A formal approach for detection of security flaws in the android permission system

Bagheri, Hamid; Kang, Eunsuk; Malek, Sam; Jackson, Daniel

Author(s)

Bagheri, Hamid; Kang, Eunsuk; Malek, Sam; Jackson, Daniel

Download165_2017_445_ReferencePDF.pdf (659.4Kb)

OPEN_ACCESS_POLICY

Terms of use

Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/

Metadata

Show full item record

Abstract

The ever increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we perform an analysis of the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol in Alloy, and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely. Keywords: Android, Permission protocol, Alloy, Verification

Date issued

2017-11

URI

http://hdl.handle.net/1721.1/117468

Department

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Journal

Formal Aspects of Computing

Publisher

Springer London

Citation

Bagheri, Hamid, et al. “A Formal Approach for Detection of Security Flaws in the Android Permission System.” Formal Aspects of Computing, vol. 30, no. 5, Sept. 2018, pp. 525–44.

Version: Author's final manuscript

ISSN

0934-5043

1433-299X

Collections

MIT Open Access Articles

DSpace@MIT