Problem Domain
Android devices are becoming increasingly commonplace, and security issues are not new to the platform (Sufatrio, Tan, Chua, & Thing, 2015). This topic explores potential security weaknesses in the Permissions settings of the Android and Google APIs. There is an argument that it is the end user who is the “weakest link” in supporting Android security. Users need protection against malware (Sasse, 2001).
In Android development prior to SDK 23, the user accepted permissions when installing an application (Au, Zhou, Huang, & Lie, 2012). To make matters worse, the application made only one permission request, with all the permissions combined. If the user denied the permissions, the application would not download. With user ignorance and trust, coupled with the advent of the “now” generation, this meant many applications had the capacity to transgress the user’s privacy without users fully understanding the contractual agreement (Olmstead, 2013).
Android introduced runtime permissions in version 6.0, SDK 23. This new development doesn’t completely overcome the issues of user failings, but it assists in safeguarding users (Clark, Sarode, & Lindqvist, 2016). Studies have consistently found that a significant proportion of applications had redundant permissions and were over-privileged (Felt, Chin, Hanna, Song, & Wagner, 2011; Au et al., 2012).
Permissions are no longer checked when an application is installed. While the application is running, each permission it needs must be accepted by the user before that part of the application can execute. The API groups permissions with like functionality. User acceptance of any permission from a group grants access to all permissions from that group.
This serves two key purposes.
- It allows the user to cool off and examine the permission in situ.
- Applications give users choice as to which permissions they will accept.
- It also allows the user to change the permission settings, at any time, within the settings of the Android device, without uninstalling the application or losing any of its data.
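The group rule described above can be checked against an application's manifest. The following is an added example, not code from the original post: it assumes a partial table of Android 6.0 dangerous permissions, a constructed manifest, and that the group rule only extends to permissions the application declares; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Partial table of Android 6.0 (SDK 23) dangerous permissions and their groups.
GROUPS = {
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
}

# Constructed manifest for illustration; not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]

def effective_grant(manifest_xml, accepted):
    """Permissions the app holds after the user accepts one runtime prompt."""
    declared = declared_permissions(manifest_xml)
    if accepted not in declared:
        raise ValueError("app cannot request a permission it did not declare")
    group = GROUPS.get(accepted)
    if group is None:
        raise ValueError("not a dangerous permission in this table; no prompt")
    return sorted(p for p in declared if GROUPS.get(p) == group)

def silent_grants(manifest_xml, accepted):
    """Permissions granted by the group rule without their own prompt."""
    return [p for p in effective_grant(manifest_xml, accepted) if p != accepted]

def audit(manifest_xml):
    """Map each promptable permission to what accepting it also grants."""
    declared = declared_permissions(manifest_xml)
    return {p: silent_grants(manifest_xml, p) for p in declared if p in GROUPS}

if __name__ == "__main__":
    for prompt, extra in audit(SAMPLE_MANIFEST).items():
        print(prompt, "->", extra or "nothing else")
```

A reviewer can use the output to see which declared permissions a user would never be prompted for individually, which is where over-privilege is easiest to miss.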
The Google APIs also have permission settings. These APIs offer a wide range of functionality, with specific permissions for each. These APIs do not allow developers to gain lawful access to personal data within the user’s Google Account.
Between the two sets of permissions, it appears that there are applications now on the Google Play Store that manage to access personal data. If so, these applications take advantage of a zero-day exploit. The purpose of this project is to explore this.
Purpose and justification
To find whether there is a zero-day exploit in Android and Google API Permissions that allows hackers to gain access to private information in user accounts, and to determine whether applications using it pass the Google Play Store submission process (Al-Sharif, Iqbal, Baker, & Khattack, 2016). The industry relies on white hat hackers to find and report zero-day exploits, so that software patches to frameworks can be developed and applied.
Supervisor Recommendations
The supervisor, Arif Khan, assessed the proposal and blog, and approved the project on the grounds of a clear and useful goal, with good scope for a first and smaller research topic.
Questions
Do two applications on the Google Play Store exploit Permissions vulnerabilities to access private data and, if so, can the source code be decompiled to find the hack? If not, is there a zero-day exploit within the Permissions framework that enables access to private data?