Towards Unified Authorization for Android

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7781)

Abstract

Android applications that manage sensitive data such as email and files downloaded from cloud storage services need to protect their data from malware installed on the phone. While prior security analyses have focused on protecting system data such as GPS locations from malware, not much attention has been given to the protection of application data. We show that many popular commercial applications incorrectly use Android authorization mechanisms, leading to attacks that steal sensitive data. We argue that formal verification of application behaviors can reveal such errors, and we present a formal model in ProVerif that accounts for a variety of Android authorization mechanisms and system services. We write models for four popular applications and analyze them with ProVerif to point out attacks. As a countermeasure, we propose Authzoid, a sample standalone application that lets applications define authorization policies and enforces them on their behalf.

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

May, M.J., Bhargavan, K. (2013). Towards Unified Authorization for Android. In: Jürjens, J., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2013. Lecture Notes in Computer Science, vol 7781. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36563-8_4

  • DOI: https://doi.org/10.1007/978-3-642-36563-8_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36562-1

  • Online ISBN: 978-3-642-36563-8

  • eBook Packages: Computer Science, Computer Science (R0)
