Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
12-2016
Abstract
Android requires third-party applications to request permissions when they access critical mobile resources, such as users' personal information and system operations. In this paper, we present the attacks that can be launched without permissions. We first perform call graph analysis, component analysis and data-flow analysis on various parts of the Android framework to retrieve unprotected APIs. Unprotected APIs provide a way of accessing resources without any permissions. We then exploit selected unprotected APIs and launch a number of attacks on Android phones. We discover that without requesting any permissions, an attacker can access the device ID, phone service state, SIM card state, Wi-Fi and network information, as well as user setting information, such as airplane, location, NFC, USB and power modes of mobile devices. An attacker can also disturb Bluetooth discovery services, and block incoming emails, calendar events, and Google documents. Moreover, an attacker can set the volumes of devices and trigger alarm tones and ringtones that users personally set for their devices. An attacker can also launch camera, mail, music and phone applications even when the devices are locked. We compare our research on two Android versions, and discover that as platform providers incorporate more APIs, the number of unprotected APIs increases and new attacks become possible. We thus suggest that platform providers inspect Android frameworks systematically before releasing new versions.
Keywords
Android smartphone, Component analysis, Mobile resource, Network information, Personal information, Phone applications, System operation, Third party application (Apps)
Discipline
Information Security
Research Areas
Cybersecurity
Publication
2016 14th Annual Conference on Privacy, Security and Trust (PST): Auckland, New Zealand, December 12-14: Proceedings
First Page
147
Last Page
156
ISBN
9781509043798
Identifier
10.1109/PST.2016.7906949
Publisher
IEEE
City or Country
Piscataway, NJ
Citation
SU, Mon Kywe; LI, Yingjiu; PETAL, Kunal; and GRACE, Michael.
Attacking Android smartphone systems without permissions. (2016). 2016 14th Annual Conference on Privacy, Security and Trust (PST): Auckland, New Zealand, December 12-14: Proceedings. 147-156.
Available at: https://ink.library.smu.edu.sg/sis_research/3768
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/PST.2016.7906949