nach oben

Information Systems Frontiers

Erschienen in:

14.11.2020

A Formal Specification of Access Control in Android with URI Permissions

verfasst von: Samir Talegaon, Ram Krishnan

Erschienen in: Information Systems Frontiers | Ausgabe 4/2021

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

A formal specification of access control yields a deeper understanding of any operating system, and facilitates performing security analysis of the OS. In this paper, we provide a comprehensive formal specification of access control in Android (ACiA). Prior work is limited in scope, furthermore, recent developments in Android concerning dynamic runtime permissions require rethinking of its formalization. Our formal specification includes three parts, the user-initiated operations (UIOs) and app-initiated operations (AIOs) - which are distinguished based on the initiating entity, and the URI permissions which are utilized in sharing temporary access to data. We also studied the evolution of URI permissions from API 10 (Gingerbread) to API 22 (Lollipop), and a brief discussion on this is included in the paper. Formalizing ACiA allowed us to discover many peculiar behaviors pertaining to ACiA. In addition to that, we discovered two significant issues with permissions in Android which were reported to Google.

Vorheriger Artikel Privacy-Preserving Mutual Authentication and Key Agreement Scheme for Multi-Server Healthcare System

Nächster Artikel Robust Android Malware Detection System Against Adversarial Attacks Using Q-Learning

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

https://apkpure.com/

(2019) Android perm protection lvl “normal are never re-granted!” https://issuetracker.google.com/issues/129029397, [Online; accessed 21-March-2019].

(2019a) Android Permissions — Android Open Source Project. https://source.android.com/devices/tech/config, [Online; accessed 17-June-2019].

(2019) Issue about Android’s permission to permission-group mapping. https://issuetracker.google.com/issues/128888710, [Online; accessed 21-March-2019].

(2019b) Request App Perms — Android Devs. https://developer.android.com/training/permissions/requesting/, [Online; accessed 12-March-2019].

Bagheri, H., Kang, E., Malek, S., & Jackson, D. (2015a). In Intl. Symp. on Formal Methods (pp. 73–89): Springer.

Bagheri, H., Sadeghi, A., Garcia, J., & Malek, S. (2015b). COVERT: Compositional analysis of android Inter-App permission leakage. IEEE Transactions on Software Engineering, 41(9), 866–886.CrossRef

Bagheri, H., Kang, E., Malek, S., & Jackson, D. (2018). A formal approach for detection of security flaws in the android permission system. Formal Aspects of Computing, 30(5), 525–544.CrossRef

Betarte, G., Campo, J.D., Luna, C., & Romano, A. (2015). Verifying Android’s Permission Model, (pp. 485–504). Cham: Springer.

Betarte, G., Campo, J., Luna, C., & Romano, A. (2016). Formal analysis of android’s Permission-Based security model 1. Scientific Annals of Computer Science, 26(1), 27–68.CrossRef

Betarte, G., Campo, J., Cristiá, M., Gorostiaga, F., Luna, C., & Sanz, C. (2017). Towards formal model-based analysis and testing of android’s security mechanisms. In 2017 XLIII Latin American Computer Conference (CLEI) (pp. 1–10): IEEE.

Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., & Shastry, B. (2012). Towards taming privilege-escalation attacks on android. In NDSS, Citeseer, (Vol. 17 p. 19).

Chin, E., Felt, A.P., Greenwood, K., & Wagner, D. (2011). Analyzing inter-application communication in android. In Proc. of the 9th International Conference on Mobile Systems, Applications, and Services (pp. 239–252).

Davi, L., Dmitrienko, A., Sadeghi, A.R., & Winandy, M. (2010). Privilege escalation attacks on android. In International conference on Information security (pp. 346–360): Springer.

Enck, W., Ongtang, M., & McDaniel, P. (2009a). On lightweight mobile phone application certification. In Proc. of the 16th ACM Conference on Computer and Communications Security (pp. 235–245).

Enck, W., Ongtang, M., & McDaniel, P. (2009b). Understanding android security. IEEE security & privacy, pp. 50–57.

Enck, W., Octeau, D., McDaniel, P.D., & Chaudhuri, S. (2011). A study of android application security. In USENIX Security Symposium, (Vol. 2 p. 2).

Felt, A.P., Chin, E., Hanna, S., Song, D., & Wagner, D. (2011). Android permissions demystified. In Proc. of the 18th ACM conference on Computer and communications security (pp. 627–638).

Fragkaki, E., Bauer, L., Jia, L., & Swasey, D. (2012). Modeling and Enhancing Android’s Permission System, (pp. 1–18). Berlin: Springer.CrossRef

Geerts, F., Goethals, B., & Mielikäinen, T. (2004). Tiling databases. In International conference on discovery science (pp. 278–289): Springer.

Grace, M.C., Zhou, Y., Wang, Z., & Jiang, X. (2012). Systematic detection of capability leaks in stock android smartphones. In NDSS, (Vol. 14 p. 19).

Guo, Q. (2010). A formal approach to the role mining problem. PhD thesis, Rutgers University-Graduate School-Newark.

Ongtang, M., McLaughlin, S., Enck, W., & McDaniel, P. (2012). Semantically rich application-centric security in android. Security and Communication Networks, 5(6), 658–673.CrossRef

Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., & Glezer, C. (2010). Google android: a comprehensive security assessment. IEEE Security & Privacy, 8(2), 35–44.CrossRef

Shin, W., Kiyomoto, S., Fukushima, K., & Tanaka, T. (2010). A formal model to analyze the permission authorization and enforcement in the Android framework. In Proc. - socialcom 2010: 2nd IEEE international conference on social computing, PASSAT 2010: 2nd IEEE International Conference on Privacy, Security, Risk and Trust (pp. 944–951).

Talegaon, S., & Krishnan, R. (2019). A formal specification of access control in android. In International Conference on Secure Knowledge Management in Artificial Intelligence Era (pp. 101–125): Springer.

Taylor, V.F., & Martinovic, I. (2016). Quantifying permission-creep in the google play store. arXiv:160601708.

Tuncay, G.S., Demetriou, S., Ganju, K., & Gunter, C.A. (2018). Resolving the predicament of android custom permissions. In Proc. 2018 Network and Distributed System Security Symposium. Reston: Internet Society.

Vaidya, J., Atluri, V., & Warner, J. (2006). Roleminer: mining roles using subset enumeration. In Proceedings of the 13th ACM conference on Computer and communications security (pp. 144–153).

Vaidya, J., Atluri, V., & Guo, Q. (2007). The role mining problem: finding a minimal descriptive set of roles. In Proceedings of the 12th ACM symposium on Access control models and technologies (pp. 175–184).

Vaidya, J., Atluri, V., & Guo, Q. (2010). The role mining problem: a formal perspective. ACM Transactions on Information and System Security (TISSEC), 13(3), 1–31.CrossRef

Wei, X., Gomez, L., Neamtiu, I., & Faloutsos, M. (2012). Permission evolution in the android ecosystem. In Proc. of the 28th Annual Computer Security Applications Conference (pp. 31–40).

Titel: A Formal Specification of Access Control in Android with URI Permissions
verfasst von: Samir Talegaon
Ram Krishnan
Publikationsdatum: 14.11.2020
Verlag: Springer US
Erschienen in: Information Systems Frontiers / Ausgabe 4/2021
Print ISSN: 1387-3326
Elektronische ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-020-10066-9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2021

Privacy-Preserving Mutual Authentication and Key Agreement Scheme for Multi-Server Healthcare System

An Investigation of Misinformation Harms Related to Social Media during Two Humanitarian Crises

Predicting Sports Injuries with Wearable Technology and Data Analysis

Exploring the Multi-Level Digital Divide in Mobile Phone Adoption: A Comparison of Developing Nations

Toward Automated Cyber Defense with Secure Sharing of Structured Cyber Threat Intelligence

Consumer Acceptance and Use of Information Technology: A Meta-Analytic Evaluation of UTAUT2

Premium Partner