A formal approach for detection of security flaws in the android permission system
Author(s)
Bagheri, Hamid; Kang, Eunsuk; Malek, Sam; Jackson, Daniel
Download165_2017_445_ReferencePDF.pdf (659.4Kb)
OPEN_ACCESS_POLICY
Open Access Policy
Creative Commons Attribution-Noncommercial-Share Alike
Terms of use
Metadata
Show full item recordAbstract
The ever increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we perform an analysis of the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol in Alloy, and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely. Keywords: Android, Permission protocol, Alloy, Verification
Date issued
2017-11Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer ScienceJournal
Formal Aspects of Computing
Publisher
Springer London
Citation
Bagheri, Hamid, et al. “A Formal Approach for Detection of Security Flaws in the Android Permission System.” Formal Aspects of Computing, vol. 30, no. 5, Sept. 2018, pp. 525–44.
Version: Author's final manuscript
ISSN
0934-5043
1433-299X