Publication Type

Conference Proceeding Article

Publication Date

12-2016

Abstract

Android requires third-party applications to request for permissions when they access critical mobile resources, such as users' personal information and system operations. In this paper, we present the attacks that can be launched without permissions. We first perform call graph analysis, component analysis and data-flow analysis on various parts of Android framework to retrieve unprotected APIs. Unprotected APIs provide a way of accessing resources without any permissions. We then exploit selected unprotected APIs and launch a number of attacks on Android phones. We discover that without requesting for any permissions, an attacker can access to device ID, phone service state, SIM card state, Wi-Fi and network information, as well as user setting information, such as airplane, location, NFC, USB and power modes of mobile devices. An attacker can also disturb Bluetooth discovery services, and block the incoming emails, calendar events, and Google documents. Moreover, an attacker can set volumes of devices and trigger alarm tones and ringtones that users personally set for their devices. An attacker can also launch camera, mail, music and phone applications even when the devices are locked. We compare our research on two Android versions, and discover that as platform providers incorporate more APIs, the number of unprotected APIs increases and new attacks become possible. We thus suggest platform providers to inspect Android frameworks systematically before releasing new versions.

Keywords

Android smartphone, Component analysis, Mobile resource, Network information, Personal information, Phone applications, System operation, Third party application (Apps)

Discipline

Information Security

Research Areas

Cybersecurity

Publication

2016 14th Annual Conference on Privacy, Security and Trust (PST): Auckland, New Zealand, December 12-14: Proceedings

ISBN

9781509043798

Identifier

10.1109/PST.2016.7906949

Publisher

IEEE

City or Country

Piscataway, NJ

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Additional URL

http://doi.org/10.1109/PST.2016.7906949

Share

COinS