Permission Evolution in the Android Ecosystem Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos Department of Computer Science and Engineering.


Permission Evolution in the Android Ecosystem Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos Department of Computer Science and Engineering University of California, Riverside

Outline
- The Android Platform Basics
- Dataset Description
- Platform Permission Evolution
- Third-Party Apps
- Pre-Installed Apps
- Suggestions
- Conclusion

Android Platform
- In this paper we studied all major API levels, from level 3 (April 2009) to level 15 (December 2011).

Android Apps
- Third-party apps are available for download from Google Play and other app stores.
- Pre-installed apps come along with the devices from the vendors.

Android Permissions
- Protection Level
  - Normal
  - Dangerous
  - Signature
  - SignatureOrSystem
- Functionality categories
  - Cost Money, Message, Personal Info, Location, Network, Accounts, Hardware Controls, Phone Calls, Storage, System Tools and Development Tools.

Apps Permissions Dataset
- Third-Party Apps (237 apps with 1,703 versions)
  1. 1,420 apps with 4,857 versions
  2. We selected only those apps that had at least one version each year between 2009 and we obtained the stable dataset of 237 apps with 1,703 versions, with each app's evolution spanning at least three years.

Apps Permissions Dataset (Cont.)
- Pre-Installed Apps (346 apps with 1,714 versions)
  1. We gathered the firmware of multiple phone vendors - HTC, Motorola, Samsung, and LG - from various online sources.
  2. We unpacked the firmware and extracted the pre-installed apps inside.
  3. We collected 69 firmware over the years which contained 346 pre-installed apps with 1,714 versions.

Apps Permissions Dataset (Cont.)
- Permission collection
  - Use the tool aapt on each app version to extract the AndroidManifest.xml file.
  - Parse the manifest files to get the full list of the permissions used by each app version.
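The parsing step above, carried on to a version-to-version comparison, as an added example that is not the authors' tooling. It assumes each manifest has already been decoded to text XML; the `PROTECTION` table is a small hand-picked subset, and `sample_manifest`, the package name and the version history are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a hand-picked subset of protection levels for illustration.
# A real study would load them from the platform's own manifest per API level.
PROTECTION = {
    "android.permission.ACCESS_COARSE_LOCATION": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.VIBRATE": "normal",
}

def manifest_permissions(xml_text):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(xml_text)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def permission_evolution(versions):
    """versions: [(label, manifest_xml), ...] in release order; one record per step."""
    history = []
    prev_label, prev = versions[0][0], manifest_permissions(versions[0][1])
    for label, xml_text in versions[1:]:
        cur = manifest_permissions(xml_text)
        added, removed = cur - prev, prev - cur
        history.append({
            "from": prev_label, "to": label,
            "added": sorted(added), "removed": sorted(removed),
            "added_dangerous": sorted(p for p in added if PROTECTION.get(p) == "dangerous"),
        })
        prev_label, prev = label, cur
    return history

def sample_manifest(*perms):
    """Build a constructed, already-decoded manifest (not a real app's)."""
    uses = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.sample">%s<application/></manifest>' % uses)

SAMPLE_VERSIONS = [  # constructed version history
    ("1.0", sample_manifest("VIBRATE", "ACCESS_COARSE_LOCATION")),
    ("1.1", sample_manifest("VIBRATE", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION")),
    ("2.0", sample_manifest("ACCESS_FINE_LOCATION", "READ_CONTACTS")),
]

for step in permission_evolution(SAMPLE_VERSIONS):
    print(step)
```

Permissions missing from the table are reported as added or removed but never counted as Dangerous, so an incomplete table undercounts rather than overcounts.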

The List of Permissions is Growing

The List of Permissions is Growing (Cont.)
- We find that the Default, System_Tools and Development_Tools categories contribute to most of the increases.

Dangerous Group is Largest and Growing
- Most of them are from personal data-related categories, e.g., PERSONAL_INFO, STORAGE and ACCOUNTS.

Why are Permissions Added or Deleted?
- Because of new functionality
  - NFC, WiMAX, 4G…
- Accommodate new smartphone features
  - READ_PROFILE and READ_SOCIAL_STREAM replace READ_OWNER_DATA.
- Some permissions are made available to the public without a manifest declaration.
  - BACKUP_DATA

Why are Permissions Added or Deleted? (Cont.)

No Tendency Toward Finer-grained Permissions

Third-Party Apps Permission Additions Dominate

What is the primary cause for the permission additions?
- Android apps became more aggressive in asking for resources, by asking for new permissions.

Apps Want More Dangerous Permissions
- 66.11% of permission increases in apps required at least one more Dangerous permission.

Macro Evolution Patterns
- For all apps that have any permission change

Micro Evolution Patterns
- Location Permission
  - ACCESS_COARSE_LOCATION
  - ACCESS_FINE_LOCATION

Permission Trajectories

Apps Are Becoming Over-privileged
- To detect over-privilege, we ran the Stowaway tool on the stable dataset (1,703 app versions).

Apps Are Becoming Over-privileged (Cont.)

Pre-Installed Apps
- 62.61% of pre-installed apps do not change their permissions at all.

Pre-Installed Apps (Cont.)
- The vendors also have the ability to define their own permissions inside the platform when they customize the Android platform for their devices.
  - HTC_APP_UPDATE
- 66.1% of pre-installed apps were over-privileged
  - HTCLogger

Suggestions
- Securing the ecosystem must start at the Android platform.
- App certification should enforce checks against over-privileged requests.
- App permission evolution and fluctuation indicate developer confusion in selecting legitimate permissions.
- Pre-installed apps need more security.

Conclusion
- We have investigated how Android permissions and their use evolve in the Android ecosystem.
- The number of permissions defined in the Android platform tends to increase.
- Permissions cater to hardware manufacturers and their apps, rather than third-party developers.