close
Skip to main content

Assisting Developers in Preventing Permissions Related Security Issues in Android Applications

  • Conference paper
  • First Online:
Dependable Computing - EDCC 2021 Workshops (EDCC 2021)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1462))

Included in the following conference series:

  • 748 Accesses

  • 1 Citation

Abstract

Permissions related attacks are a widespread security issue in Android environment. Permissions misuse enables attackers to steal the application rights and perform malicious actions. While most of the existing solutions are advocated from end-users perspective, we take in this paper the developers perspective because security should be a software design concern. We propose a formal specification covering the permissions use by the current developers of Android applications, who are almost a third party developers. We underline a set of security properties. Then, we formally verify them by applying a Model Driven Reverse Engineering approach that enables abstraction and property verification. We implement the analysis approach as an IDE plug-in called PermDroid. Finally, we show the applicability of our approach through a case study.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+
from $39.99 /Month
  • Starting from 10 chapters or articles per month
  • Access and download chapters and articles from more than 300k books and 2,500 journals
  • Cancel anytime
View plans

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Free shipping worldwide - view details

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://gs.statcounter.com/os-market-share/mobile/worldwide/#monthly-201905-202005.

  2. 2.

    https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224.

  3. 3.

    http://developer.android.com/sdk/api_diff/30/changes.

  4. 4.

    https://www.techrepublic.com/article/ios-and-android-security-a-timeline-of-the-highlights-and-the-lowlights/.

  5. 5.

    https://source.android.com/devices/architecture/modular-system/permissioncontroller.

  6. 6.

    https://pagesperso.ls2n.fr/~andre-p/download/androidPerm.pdf.

  7. 7.

    See the web appendix (See Footnote 6).

  8. 8.

    https://wiki.eclipse.org/MoDisco.

  9. 9.

    https://www.vogella.com/tutorials/EclipseJDT/article.html.

  10. 10.

    https://www.eclipse.org/atl/.

  11. 11.

    https://f-droid.org/app/org.telegram.messenger.

References

  1. Almomani, I.M., Khayer, A.A.: A comprehensive analysis of the Android permissions system. IEEE Access 8, 216671–216688 (2020). https://doi.org/10.1109/ACCESS.2020.3041432

    Article  Google Scholar 

  2. Armando, A., Carbone, R., Costa, G., Merlo, A.: Android permissions unleashed. In: 2015 IEEE 28th Computer Security Foundations Symposium, pp. 320–333. IEEE (2015)

    Google Scholar 

  3. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 217–228 (2012)

    Google Scholar 

  4. Bagheri, H., Kang, E., Malek, S., Jackson, D.: A formal approach for detection of security flaws in the Android permission system. Formal Aspects Comput. 30(5), 525–544 (2017). https://doi.org/10.1007/s00165-017-0445-z

    Article  Google Scholar 

  5. Bello-Ogunu, E., Shehab, M.: PERMITME: integrating Android permissioning support in the IDE. In: Proceedings of the 2014 Workshop on Eclipse Technology eXchange, pp. 15–20 (2014)

    Google Scholar 

  6. Betarte, G., Campo, J., Cristiá, M., Gorostiaga, F., Luna, C., Sanz, C.: Towards formal model-based analysis and testing of Android’s security mechanisms. In: 2017 XLIII Latin American Computer Conference (CLEI), pp. 1–10. IEEE (2017)

    Google Scholar 

  7. Betarte, G., Campo, J., Luna, C., Romano, A.: Formal analysis of Android’s permission-based security model. Sci. Ann. Comput. Sci. 26(1), 27–68 (2016)

    MathSciNet  MATH  Google Scholar 

  8. Betarte, G., Campo, J., Luna, C., Sanz, C., Gorostiaga, F., Cristiá, M.: A formal approach for the verification of the permission-based security model of Android. CLEI Electron. J. 21(2) (2018)

    Google Scholar 

  9. Buchanan, W.: Introduction to Security and Network Forensics. Taylor & Francis (2011). https://books.google.fr/books?id=8uzM63AYi_MC

  10. Chester, P., Jones, C., Mkaouer, M.W., Krutz, D.E.: M-Perm: a lightweight detector for Android permission gaps. In: 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft), pp. 217–218. IEEE (2017)

    Google Scholar 

  11. Fang, Z., Han, W., Li, Y.: Permission based android security: issues and countermeasures. Comput. Secur. 43, 205–218 (2014)

    Article  Google Scholar 

  12. Fragkaki, Elli, Bauer, Lujo, Jia, Limin, Swasey, David: Modeling and enhancing Android’s permission system. In: Foresti, Sara, Yung, Moti, Martinelli, Fabio (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 1–18. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_1

    Chapter  Google Scholar 

  13. Guo, W.: Management system for secure mobile application development. In: Proceedings of the ACM Turing Celebration Conference, China, pp. 1–4 (2019)

    Google Scholar 

  14. He, X.: Modeling and analyzing the Android permission framework using high level Petri Nets. In: 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS), pp. 232–239. IEEE (2017)

    Google Scholar 

  15. Hoffmann, J., Ussath, M., Holz, T., Spreitzenbarth, M.: Slicing droids: program slicing for smali code. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, pp. 1844–1851 (2013)

    Google Scholar 

  16. Jha, A.K., Lee, S., Lee, W.J.: Developer mistakes in writing Android manifests: an empirical study of configuration errors. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 25–36. IEEE (2017)

    Google Scholar 

  17. Saaltink, M.: The Z/EVES system. In: Bowen, J.P., Hinchey, M.G., Till, D. (eds.) ZUM 1997. LNCS, vol. 1212, pp. 72–85. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0027284

    Chapter  Google Scholar 

  18. Sadeghi, A., Jabbarvand, R., Ghorbani, N., Bagheri, H., Malek, S.: A temporal permission analysis and enforcement framework for Android. In: Proceedings of the 40th International Conference on Software Engineering, ICSE 2018, pp. 846–857. ACM, New York (2018)

    Google Scholar 

  19. Scoccia, G.L., Peruma, A., Pujols, V., Malavolta, I., Krutz, D.E.: Permission issues in open-source Android apps: an exploratory study. In: 2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 238–249. IEEE (2019)

    Google Scholar 

  20. Seo, J., Kim, D., Cho, D., Shin, I., Kim, T.: FLEXDROID: enforcing in-app privilege separation in Android. In: NDSS (2016)

    Google Scholar 

  21. Spivey, J.M.: Z Notation - A Reference Manual, 2nd edn. Prentice Hall International Series in Computer Science. Prentice Hall (1992)

    Google Scholar 

  22. Vidas, T., Christin, N., Cranor, L.: Curbing Android permission creep. In: Proceedings of the Web, vol. 2, pp. 91–96 (2011)

    Google Scholar 

  23. Wu, S., Liu, J.: Overprivileged permission detection for Android applications. In: ICC 2019–2019 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2019)

    Google Scholar 

  24. Xu, G., Xu, S., Gao, C., Wang, B., Xu, G.: PerHelper: helping developers make better decisions on permission uses in Android apps. Appl. Sci. 9(18), 3699 (2019)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Mohammed El Amin Tebib.

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Tebib, M.E.A., André, P., Aktouf, OEK., Graa, M. (2021). Assisting Developers in Preventing Permissions Related Security Issues in Android Applications. In: Adler, R., et al. Dependable Computing - EDCC 2021 Workshops. EDCC 2021. Communications in Computer and Information Science, vol 1462. Springer, Cham. https://doi.org/10.1007/978-3-030-86507-8_13

Download citation

Keywords

Publish with us

Policies and ethics