Detection of Design Flaws in the Android Permission Protocol Through Bounded Verification
Author(s)
Bagheri, Hamid; Kang, Eunsuk; Jackson, Daniel N.; Malek, Sam
Abstract
The ever increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we perform an analysis of the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol in Alloy, and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely.
Keywords: Protection Level, Content Provider, Design Flaw, Custom Permission, Alloy Analyzer
Date issued
2015
Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Journal
Proceedings of FM 2015: Formal Methods
Publisher
Springer Nature America, Inc
Citation
Bagheri, Hamid, et al. “Detection of Design Flaws in the Android Permission Protocol Through Bounded Verification.” Proceedings of FM 2015: Formal Methods, edited by Nikolaj Bjørner and Frank de Boer, vol. 9109, Springer International Publishing, 2015, pp. 73–89.
Version: Author's final manuscript
ISBN
978-3-319-19248-2
978-3-319-19249-9