Analysis of the Impact of Permissions on the Vulnerability of Mobile Applications

  • Gouayon Koala
  • Didier Bassolé
  • Aminata Zerbo/Sabané
  • Tegawendé F. Bissyandé
  • Oumarou Sié
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 311)

Abstract

In this paper, we explored the potential risks of permissions that benign apps request without explanation, with the aim of preserving the confidentiality and availability of personal data. More precisely, we focused on the mechanisms for managing risky permissions under Android in order to limit the impact of these permissions on vulnerability vectors. We analyzed a sample of forty (40) apps developed in Burkina Faso and identified abuses of dangerous permissions in several apps relative to their functional needs. We also discovered combinations of dangerous permissions that expose the confidentiality of the data. This analysis allowed us to establish a link between permissions and vulnerabilities, as a source of risk to data security. These risks facilitate privilege exploits, which should be reduced. We have therefore proposed to administrators, developers and users the need to coordinate resolution mechanisms to better guide the permissions required by benign apps on Android.

Keywords

Permission abuse, Vulnerability, Privilege exploit, Security

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020

Authors and Affiliations

  • Gouayon Koala (1)
  • Didier Bassolé (1)
  • Aminata Zerbo/Sabané (1)
  • Tegawendé F. Bissyandé (1)
  • Oumarou Sié (1)

  1. Laboratoire de Mathématiques et d’Informatique, Université Joseph Ki-Zerbo, Ouagadougou, Burkina Faso
