywe SM, Li Y, Petal K, Grace M (2016) Attacking android smartphone systems without permissions. In: 2016 14th annual conference on privacy, security and trust (PST). IEEE, pp 147–156Google Scholar
  37. 37.
    Orthacker C, Teufl P, Kraxberger S, Lackner G, Gissing M, Marsalek A, Leibetseder J, Prevenhueber O (2012) Android security permissions–can we trust them?. In: Security and privacy in mobile information and communication systems. Springer, pp 40–51Google Scholar
  38. 38.
    Patsakis C, Alepis E (2018) Knock-knock: the unbearable lightness of android notifications. In: Proceedings of the 4th international conference on information systems security and privacy, ICISSP 2018, Funchal, Madeira - Portugal, January 22-24, 2018. pp 52–61Google Scholar
  39. 39.
    Peles O, Hay R (2015) One class to rule them all: 0-day deserialization vulnerabilities in android. In: 9th USENIX workshop on offensive technologies (WOOT 15)Google Scholar
  40. 40.
    Poeplau S, Fratantonio Y, Bianchi A, Kruegel C, Vigna G (2014) Execute this! analyzing unsafe and malicious dynamic code loading in android applications. In: 21st annual network and distributed system security symposium, NDSS 2014, San Diego, california, USA, February 23-26, 2014. The Internet SocietyGoogle Scholar
  41. 41.
    SnoopWall (2014) Flashlight apps threat assessment report
  42. 42.
    Taylor VF, Martinovic I (2017) To update or not to update: insights from a two-year study of android app evolution. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security. ASIA CCS ’17. ACM, pp 45–57Google Scholar
  43. 43.
    Tsiakos V, Patsakis C (2016) Andropatchapp: taming rogue ads in android. In: Mobile, secure, and programmable networking - first international conference, MSPN 2016Google Scholar
  44. 44.
    Tuncay GS, Demetriou S, Ganju K, Gunter CA (2018) Resolving the predicament of android custom permissions. In: ISOC network and distributed systems security symposium (NDSS)Google Scholar
  45. 45.
    Wei X, Gomez L, Neamtiu I, Faloutsos M (2012) Permission evolution in the android ecosystem. In: Proceedings of the 28th annual computer security applications conference. ACM, pp 31–40Google Scholar
  46. 46.
    Wibson (2018) How much is your data worth? At least $240 per year. likely much more
  47. 47.
    Yang L, Boushehrinejadmoradi N, Roy P, Ganapathy V, Iftode L (2012) Short paper: enhancing users’ comprehension of android permissions. In: Proceedings of the second ACM workshop on security and privacy in smartphones and mobile devices. ACM, pp 21–26Google Scholar
  48. 48.
    Zhang X, Du W (2014) Attacks on android clipboard. In: International conference on detection of intrusions and malware, and vulnerability assessment. Springer, pp 72–91Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Department of InformaticsUniversity of PiraeusPiraeusGreece

Personalised recommendations