DOI: 10.1145/2046614.2046626
short-paper

Short paper: a look at smartphone permission models

Published: 17 October 2011

    Abstract

    Many smartphone operating systems implement strong sandboxing for third-party application software. As part of this sandboxing, they feature a permission system, which conveys to users what sensitive resources an application will access and allows users to grant or deny permission to access those resources. In this paper, we survey the permission systems of several popular smartphone operating systems and taxonomize them by the amount of control they give users, the amount of information they convey to users, and the level of interactivity they require from users. We discuss the problem of permission overdeclaration and devise a set of goals that security researchers should aim for, and we propose directions through which we hope the research community can attain those goals.



    Published In

    SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
    October 2011
    96 pages
    ISBN: 9781450310000
    DOI: 10.1145/2046614

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. permissions
    2. smartphone

    Qualifiers

    • Short-paper

    Conference

    CCS'11

    Acceptance Rates

    Overall Acceptance Rate 46 of 139 submissions, 33%


    Cited By

    • (2024) IoT Privacy Risks Revealed. Entropy 26:7 (561). DOI: 10.3390/e26070561. Online publication date: 29-Jun-2024
    • (2023) Personalized Privacy Assistant: Identity Construction and Privacy in the Internet of Things. Entropy 25:5 (717). DOI: 10.3390/e25050717. Online publication date: 26-Apr-2023
    • (2022) Privacy Protection Framework for Android. IEEE Access 10 (7973-7988). DOI: 10.1109/ACCESS.2022.3142345. Online publication date: 2022
    • (2022) Enhancing Security Mechanism in Smart Phones Using Crowdsourcing. Cyber Warfare, Security and Space Research (303-310). DOI: 10.1007/978-3-031-15784-4_24. Online publication date: 28-Aug-2022
    • (2021) An Investigation into Permissions Requested by Mobile Banking on Android Platform. Research Anthology on Securing Mobile Technologies and Applications (745-766). DOI: 10.4018/978-1-7998-8545-0.ch040. Online publication date: 2021
    • (2021) AdEye: Recognize Advertising Android Apps. 2021 IEEE International Conference on Artificial Intelligence and Computer Applications (ICAICA) (610-616). DOI: 10.1109/ICAICA52286.2021.9498176. Online publication date: 28-Jun-2021
    • (2020) DroidXP: A Benchmark for Supporting the Research on Mining Android Sandboxes. 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM) (143-148). DOI: 10.1109/SCAM51674.2020.00021. Online publication date: Sep-2020
    • (2020) Heap Memory Snapshot Assisted Program Analysis for Android Permission Specification. 2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER) (435-446). DOI: 10.1109/SANER48275.2020.9054795. Online publication date: Mar-2020
    • (2020) Access Permissions for Apple Watch Applications: A Study on Users' Perceptions. 2020 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI) (1-7). DOI: 10.1109/CCCI49893.2020.9256714. Online publication date: 3-Nov-2020
    • (2020) A Framework for Estimating Privacy Risk Scores of Mobile Apps. Information Security (217-233). DOI: 10.1007/978-3-030-62974-8_13. Online publication date: 25-Nov-2020