http://dx.doi.org/10.13089/JKIISC.2012.22.5.1145

Analysis of Usage Patterns and Security Vulnerabilities in Android Permissions and Broadcast Intent Mechanism  

Kim, Young-Dong (Mechanical and Information Engineering, University of Seoul)
Kim, Ikhwan (Mechanical and Information Engineering, University of Seoul)
Kim, Taehyoun (Mechanical and Information Engineering, University of Seoul)
Abstract
Google Android employs a security model based on application permissions to control access to system resources and to components of other applications by potentially malicious programs. However, this model has security vulnerabilities due to a lack of user comprehension and excessive permission requests by third-party applications. Broadcast intent messages are widely used as a primary means of communication among internal application components. This mechanism also has potential security problems because no security policy is associated with it. In this paper, we first present security breach scenarios caused by inappropriate use of application permissions and broadcast intent messages. We then analyze and compare the usage patterns of application permissions and broadcast intent messages for popular applications on the Android market and for malware, respectively. The analysis results show that there exists a characteristic set of application permissions and broadcast intent receivers that are requested by typical malware. Based on the results, we propose a scheme that detects applications suspected of being malicious and notifies users of the result at installation time.
Keywords
Android; permission; broadcast intent; security vulnerability