DOI: 10.1145/2516760.2516774

Sleeping android: the danger of dormant permissions

Published: 08 November 2013

Abstract

An Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require and these permissions must be authorized by the user of the device when the app is installed. Permissions, and the tools that are used to manage them, form the basis of the Android permission architecture, which is an essential part of the access control services provided by the Android platform.
We have analyzed the evolution of the Android permission architecture across six versions of the Android platform, identifying various changes which have occurred during that period and a considerable amount of information about the permission architecture which is not included in the Android documentation. Using this information, we have identified a weakness in the way that the Android platform handles app permissions during platform upgrades. We explain how this weakness may be exploited by a developer to produce malicious software which the average user is unlikely to detect. We conclude with a discussion of potential mitigation techniques for this weakness, highlighting concerns drawn from other research in this area.
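The abstract names the weakness only in outline. The script below is an added example, not code from the paper or from the Android project, that makes the install-then-upgrade mechanism concrete: under the install-time permission model of the Android releases the paper studies, a `<uses-permission>` name that the installed platform does not yet define is accepted at install time without being shown to the user, and once the device is upgraded to a release that defines it, the already-installed app holds it with no new prompt. The manifest and the permission-to-API-level table are constructed for the example (the table is a small subset; verify the real introduction levels against the Manifest.permission reference before relying on them), and the function names are this example's own.

```python
"""Flag dormant permission requests in an Android manifest.

Added example: models how the install-time permission model (Android
releases before runtime permissions) treats a requested permission that
the running platform does not yet define, and which requests become live
after an upgrade. Manifest and API-level table are constructed here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed subset: permission name -> API level at which the platform
# first defined it. Check real values against the Manifest.permission docs.
PERMISSION_API_LEVEL = {
    "android.permission.INTERNET": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.READ_CALL_LOG": 16,
    "android.permission.WRITE_CALL_LOG": 16,
    "android.permission.READ_EXTERNAL_STORAGE": 16,
}

# Constructed manifest for a hypothetical weather app targeting API 14
# that also asks for two permissions the API 14 platform does not define.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="14" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.WRITE_CALL_LOG" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def defined_on(api_level):
    """Permission names the platform at api_level knows about."""
    return {p for p, lvl in PERMISSION_API_LEVEL.items() if lvl <= api_level}


def effective_grants(requested, api_level):
    """What the platform actually grants at this level: requested and defined."""
    return sorted(set(requested) & defined_on(api_level))


def dormant_permissions(requested, api_level):
    """Requested names the platform at api_level does not define.

    These are never shown at install time but stay in the manifest, waiting
    for a platform upgrade that defines them. A name absent from the table
    may also be a third-party custom permission, so treat a hit as a prompt
    to check, not as proof of intent.
    """
    return sorted(set(requested) - defined_on(api_level))


def activated_by_upgrade(requested, old_api, new_api):
    """Permissions that become live, without a prompt, when the device
    moves from old_api to new_api with the app already installed."""
    before = set(effective_grants(requested, old_api))
    after = set(effective_grants(requested, new_api))
    return sorted(after - before)


def report(manifest_xml, device_api, upgrade_api):
    """Summarise the app's permission state now and after a hypothetical upgrade."""
    req = requested_permissions(manifest_xml)
    return {
        "requested": req,
        "granted_now": effective_grants(req, device_api),
        "dormant_now": dormant_permissions(req, device_api),
        "activated_on_upgrade": activated_by_upgrade(req, device_api, upgrade_api),
    }


if __name__ == "__main__":
    import json
    # Device on API 14 (Android 4.0) upgraded to API 16 (Android 4.1).
    print(json.dumps(report(SAMPLE_MANIFEST, 14, 16), indent=2))
```

Against a real APK you would feed `requested_permissions` the manifest extracted from the package (for instance the names listed by `aapt dump permissions app.apk`) and replace the constructed table with the full permission list of the platform revisions you care about; the check you want before approving an app for a fleet is that `dormant_now` is empty for the oldest platform version still deployed, because anything in it is a grant the user will never be asked about.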



Published In

SPSM '13: Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
November 2013
120 pages
ISBN:9781450324915
DOI:10.1145/2516760
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. android
  2. authorization
  3. malware
  4. permission architecture
  5. permissions
  6. privacy

Qualifiers

  • Research-article

Conference

CCS'13

Acceptance Rates

SPSM '13 Paper Acceptance Rate 13 of 54 submissions, 24%;
Overall Acceptance Rate 46 of 139 submissions, 33%

Article Metrics

  • Downloads (Last 12 months)4
  • Downloads (Last 6 weeks)0
Reflects downloads up to 16 Feb 2025

Cited By

  • (2024) Decoding Android Permissions: A Study of Developer Challenges and Solutions on Stack Overflow. Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 143-153. DOI: 10.1145/3674805.3686676. Published 24-Oct-2024.
  • (2024) Measuring and Characterizing (Mis)compliance of the Android Permission System. IEEE Transactions on Software Engineering 50(4), 742-764. DOI: 10.1109/TSE.2024.3362921. Published Apr-2024.
  • (2020) See no evil. Proceedings of the 29th USENIX Conference on Security Symposium, 415-432. DOI: 10.5555/3489212.3489236. Published 12-Aug-2020.
  • (2020) A detection method for android application security based on TF-IDF and machine learning. PLOS ONE 15(9), e0238694. DOI: 10.1371/journal.pone.0238694. Published 11-Sep-2020.
  • (2019) Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORS. Information Systems Security and Privacy, 40-65. DOI: 10.1007/978-3-030-25109-3_3. Published 5-Jul-2019.
  • (2017) Who added that permission to my app? Proceedings of the 4th International Conference on Mobile Software Engineering and Systems, 165-169. DOI: 10.1109/MOBILESoft.2017.5. Published 20-May-2017.
  • (2017) A survey on the evolution of privacy enforcement on smartphones and the road ahead. Pervasive and Mobile Computing 42(C), 58-76. DOI: 10.1016/j.pmcj.2017.09.005. Published 1-Dec-2017.
  • (2016) Integration of Multi-modal Features for Android Malware Detection Using Linear SVM. 2016 11th Asia Joint Conference on Information Security (AsiaJCIS), 141-146. DOI: 10.1109/AsiaJCIS.2016.29. Published Aug-2016.
  • (2015) Enriching reverse engineering through visual exploration of Android binaries. Proceedings of the 5th Program Protection and Reverse Engineering Workshop, 1-9. DOI: 10.1145/2843859.2843866. Published 8-Dec-2015.
  • (2015) Securacy. Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 1-11. DOI: 10.1145/2766498.2766506. Published 22-Jun-2015.