By Topic

Automatic detection of inter-application permission leaks in Android applications

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $31
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

5 Author(s)
Sbirlea, D. ; Department of Computer Science, Rice University, Houston, TX, USA ; Burke, M.G. ; Guarnieri, S. ; Pistoia, M.
more authors

The Android® operating system builds upon already well-established permission systems but complements them by allowing application components to be reused within and across applications through a single communication mechanism, called the Intent mechanism. In this paper, we describe techniques that we developed for statically detecting Android application vulnerability to attacks that obtain unauthorized access to permission-protected information. We address three kinds of such attacks, known as confused deputy, permission collusion, and Intent spoofing. We show that application vulnerability to these attacks can be detected using taint analysis. Based on this technique, we developed PermissionFlow, a tool for discovering vulnerabilities in the byte code and configuration of Android applications. To enable PermissionFlow analysis, we developed a static technique for automatic identification of permission-protected information sources in permission-based systems. This technique identifies application programming interfaces (APIs) whose execution leads to permission checking and considers these APIs to be sources of taint. Based on this approach, we developed Permission Mapper, a component of PermissionFlow that improves on previous work by performing fully automatic identification of such APIs for Android Java® code. Our automated analysis of popular applications found that 56% of the most popular 313 Android applications actively use intercomponent information flows. Among the tested applications, PermissionFlow found four exploitable vulnerabilities. By helping ensure the absence of inter-application permission leaks, we believe that the proposed analysis will be highly beneficial to the Android ecosystem and other mobile platforms that may use similar analyses in the future.

Note: The Institute of Electrical and Electronics Engineers, Incorporated is distributing this Article with permission of the International Business Machines Corporation (IBM) who is the exclusive owner. The recipient of this Article may not assign, sublicense, lease, rent or otherwise transfer, reproduce, prepare derivative works, publicly display or perform, or distribute the Article.  

Published in:

IBM Journal of Research and Development  (Volume:57 ,  Issue: 6 )