A Formal Specification of Access Control in Android
A formal specification of any access control system enables deeper understanding of that system and facilitates security analysis. In this paper, we provide a comprehensive formal specification of access control in Android, a widely used mobile operating system. Prior work is limited in scope; in addition, recent developments in Android concerning dynamic runtime permissions require rethinking its formalization. Our formal specification comprises two parts, User-Initiated Operations (UIOs) and Application-Initiated Operations (AIOs), which are segregated based on the entity that initiates those operations. Formalizing access control in Android (ACiA) allowed us to discover many peculiar behaviors in Android's access control system. In addition, we discovered two significant issues with permissions in Android, which were reported to Google.
Keywords: Android, Permissions, Access control, Formal model
This work is partially supported by DoD ARO Grant W911NF-15-1-0518, NSF CREST Grant HRD-1736209 and NSF CAREER Grant CNS-1553696.