Annotated Bibliography

Betarte, G., Campo, J., Luna, C., & Romano, A. (2016).  Formal Analysis of Android’s Permission-Based Security Model.  Scientific Annals of Computer Science, 16(1), 27-68.  doi:10.7561/sacs.2016.1.27

This paper builds upon previous research by the authors.  It provides a comprehensive overview of the Android architecture, security model and permissions, seeks to formalise Android security specifications and provides formal verification of the Android security model.  The Android architecture, application components, security model, permissions, permission delegation and manifest are examined for their roles in granting permissions within the device OS and application layer.  The authors explain how Android uses a Linux operating system, which forces third-party applications to run in a sandbox, protecting the device and kernel and requiring permissions to use system resources and to communicate with other apps, which makes permissions fundamental to Android security.  There is a detailed examination of the 8-tuple datasets that represent the platform state and store information about all permissions, delegated permissions, components, and resource allocations for each app.  Privileges are examined and tested, and it is proven that a permission can be redelegated without limit.  Finally, runtime permissions are examined and concerns are raised about changes in the API, such as internet access becoming a normal permission and so not needing explicit user permission.  The weaknesses of the permissions system are explored and the authors recommend more research on intent spoofing and permission collusion.

This is a landmark paper.  Although there have been two SDKs released since 6.0, runtime permissions were introduced into the API at this point and little change has been made to permissions since, so the paper retains its value to date.

Taylor, V. F., & Martinovic, I. (2017).  To Update or Not to Update: Insights from a Two-Year Study of Android App Evolution.  Paper presented at the Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security.

This is a comprehensive two-year study of 35,000 apps from the Google Play Store.  The study takes quarterly snapshots of app permissions to examine trends in dangerous permission requests over the lifetime of applications, using four datasets: the older and newer .apk files of 5000 top and 10,000 random apps.  Two hypotheses were tested and confirmed: “Free apps are more likely to add new permissions than paid apps” and “Popular apps are more likely to add new permissions than unpopular apps”.

The authors are objective about the study limitations and offer sound argument as to the methodology, and potential bias from making quarterly reviews.  The researchers hoped to draw attention to this phenomenon and this is a strong and useful contribution to this area of research.
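The kind of snapshot comparison described above can be sketched as follows.  This is an added example, not code from the study; it assumes each snapshot's AndroidManifest.xml has already been decoded to text XML, and the app name, snapshot labels and permission sets are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Subset of the permissions Android classifies as "dangerous" (not exhaustive).
DANGEROUS = {P + n for n in (
    "READ_CONTACTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA",
    "RECORD_AUDIO", "READ_SMS", "SEND_SMS", "READ_PHONE_STATE", "READ_CALENDAR",
)}

def requested_permissions(manifest_xml):
    """Return the permission names requested by a text-form AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def permission_drift(snapshots):
    """snapshots: [(label, manifest_xml), ...] ordered oldest first.
    Returns one record per consecutive pair of versions."""
    report, previous = [], None
    for label, manifest_xml in snapshots:
        current = requested_permissions(manifest_xml)
        if previous is not None:
            old_label, old = previous
            added = current - old
            report.append({
                "from": old_label,
                "to": label,
                "added": sorted(added),
                "removed": sorted(old - current),
                "added_dangerous": sorted(added & DANGEROUS),
            })
        previous = (label, current)
    return report

def _manifest(*short_names):
    """Build a constructed manifest for the hypothetical app com.example.torch."""
    rows = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in short_names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.torch">%s<application/></manifest>' % rows)

# Constructed quarterly snapshots (not data from the study).
SNAPSHOTS = [
    ("2016-Q1", _manifest("INTERNET", "CAMERA")),
    ("2016-Q2", _manifest("INTERNET", "CAMERA", "ACCESS_FINE_LOCATION", "WAKE_LOCK")),
    ("2016-Q3", _manifest("INTERNET", "ACCESS_FINE_LOCATION", "READ_CONTACTS")),
]

if __name__ == "__main__":
    for row in permission_drift(SNAPSHOTS):
        print(row["from"], "->", row["to"], "new dangerous:", row["added_dangerous"])
```

Normal permissions such as INTERNET and WAKE_LOCK appear under "added" but not under "added_dangerous", which is the distinction the study's trend analysis depends on.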

Wu, J., Yang, M., & Luo, T. (2017).  PACS: Permission Abuse Checking System for Android Applications based on Review Mining.  Paper presented at the Dependable and Secure Computing, 2017 IEEE Conference on.

This paper discusses the creation of a Permission Abuse Checking System (PACS), to find the percentage of apps that are abusing permission privileges.  Using a crawler module, Google Play Store apps were crawled, fetching details of 9349 app APKs and other details; from the permissions in the manifests, the apps were sorted into ten categories.  One app out of ten from each category was selected (935 apps) and the source code decompiled.  Apps were compared within like categories, on the assumption that apps of similar categories would use similar permissions.  They found that 77.2% of apps had Permission Abuse Problems, which is in sharp contrast to the findings of (Chester, Jones, Mkaouer, & Krutz, 2017).  The comparison with other studies and the random checks for accuracy instil confidence in the results obtained from this study.  As with (Taylor & Martinovic, 2017), (Yusof, Saudi, & Ridzuan, 2017) and (Moussa, Di Penta, Antoniol, & Beltrame, 2017), the larger data sample gives greater confidence in the findings; however, the authors do not mention here whether the one-out-of-ten selected apps were chosen randomly.

Chester, P., Jones, C., Mkaouer, M. W., & Krutz, D. E. (2017).  M-Perm: A Lightweight Detector for Android Permission Gaps.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

The authors’ study rests on the basis that permissions are the base for all app privileges, that a significant proportion of apps are over-privileged and that there is no check within the API to discover over-privileged apps.  App source code is collected and decompiled.  The authors create a tool, M-Perm, to improve on prior research efforts to discover over-privileged apps.  The results of the study determine 2.2% of apps are over-privileged, compared to a 2014 study that showed 11% of sampled apps were over-privileged.  This study is limited by a small sample size of 50 and the inability to compare the results with the previous, cited studies; however, the authors acknowledge this.  There is also the difficulty of a change in the API with the introduction of runtime permissions, another weakness the authors mention.  Overall the intent of the study is purposeful, to examine privileges in apps without the need for graphing the data, but it needs to be extended into a larger and randomised sample collection.
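A permission gap check of the kind this entry describes compares what the manifest declares with what the decompiled code calls.  The sketch below is an added example and not M-Perm's implementation; the API-to-permission map, the app and its source are constructed, and the map is deliberately small.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed, deliberately small map: API call -> (regex, permissions of which
# any one satisfies the call). A real detector needs a far larger mapping.
API_PERMISSIONS = {
    "LocationManager.getLastKnownLocation": (
        r"\.getLastKnownLocation\s*\(",
        {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"}),
    "SmsManager.sendTextMessage": (r"\.sendTextMessage\s*\(", {P + "SEND_SMS"}),
    "Camera.open": (r"\bCamera\.open\s*\(", {P + "CAMERA"}),
    "TelephonyManager.getDeviceId": (r"\.getDeviceId\s*\(", {P + "READ_PHONE_STATE"}),
}

def declared_permissions(manifest_xml):
    """Permission names declared in a text-form AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    return names - {None}

def strip_comments(java_source):
    """Drop /* */ and // comments so commented-out calls are not counted."""
    without_block = re.sub(r"/\*.*?\*/", "", java_source, flags=re.S)
    return re.sub(r"//[^\n]*", "", without_block)

def permission_gap(manifest_xml, sources):
    declared = declared_permissions(manifest_xml)
    code = "\n".join(strip_comments(s) for s in sources)
    known, usable, under = set(), set(), {}
    for api, (pattern, accepted) in API_PERMISSIONS.items():
        known |= accepted
        if re.search(pattern, code):
            usable |= accepted
            if not accepted & declared:
                under[api] = sorted(accepted)
    return {
        "over_privileged": sorted((declared & known) - usable),
        "under_privileged": under,
        # Declared permissions the map cannot judge; never report them as unused.
        "not_assessed": sorted(declared - known),
    }

# Constructed sample input for a hypothetical app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

SOURCES = ["""
class Main {
    // legacy: Camera.open() was removed in v2
    void locate(LocationManager lm) { lm.getLastKnownLocation("network"); }
    void alert(SmsManager sms) { sms.sendTextMessage("5550100", null, "hi", null, null); }
}
"""]

if __name__ == "__main__":
    print(permission_gap(MANIFEST, SOURCES))
```

The "not_assessed" bucket matters when comparing detection rates between tools: a permission missing from the map is unknown, not unused, and counting it as over-privilege inflates the result.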

Ben Ayed, A. (2017).  Permission Request Pattern Recognition in Android Malware Applications.  International Journal of Strategic Information Technology and Applications, 8(1), 37-49.  doi:10.4018/IJSITA.2017010103

This study explores the correlation between permissions and malware, to find if there are patterns that can aid in finding malware.  There is an overview of Android permissions, the security risks of malware and using public Wi-Fi.  A crawler collected apps and these were scanned with anti-malware software.  The data collected from the manifests of three hundred and eighty-four apps was represented visually, using a mapping system previously created by the author.  These visual representations aided in recognising patterns between the apps.  The study found ten permission patterns common to malware.

Overall this is an effective and meaningful study, providing a useful framework for discovering malware, using permission abuse.  The research is built upon Ayed’s previous research and uses cluster mapping of permission type, from this research, to produce readable visual representations.  The large sample instils confidence in the results.  The literature review contains detailed and useful information about permissions and re-delegation; however, “User Mistakes and Errors” specifically lacks referencing.

Faqiry, F. M., Rahman, R., & Tomar, D. S. (2017).  Scrutinizing Permission Based Attack on Android OS Platform Devices.  International Journal of Advanced Research in Computer Science; Udaipur, 8(7).

The paper gives a concise introduction to the Android framework and architecture, citing three common security attacks, with a purposed focus on permission attacks.  Related works are summarised and concisely cover the areas of permission-based security threats and developer abuse and misuse of permissions.  After a brief overview of the Android permission system, the authors focus on permission-based attacks and whether apps have been signed, and define a permission-based attack scenario.  With the use of screenshots, the authors step through the process by which users grant access to apps without realising the implications of doing so.  The authors recommend two countermeasures: stopping automatic updates (a wise suggestion given the research of (Taylor & Martinovic, 2017)) and preventing installation of unsigned apps.

This paper is useful for readers with limited knowledge of Android development, but there is little value in terms of being a useful contribution to the research community.

The poor English and grammar make it difficult to read, and the overhead of attempting to decipher the meaning in some parts is taxing and detracts from the message of the paper.  In part, this renders the conclusions and recommendations for future work either unclear or otherwise redundant.

Yusof, M., Saudi, M. M., & Ridzuan, F. (2017).  A New Mobile Botnet Classification based on Permission and API Calls.  Paper presented at the Emerging Security Technologies (EST), 2017 Seventh International Conference on.

This study examines the accuracy of discovering botnets using permissions vs permission and API calls.  Botnets are more prevalent in smart phones, due to usage and security flaws.  An overview of Android botnets is given.  Two datasets were used, one for training, one for testing.  The testing dataset was 800.  Permissions and API calls are collected.  Using five different algorithms, the data is processed and provides consistent results across all algorithms.  Using both permission and API calls produces fewer false positives and is a more accurate way to find botnets.  This is useful in narrowing down finding malware, and the significant dataset and findings instil confidence in the study.

Dennis, C., Krutz, D. E., & Mkaouer, M. W. (2017).  P-Lint: A Permission Smell Detector for Android Applications.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

The authors designed a tool to check apps for a form of code smell (meaning poorly written code) that they refer to as permission smell: the poor handling of runtime permissions within the app source code, in particular checkSelfPermission() and shouldShowPermissionRationale(), misused rationales, the misuse of permission requests in place of intents, and custom permission mishandling.  With runtime permissions, the user can deny or revoke permissions at any stage; if the permission state is not checked with each call within the app using that permission, the app is liable to crash.  The source code of 40 apps is decompiled and examined; they discovered 79 instances of permission smell.

This is significant, but there is no data breaking down how many apps have permission smell and the sample size is small.  There is no mention of how the sample was obtained.  This study raises pertinent questions, as to the proportion of over-privileged apps that have mal-intent, as opposed to poor programming practice.  This study is an excellent starting point for further research with randomised and larger samples and is a more useful study than their other study (Krutz, Munaiah, Peruma, & Mkaouer, 2017).  The resulting data could be cross-checked.  It should be noted good development practice checks for permissions every time they are used and has error handling in place if a permission has been revoked, so the app will not crash.

Krutz, D. E., Munaiah, N., Peruma, A., & Mkaouer, M. W. (2017).  Who Added that Permission to My App? An Analysis of Developer Permission Changes in Open Source Android Apps.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

This study categorises developers by the number of commits made for an app over the total number of commits, a Developer’s Commit Ratio (DCR).  Using the assumption that more experienced developers will have a higher DCR, the study examines which type of developers add and remove permissions, and permission-related commit reverts.  The results showed that developers with a higher DCR are “more likely to make permission-based changes”, that permissions are usually added early in the development process, that permission removal is consistent throughout the app’s life, and that the developers reverting permission-based changes are more likely to have a higher DCR than the developers committing the original change.

This study is fundamentally flawed in the assumption that a higher DCR correlates with more experience in development.  The higher DCR only means that the developer has made more commits while working on that app.  Even if the developers’ commit styles were equal, it does not mean that the developer is more experienced with Android development than the developers with lower DCRs; it means only that the developer worked more on that app.  It makes sense that the developer spending more time on an application would make permission-based programming decisions and revert clumsy commits, as they are more familiar with the app and likely to have more hours on the app.  A developer contracting occasionally on an app will be more likely to misunderstand the requirements and domain of the app.  Having said this, it does not preclude that these findings would follow for more experienced developers, compared to less.  Unlike (Dennis, Krutz, & Mkaouer, 2017), a significant number of apps were examined, 1402 apps with 331,318 commits.

Micinski, K., Votipka, D., Stevens, R., Kofinas, N., Mazurek, M. L., & Foster, J. S. (2017).  User Interactions and Permission Use on Android.  Paper presented at the Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems.

This is a twofold study, examining permission requests and user experience.  The authors create a tool, App-Tracer, to analyse data from users’ app activity and the correlation with sensitive resource access.  150 popular apps were researched and it was concluded that many sensitive resources were accessed in the background without user awareness.

The authors then study how interaction with apps affects user expectation of whether sensitive resources are being accessed.  This study uses 961 people, with a broad cross section of the community, offering results that are likely to be reliable.

It is concluded that button clicks are perceived as permission acceptance and that resource access needs to be tied to the UI and relevant to the current activity of the user, for the user to understand what type of resource is being accessed.  Permission control could become interactive, as opposed to acceptance of a dialog box, with the added caveat that the interaction must be related to the resource.  It is also recommended that background requests become interactive and are further researched, as this is one area where users are unclear about how apps behave.

A much-needed study, as user ignorance and vulnerability is well known in the research community, as mentioned by (Ben Ayed, 2017; Betarte, Campo, Luna, & Romano, 2016; Faqiry, Rahman, & Tomar, 2017; Lokesh Kumar Mishra, 2017; Moussa et al., 2017; Taylor & Martinovic, 2017; Yusof et al., 2017), to be one of the biggest issues with permission attacks.  The authors provide an innovative solution in aiding users to control app permission.  They do offer one peculiar and unreferenced assertion, that “popular apps are likely implemented to high standards and unlikely to be malicious”.  There may not be a basis for this assertion, in fact the opposite may be true as evidenced by (Taylor & Martinovic, 2017).

Moussa, M., Di Penta, M., Antoniol, G., & Beltrame, G. (2017).  ACCUSE: Helping Users to Minimize Android App Privacy Concerns.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

The authors test the system, Android Confidentiality Concern User Support Environment (ACCUSE), for detecting apps.  11,576 apps were tested and 1000 known malware apps were tested to find a baseline.  The aim of the system is to simplify permissions and privacy risks for users, and the authors ask and answer two questions, “How does ACCUSE behave when compared to using a malware detection tool?” and “How does ACCUSE compare with the risk model proposed by Peng et al. [5]?” (Peng et al. use a probabilistic model).  ACCUSE performs well as a malware detector and performs well compared to Peng et al. when including number of app downloads and app rating.  The researchers do admit that this study is like other, referenced studies, with the exception that users are able to weight risk factors and so tailor the rating to their preferences, and that Google store rating and popularity are considered.  ACCUSE also offers 3D graphing of risk types and distribution.  This model is not easily interpreted and could be simplified by excluding normal permissions and being displayed in 2D format.  App popularity ameliorates negative ratings, which supports the assertion made by (Micinski et al., 2017).

Lokesh Kumar Mishra, R. D., Tushar Desale, Rahul Bidkar, Jayant Waghale, Prof. S.R. Bhamare.  (2017).  Anti-Hijack: Real-Time Detection and Prevention of Attack on Android.  International Research Journal of Engineering and Technology (IRJET), 04(04), 3389-3393.

The authors examine intent-based hijacking and authenticated session-based hijacking and have created a system, using a honey pot to check downloaded apps and URL redirections, to prevent this.  New apps are downloaded and run in a honey pot.  A monkey runner tool tracks and records all permissions and system calls, and compares these to a benign app; if there is a suspicious difference between the two, the app is marked as malware and will not be installed onto the device.  The researchers conclude this would be an effective real-time tool against malware seeking to exploit permissions.  The authors recommend research to detect root exploits and scripts which violate the sandbox.  The literature survey, whilst being informative, lacks any referencing.  There is also an absence of statistics or real data.  Despite this, this is a promising concept and, combined with the recommended research, offers the potential to be ground-breaking in the prevention of permission abuses, one of the most innovative ideas to date.

 

 

Originality Report and Questions

I am having issues with Small SEO Tools not recognising the letter “f” and giving me 100% unique reports.  I have tried it on different browsers and sanitised the text through a text file and it does not help.  The Turnitin report on my draft copy showed 12% similarities, the majority of these were for referencing and one quote, there was the use of the phrase “35,000 apps in the Google Play Store”, which I changed slightly.  I am unable to expand on this report, as I resubmitted and I am waiting on my submission from Turnitin to process my new report.  It does not appear that it will be ready in time.

 

 

References

Ben Ayed, A. (2017).  Permission Request Pattern Recognition in Android Malware Applications.  International Journal of Strategic Information Technology and Applications, 8(1), 37-49.  doi:10.4018/IJSITA.2017010103

Betarte, G., Campo, J., Luna, C., & Romano, A. (2016).  Formal Analysis of Android’s Permission-Based Security Model.  Scientific Annals of Computer Science, 16(1), 27-68.  doi:10.7561/sacs.2016.1.27

Chester, P., Jones, C., Mkaouer, M. W., & Krutz, D. E. (2017).  M-Perm: A Lightweight Detector for Android Permission Gaps.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

Dennis, C., Krutz, D. E., & Mkaouer, M. W. (2017).  P-Lint: A Permission Smell Detector for Android Applications.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

Faqiry, F. M., Rahman, R., & Tomar, D. S. (2017).  Scrutinizing Permission Based Attack on Android OS Platform Devices.  International Journal of Advanced Research in Computer Science; Udaipur, 8(7).

Krutz, D. E., Munaiah, N., Peruma, A., & Mkaouer, M. W. (2017).  Who Added that Permission to My App? An Analysis of Developer Permission Changes in Open Source Android Apps.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

Lokesh Kumar Mishra, R. D., Tushar Desale, Rahul Bidkar, Jayant Waghale, Prof. S.R. Bhamare.  (2017).  Anti-Hijack: Real-Time Detection and Prevention of Attack on Android.  International Research Journal of Engineering and Technology (IRJET), 04(04), 3389-3393.

Micinski, K., Votipka, D., Stevens, R., Kofinas, N., Mazurek, M. L., & Foster, J. S. (2017).  User Interactions and Permission Use on Android.  Paper presented at the Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems.

Moussa, M., Di Penta, M., Antoniol, G., & Beltrame, G. (2017).  ACCUSE: Helping Users to Minimize Android App Privacy Concerns.  Paper presented at the Proceedings of the 4th International Conference on Mobile Software Engineering and Systems.

Taylor, V. F., & Martinovic, I. (2017).  To Update or Not to Update: Insights from a Two-Year Study of Android App Evolution.  Paper presented at the Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security.

Yusof, M., Saudi, M. M., & Ridzuan, F. (2017).  A New Mobile Botnet Classification based on Permission and API Calls.  Paper presented at the Emerging Security Technologies (EST), 2017 Seventh International Conference on.

 
