Abstract
Nowadays, redundant permissions and probing permissions are common in Android applications and third-party libraries, which may cause massive security threats to their users. Existing tools used for permission analysis may introduce incorrect detection results, due to their regardless of the relationships between permissions and the values of function parameters and fields. In order to extract the exact used permissions in Android applications and third-party libraries, we propose a Dalvik register-based data flow analysis technique (DARFA) to get the parameter values of function parameters and fields. By leveraging DARFA, we design and implement PermHunter, a static analysis tool, to detect redundant permissions and probing permissions in Android apps and third-party libraries. We have evaluated PermHunter by analyzing 45 third-party libraries and 653 applications. These results indicate that nearly half of these third-party libraries have redundant permissions and probing permissions, and the proportions in Android applications are even higher.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Felt, A.P., Chin, E., Hanna, S., et al.: Android permissions demystified. In: Proceedings of the 2011 ACM Conference on Computer and Communications Security (CCS), pp. 627–638. ACM, New York (2011)
Au, K.W.Y., Zhou, Y.F., Huang, Z., et al.: PScout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS), pp. 217–228. ACM, New York (2012)
Backes, M., Bugiel, S., Derr, E., et al.: On demystifying the android application framework: re-visiting android permission sepecification analysis. In: Proceedings of the 25th USENIX Security Symposium (USENIX Security), pp. 1101–1118. USENIX Association, Berkeley (2016)
Arzt, S., Rasthofer, S., Fritz, C., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language De-sign and Implementation (PLDI), pp. 259–269. ACM, New York (2014)
AndroBugs\(\_\)Framework. https://github.com/AndroBugs/AndroBugs_Framework. Accessed 4 Apr 2017
axplorer demystifying the Android Application Framework. http://www.axplorer.org/. Accessed 11 Oct 2017
PScout. http://pscout.csl.toronto.edu/downloads.php. Accessed 15 Apr 2017
AppBrain-Android library statistics. http://www.appbrain.com/stats/libraries. Accessed 4 Feb 2017
Baidu developer. http://developer.baidu.com/platform/catalog/navigation-c/node/n301. Accessed 4 Feb 2017
Weixin Developer. https://open.weixin.qq.com. Accessed 4 Feb 2017
Umeng. http://www.umeng.com/codecenter.html. Accessed 4 Feb 2017
DevStore. http://www.devstore.cn/service/newproductList/sta3-cla4.html. Accessed 4 Feb 2017
Vidas, T., Christin, N., Cranor, L.: Curbing android permission creep. In: Proceedings of the Web 2.0 Security and Privacy 2011 Workshop (W2sp) (2011)
Bartel, A., Klein, J., Traon, Y. L., et al.: Automatically securing permission-based software by reducing the attack surface: an application to Android. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 274–277. ACM, New York (2012)
Grace, M.C., Zhou, W., Jiang, X., et al.: Unsafe exposure analysis of mobile in- app advertisements. In: Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 101–112. ACM, New York(2012)
Fuchs, A.P., Chaudhuri, A., Foster, J. S.: SCanDroid: automated security certification of android applications. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (S&P). IEEE, Piscataway (2010)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Lu, Y. et al. (2018). A Comprehensive Study of Permission Usage on Android. In: Au, M., et al. Network and System Security. NSS 2018. Lecture Notes in Computer Science(), vol 11058. Springer, Cham. https://doi.org/10.1007/978-3-030-02744-5_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-02744-5_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02743-8
Online ISBN: 978-3-030-02744-5
eBook Packages: Computer ScienceComputer Science (R0)