Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
skip to main content
research-article

Mules and Permission Laundering in Android: Dissecting Custom Permissions in the Wild

Published: 01 July 2024 Publication History

Abstract

Android implements a permission system to regulate apps’ access to system resources and sensitive user data. One salient feature of this system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what is the impact that these permissions can have on users’ privacy and security. In this paper, we empirically study the usage of custom permissions at large scale, using a dataset of 2.2M pre-installed and app-store-downloaded apps. We find the usage of custom permissions to be widespread, and seemingly growing over time. Despite this prevalence, we find that custom permissions are virtually invisible to end users, and their purpose mostly undocumented. This lack of transparency can lead to serious security and privacy problems: we show that custom permissions can facilitate access to permission-protected system resources to apps that lack those permissions without user awareness. To detect this practice, we design and implement two static analysis tools, and highlight multiple concerning cases spotted in the wild. We conclude this study with a discussion of potential solutions to mitigate the privacy and security risks of custom permissions.

References

[1]
Amazon Push Notification Service, Accessed: Feb. 03, 2021. [Online]. Available: https://developer.amazon.com/docs/adm/integrate-your-app.html
[2]
Androguard, Accessed: Mar. 19, 2019. [Online]. Available: https://github.com/androguard/androguard/
[3]
“Android certified partners — brands,” Accessed: Jul. 07, 2020. [Online]. Available: https://www.android.com/certified/partners/
[4]
Android Certified Partners — ODMs, Accessed: Jul. 07, 2020. [Online]. Available: https://www.android.com/certified/partners/#tab-panel-odms
[5]
“Android comptability document — permissions,” Accessed: Jul. 07, 2020. [Online]. Available: https://source.android.com/compatibility/android-cdd#9_1_permissions
[6]
Android Developers, Accessed: May 29, 2019. [Online]. Available: https://developer.android.com/guide/topics/manifest/permission-element.html
[7]
“Android developers - define a custom app permission,” Accessed: Jul. 25, 2019. [Online]. Available: https://developer.android.com/guide/topics/permissions/defining
[9]
“Android version distribution statistics,” 2020. Accessed: May 31, 2020. [Online]. Available: https://www.xda-developers.com/android-version-distribution-statistics-android-studio/
[11]
android:sharedUserId, Accessed: Mar. 15, 2021. [Online]. Available: https://developer.android.com/guide/topics/manifest/manifest-element#uid
[12]
APK Mirror App Store, Accessed: May 28, 2020. [Online]. Available: https://www.apkmirror.com/
[13]
APK Monk App Store, Accessed: May 28, 2020. [Online]. Available: https://www.apkmonk.com/
[14]
Baidu App Store, Accessed: May 28, 2020. [Online]. Available: https://shouji.baidu.com/
[15]
Baidu Push Notification Service, Accessed: Feb. 03, 2021. [Online]. Available: http://push.baidu.com/doc/android/api
[16]
“Best practices for unique identifiers,” Accessed: Apr. 01, 2021. [Online]. Available: https://developer.android.com/training/articles/user-data-ids
[17]
Cars | Android Developers, [Online]. Available: https://developer.android.com/reference/android/car/Car
[18]
“Commit a90c8de: Add new “preinstalled” permission flag,” Accessed: Jul. 11, 2019. [Online]. Available: https://android.googlesource.com/platform/frameworks/base/+/a90c8def2c6762bc6e5396b78c43e65e4b05079d
[20]
“Dataset of defined custom permissions,” [Online]. Available: https://androidobservatory.com/files/defined_perms_all_release.json.xz
[21]
“Dataset of requested custom permissions,” [Online]. Available: https://androidobservatory.com/files/requested_perms_all_release.json.xz
[22]
“Firmware scanner,” Accessed: Mar. 06, 2019. [Online]. Available: https://play.google.com/store/apps/details?id=org.imdea.networks.iag.preinstalleduploader
[24]
“Google maps receive permission,” Accessed: Feb. 03, 2021. [Online]. Available: https://stackoverflow.com/questions/14832911/android-map-v2-why-maps-receive-permission
[25]
Google Play App Store, Accessed: May 28, 2020. [Online]. Available: https://play.google.com/store/apps/
[26]
Google Push Notification Service, Accessed: Feb. 03, 2021. [Online]. Available: https://web.archive.org/web/20121004073640/https://developers.google.com/android/c2dm/
[27]
Huawei App Store, Accessed: May 28, 2020. [Online]. Available: https://appgallery1.huawei.com/#/Featured
[28]
Huawei Push Notification Service, Accessed: Feb. 03, 2021. [Online]. Available: https://stackoverflow.com/questions/57860791/how-to-access-payload-of-hms-push-notifications
[29]
Huawei's Android App Store Launches Internationally, 2018. Accessed: Jun. 16, 2020. [Online]. Available: https://www.androidheadlines.com/2018/04/huaweis-android-app-store-launches-internationally.html
[30]
Integrate Amazon Device Messaging (ADM), [Online]. Available: https://developer.amazon.com/docs/video-skills-fire-tv-apps/integrate-adm.html
[31]
Jiguang Push Notification Service, Accessed: Feb. 03, 2021. [Online]. Available: https://docs.jiguang.cn/en/jpush/client/Android/android_guide/#configuration-and-code-instructions
[32]
“Market share development per Android phone manufacturer,” [Online]. Available: https://www.appbrain.com/stats/top-manufacturers
[33]
“Merge multiple manifest files,” Accessed: Jul. 22, 2020. [Online]. Available: https://developer.android.com/studio/build/manifest-merge
[34]
“Mobile advertising network InMobi settles FTC charges it tracked hundreds of millions of consumers’ locations without permission,” 2016. [Online]. Available: https://www.ftc.gov/news-events/news/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked-hundreds-millions-consumers
[35]
[40]
Qihoo 360 App Store, Accessed: May 28, 2020. [Online]. Available: http://zhushou.360.cn/
[42]
RequiresPermission — AndroidX, Accessed: Mar. 23, 2020. [Online]. Available: https://developer.android.com/reference/androidx/annotation/RequiresPermission
[43]
Samsung Knox, Accessed: Apr. 15, 2021. [Online]. Available: https://www.samsungknox.com/en
[44]
Tencent App Store, Accessed: May 28, 2020. [Online]. Available: https://android.myapp.com/
[45]
Xiaomi Mi App Store, Accessed: May 28, 2020. [Online]. Available: http://app.mi.com/
[46]
Xiaomi Push Notification Service, Accessed: Feb. 03, 2021. [Online]. Available: https://docs.moengage.com/docs/android-xiaomi-push
[47]
“Android developers - define a custom app permission,” 2018. [Online]. Available: https://developer.android.com/guide/topics/permissions/defining
[48]
Android Developers - GoogleSignInApi, 2018, Accessed: Aug. 06, 2020. [Online]. Available: https://developers.google.com/android/reference/com/google/android/gms/auth/api/signin/GoogleSignInApi
[49]
“Android developers - permissions overview,” 2018. [Online]. Available: https://developer.android.com/guide/topics/permissions/overview
[50]
AndroZoo, 2018. [Online]. Available: https://androzoo.uni.lu/
[51]
“Google issue tracker - Why Google Play services dependency automatically added com.google.android.finsky.permission. BIND_GET_INSTALL_REFERRER_SERVICE permission,” 2018, Accessed: Aug. 6, 2020. [Online]. Available: https://issuetracker.google.com/issues/78380811#comment22
[52]
“Migrate a GCM client app for Android to firebase cloud messaging,” 2018. [Online]. Available: https://developers.google.com/cloud-messaging/android/android-migrate-fcm
[53]
“Android developers - play install referrer library,” 2019, Accessed: Aug. 6, 2020. [Online]. Available: https://developer.android.com/google/play/installreferrer/library
[54]
“Android developers - AIDL to Google Play billing library migration guide,” 2020, Accessed: Aug. 06, 2020. [Online]. Available: https://developer.android.com/google/play/billing/migrate
[55]
“Android developers - Sign your app,” 2020, Accessed: Aug. 25, 2020. [Online]. Available: https://developer.android.com/studio/publish/app-signing
[56]
Context - Android Developers, 2020. [Online]. Available: https://developer.android.com/reference/android/content/Context.html
[57]
Intent - Android Developers, 2020. [Online]. Available: https://developer.android.com/reference/android/content/Intent
[59]
2021, Accessed: Apr. 15, 2021. [Online]. Available: https://developers.google.com/android/play-protect
[60]
S. Arzt et al., “FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps,” in Proc. ACM Special Int. Groupon Program. Lang., vol. 49, pp. 259–269, 2014.
[61]
K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie, “PScout: Analyzing the Android permission specification,” in Proc. ACM Conf. Comput. Commun. Secur., 2012, pp. 217–228.
[62]
M. Backes, S. Bugiel, E. Derr, P. McDaniel, D. Octeau, and S. Weisgerber, “On demystifying the Android application framework: Re-visiting Android permission specification analysis,” in Proc. USENIX Secur. Symp., 2016, pp. 1101–1118.
[63]
H. Bagheri, E. Kang, S. Malek, and D. Jackson, “Detection of design flaws in the Android permission protocol through bounded verification,” in Proc. Int. Symp. Formal Methods, 2015, pp. 73–89.
[64]
H. Bagheri, E. Kang, S. Malek, and D. Jackson, “A formal approach for detection of security flaws in the Android permission system,” Formal Aspects Comput., vol. 30, pp. 525–544, 2018.
[65]
K. Block, S. Narain, and G. Noubir, “An autonomic and permissionless Android covert channel,” in Proc. ACM Conf. Secur. Privacy Wireless Mobile Netw., 2017, pp. 184–194.
[66]
S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi, “XManDroid: A new Android evolution to mitigate privilege escalation attacks,” Technische Universität Darmstadt, Darmstadt, Germany, Tech. Rep., 2011.
[67]
S. Chitkara, N. Gothoskar, S. Harish, J. I. Hong, and Y. Agarwal, “Does this app really need my location? Context-aware privacy management for smartphones,” in Proc. ACM Interactive Mobile Wearable Ubiquitous Technol., vol. 1, pp. 1–22, 2017.
[68]
L. Deshotels, “Inaudible sound as a covert channel in mobile devices,” in Proc. USENIX Workshop Offensive Technol., 2014, Art. no.
[69]
D. Dittrich and E. Kenneally, “The menlo report: Ethical principles guiding information and communication technology research,” SSRN Electron. J., 2012.
[70]
Á. Feal et al., Don't Accept Candy From Strangers: An Analysis of Third-Party Mobile SDKs, vol. 13, London, U.K.: Bloomsbury Publishing, 2021, p. 1.
[71]
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, “Android permissions demystified,” in Proc. ACM Conf. Comput. Commun. Secur., 2011, pp. 627–638.
[72]
A. P. Felt, K. Greenwood, and D. Wagner, “The effectiveness of application permissions,” in Proc. USENIX Conf. Web Appl. Develop., 2011, Art. no.
[73]
A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner, “Android permissions: User attention, comprehension, and behavior,” in Proc. Symp. Usable Privacy Secur., 2012, pp. 1–14.
[74]
A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin, “Permission re-delegation: Attacks and defenses,” in Proc. USENIX Secur. Symp., 2011, Art. no.
[75]
J. Gamba, M. Rashed, A. Razaghpanah, J. Tapiador, and N. Vallina-Rodriguez, “An analysis of pre-installed android software,” in Proc. IEEE Symp. Secur. Privacy, 2020, pp. 1039–1055.
[76]
C. Gibler, J. Crussell, J. Erickson, and H. Chen, “Androidleaks: Automatically detecting potential privacy leaks in Android applications on a large scale,” in Proc. Int. Conf. Trust Trustworthy Comput., 2012, pp. 291–307.
[77]
K. Hageman et al., “Mixed signals: Analyzing software attribution challenges in the Android ecosystem,” IEEE Trans. Softw. Eng., vol. 49, no. 4, pp. 2964–2979, Apr. 2023.
[78]
K. Kennedy, E. Gustafson, and H. Chen, “Quantifying the effects of removing permissions from Android applications,” in Mobile Security Technologies, Ann Arbor, MI, USA: Davis?ProQuest Dissertations Publishing, 2013.
[79]
R. Li, W. Diao, Z. Li, J. Du, and S. Guo, “Android custom permissions demystified: From privilege escalation to design shortcomings,” in Proc. IEEE Symp. Secur. Privacy, 2021, pp. 70–86.
[80]
Z. Ma, H. Wang, Y. Guo, and X. Chen, “LibRadar: Fast and accurate detection of third-party libraries in Android apps,” in Proc. Int. Conf. Softw. Eng., 2016, pp. 653–656.
[81]
New York Times, “Facebook gave device makers deep access to data on users and friends,” 2018. [Online]. Available: https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html
[82]
S. T. Peddinti et al., “Reducing permission requests in mobile apps,” in Proc. Internet Meas. Conf., 2019, pp. 259–266.
[83]
A. Razaghpanah et al., “Apps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem,” in Proc. 25th Annu. Netw. Distrib. Syst. Secur. Symp., 2018.
[84]
J. Reardon, Á. Feal, P. Wijesekera, A. E. B. On, N. Vallina-Rodriguez, and S. Egelman, “50 ways to leak your data: An exploration of apps’ circumvention of the Android permissions systems,” in Proc. USENIX Secur. Symp., 2019, pp. 603–620.
[85]
A. Sadeghi, H. Bagheri, and S. Malek, “Analysis of android inter-app security vulnerabilities using covert,” in Proc. IEEE/ACM 37th IEEE Int. Conf. Softw. Eng., 2015, pp. 725–728.
[86]
J. Sellwood and J. Crampton, “Sleeping Android: The danger of dormant permissions,” in Proc. ACM Workshop Secur. Privacy Smartphones Mobile Devices, 2013, pp. 55–66.
[87]
G. S. Tuncay, S. Demetriou, K. Ganju, and C. Gunter, “Resolving the predicament of Android custom permissions,” in Proc. Netw. Distrib. System Secur. Symp., 2018.
[88]
H. Wang et al., “Beyond Google Play: A large-scale comparative study of Chinese Android app markets,” in Proc. Internet Meas. Conf., 2018, pp. 293–307.
[89]
F. Wei, S. Roy, and X. Ou, “Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps,” ACM Trans. Privacy Secur., vol. 21, 2018, Art. no.
[90]
P. Wijesekera, A. Baokar, A. Hosseini, S. Egelman, D. Wagner, and K. Beznosov, “Android permissions remystified: A field study on contextual integrity,” in Proc. USENIX Secur. Symp., 2015, pp. 499–514.

Recommendations

Comments

Information & Contributors

Information

Published In

cover image IEEE Transactions on Dependable and Secure Computing
IEEE Transactions on Dependable and Secure Computing  Volume 21, Issue 4
July-Aug. 2024
2808 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States

Publication History

Published: 01 July 2024

Qualifiers

  • Research-article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • 0
    Total Citations
  • 0
    Total Downloads
  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 19 Feb 2025

Other Metrics

Citations

View Options

View options

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media