Mapping and Evolution of Android Permissions presented at CounterMeasure 2012

by Zach Reiter,

Tags: Security

Summary : The Android Open Source Project provides a software stack for mobile devices. The provided API enforces restrictions on specific operations a process is allowed to perform through a permissions mechanism. Due to the fine-grained nature of the model (and lack of a map), it is non-obvious which calls require which permission(s) for an API of over 2400 classes. Also, due to the on-going development of the AOSP and API, these required permissions have changed. Both of these provide headaches for application security testers and application developers. We first discuss our methodology for building an Android API permission map, including active and passive discovery tools. We then present the evolution of the map as the Android API has transformed through releases. This work is significant because of the need for an understanding of the API permission requirements in application security testing and the current lack of clarity in this ever-growing environment. Finally, we will discuss our research findings around underlying permissions enforcements/checks in Android, and the associated security implications of changes in permissions over time.