Detecting capability leaks in Android-based smartphones

Authors: Xuxian Jiang, Yajin Zhou, Zhi Wang, Mike Grace

DOI:

Keywords:

Abstract: Recent years have witnessed increased popularity and adoption of smartphones, partially due to the functionalities and convenience offered to their users (e.g., the ability to run third-party applications). To manage the amount of access given to smartphone applications, Android provides a permission-based security model, which requires each application to explicitly request permissions before it can be installed to run. In this paper, we systematically analyze eight flagship Android smartphones from leading manufacturers, including HTC, Motorola, and Samsung, and find that the stock phone images do not properly enforce the permission model. Several privileged permissions that protect sensitive user data or dangerous features on the phones are unsafely exposed to other applications which do not need to request them for the actual use, a violation termed capability leak in this paper. To facilitate identifying these leaks, we take a static analysis approach and accordingly developed a system called Woodpecker. Our results with the eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting the leaked capabilities, an untrusted application can manage to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations on the affected phones – all without asking for any permission.
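A capability leak of the kind the abstract describes begins at a component that a permission-holding (typically pre-installed) app exposes to other apps without an adequate guard. The Python script below is an added example, not Woodpecker or any code from the paper: it does a manifest-level triage of such entry points, flagging exported components of an app holding privileged permissions that are either unguarded or guarded only by a permission whose protectionLevel lets any third-party app request it. The manifest, package name, component names and custom permission names are constructed for the example. A real leak additionally needs a code path from the flagged entry point to the privileged API inside the app; this check does not establish that, it only narrows down which entry points are worth tracing.

```python
"""Manifest-level triage for capability-leak entry points (added example).

Flags exported components of an app that holds privileged permissions when
the component is reachable by arbitrary third-party apps: either it has no
android:permission at all, or the guarding permission is declared by the app
itself with a protectionLevel (normal/dangerous) any app can simply request.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of the privileged permissions behind the abstract's
# examples (wiping data, sending SMS, recording audio, reading location).
PRIVILEGED = {
    "android.permission.MASTER_CLEAR",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
WEAK_LEVELS = ("normal", "dangerous")  # grantable to any third-party app


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Android's rule: explicit android:exported wins; otherwise a component
    is exported if and only if it declares an intent-filter."""
    exported = attr(comp, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return comp.find("intent-filter") is not None


def guard_permissions(comp):
    """Permissions that gate access to this component (providers may use
    separate read/write permissions instead of android:permission)."""
    perms = [attr(comp, "permission")]
    if comp.tag == "provider":
        perms += [attr(comp, "readPermission"), attr(comp, "writePermission")]
    return [p for p in perms if p]


def find_leak_candidates(manifest_xml):
    root = ET.fromstring(manifest_xml)
    held = {attr(p, "name") for p in root.iter("uses-permission")}
    privileged_held = sorted(held & PRIVILEGED)
    # protectionLevel of permissions this app defines itself; Android defaults
    # an undeclared protectionLevel to "normal".
    declared = {attr(p, "name"): (attr(p, "protectionLevel") or "normal")
                for p in root.iter("permission")}
    candidates = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        guards = guard_permissions(comp)
        if not guards:
            reason = "exported without any permission"
        else:
            # Permissions not declared here (e.g. platform ones) are assumed to
            # cost the caller the same privilege; we cannot judge them from
            # this manifest alone, so only self-declared weak levels are flagged.
            weak = [g for g in guards if declared.get(g, "signature") in WEAK_LEVELS]
            if not weak:
                continue
            reason = "guarded only by weak permission(s): " + ", ".join(weak)
        candidates.append({"component": comp.tag, "name": attr(comp, "name"),
                           "reason": reason})
    return {"privileged_held": privileged_held,
            "candidates": candidates,
            # Entry points only matter if there is a capability to leak.
            "leak_possible": bool(privileged_held) and bool(candidates)}


# Constructed manifest for the example; not taken from any real phone image.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.tools">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <permission android:name="com.example.vendor.RELAY" android:protectionLevel="normal"/>
  <permission android:name="com.example.vendor.INTERNAL" android:protectionLevel="signature"/>
  <application>
    <service android:name=".SmsRelayService">
      <intent-filter><action android:name="com.example.vendor.SEND"/></intent-filter>
    </service>
    <receiver android:name=".RecorderReceiver" android:exported="true"
              android:permission="com.example.vendor.RELAY"/>
    <service android:name=".InternalService" android:exported="true"
             android:permission="com.example.vendor.INTERNAL"/>
    <activity android:name=".SettingsActivity" android:exported="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = find_leak_candidates(SAMPLE_MANIFEST)
    print("privileged permissions held:", report["privileged_held"])
    for c in report["candidates"]:
        print("candidate entry point: %s %s (%s)" % (c["component"], c["name"], c["reason"]))
```

In the constructed manifest, SmsRelayService is implicitly exported by its intent-filter and has no guard, and RecorderReceiver is guarded only by a normal-level custom permission that any app can request in its own manifest; both are reported. InternalService, guarded by a signature-level permission, and the non-exported SettingsActivity are not. Whether a flagged component actually lets a caller send SMS or record audio still has to be confirmed by tracing the component's code, which is the part of the analysis the paper's tool performs and this script does not.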
