Splitting Third-Party Libraries’ Privileges from Android Apps

  • Conference paper
Information Security and Privacy (ACISP 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10343)

Abstract

Third-party libraries are very prevalent in the development of Android Apps. However, the wide use of third-party libraries may cause potential violations of users' privacy. In the original Android permission mechanism, host Apps share all permissions with their third-party libraries. Moreover, the details of most third-party libraries are not very clear to developers, and malicious code may be contained in them. With these privileges and malicious code, an attack may be conducted. In this paper, we present a novel privilege splitting mechanism for the third-party libraries in Android Apps. Different from other similar approaches, our system makes full use of the original permission mechanism to minimize the attack surface and the impact on the Android system. Because it requires only lightweight customization of Android, our system can be easily adapted to both the Dalvik and ART (Android Runtime) virtual machines. We deployed a prototype on a real Android device and evaluated its compatibility, effectiveness and performance. The experimental results show that our system is compatible with existing Apps, splits the third-party libraries' privileges effectively according to the given policies, and works well with negligible performance overhead.

Acknowledgement

This research was supported by the National Key Research and Development Program of China (Grant No. 2016YFB0800102) and the National Basic Research Program of China (973 Program No. 2013CB338001).

Author information

Correspondence to Yuewu Wang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Zhan, J., Zhou, Q., Gu, X., Wang, Y., Niu, Y. (2017). Splitting Third-Party Libraries’ Privileges from Android Apps. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_5

  • DOI: https://doi.org/10.1007/978-3-319-59870-3_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59869-7

  • Online ISBN: 978-3-319-59870-3

  • eBook Packages: Computer Science (R0)
