DOI: 10.1145/2903150.2911706
Research article
Malevolent app pairs: an Android permission overpassing scheme

Published: 16 May 2016 Publication History

Abstract

Portable smart devices potentially store a wealth of personal data, making them attractive targets for data exfiltration attacks. Permission-based schemes are core security controls for reducing privacy and security risks. In this paper we demonstrate that current permission schemes cannot effectively mitigate the risks posed by covert channels. We show that a pair of apps with different permission settings may collude in order to effectively create a state where the union of their permissions is obtained, giving opportunities for leaking sensitive data whilst keeping the leak potentially unnoticed. We then propose a solution for such attacks.



Published In

CF '16: Proceedings of the ACM International Conference on Computing Frontiers
May 2016, 487 pages
ISBN: 9781450341288
DOI: 10.1145/2903150
General Chairs: Gianluca Palermo, John Feo
Program Chairs: Antonino Tumeo, Hubertus Franke

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. android smartphones
    2. covert channel
    3. data exfiltration
    4. malevolent applications
    5. privacy

    Qualifiers

    • Research-article

Conference

CF'16: Computing Frontiers Conference
May 16 - 19, 2016, Como, Italy

    Acceptance Rates

CF '16 Paper Acceptance Rate: 30 of 94 submissions, 32%
Overall Acceptance Rate: 273 of 785 submissions, 35%


    Cited By

• (2019) A Light-Weight Framework for Pre-submission Vetting of Android Applications in App Stores. Dependability in Sensor, Cloud, and Big Data Systems and Applications, pp. 356-368. DOI: 10.1007/978-981-15-1304-6_28. Online publication date: 5-Nov-2019.
• (2018) Session Fingerprinting in Android via Web-to-App Intercommunication. Security and Communication Networks, 2018. DOI: 10.1155/2018/7352030. Online publication date: 1-Jan-2018.
• (2018) Unravelling Security Issues of Runtime Permissions in Android. Journal of Hardware and Systems Security, 3(1):45-63. DOI: 10.1007/s41635-018-0053-2. Online publication date: 25-Oct-2018.
• (2017) Automated generation of colluding apps for experimental research. Journal of Computer Virology and Hacking Techniques, 14(2):127-138. DOI: 10.1007/s11416-017-0296-4. Online publication date: 6-Apr-2017.
• (2017) Smartphone Bloatware: An Overlooked Privacy Problem. Security, Privacy, and Anonymity in Computation, Communication, and Storage, pp. 169-185. DOI: 10.1007/978-3-319-72389-1_15. Online publication date: 7-Dec-2017.
• (2017) Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era. Security, Privacy, and Applied Cryptography Engineering, pp. 53-73. DOI: 10.1007/978-3-319-71501-8_4. Online publication date: 22-Nov-2017.
• (2017) How to Make Information-Flow Analysis Based Defense Ineffective: An ART Behavior-Mask Attack. Information Security, pp. 269-287. DOI: 10.1007/978-3-319-69659-1_15. Online publication date: 20-Oct-2017.