Custom permission misconfigurations in Android : A Large-scale security analysis
Publication Type
Conference Proceeding Article
Publication Date
12-2024
Abstract
Android’s popularity is due to its openness and vast app ecosystem. Global developers can use Android Studio and rich Android APIs to create their apps. Within this ecosystem, Android permissions play a crucial role in managing access to resources, with system permissions controlled by system apps and custom permissions declared by third-party apps. However, the security of custom permissions has not received enough attention from the mobile security community, resulting in a lack of thorough evaluation of security practices for app developers using custom permissions. This study systematically evaluated the misconfiguration of custom permissions by Android app developers. It is based on ten configuration guidelines derived from the Android development documentation, OS source code, and related research papers to ensure proper functioning and adherence to best security practices of custom permissions. The study established the corresponding violation rules and built a dataset containing 174,740 APK files for large-scale measurement and analysis of guideline violations. The measurement results indicate that misconfiguration of custom permissions by Android app developers is quite common, with approximately 29.02% of the 92,461 apps involving custom permissions having configuration guideline violations. The two most common errors in custom permission configuration are 1) putting custom permissions into a defective custom group and 2) protecting components with undeclared custom permissions. Such misconfigurations can lead to various issues, including private app data leaks, app installation failures, or incomplete implementation of app functions.
Keywords
Android permissions, Android mobile security, Customs permissions configurations
Discipline
Information Security
Research Areas
Cybersecurity
Publication
Proceedings of the 23rd IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2024) : Sanya, China, December 17-21
Publisher
IEEE
City or Country
Sanya, China
Citation
LI, Rui; DIAO, Wenrui; and GAO, Debin.
Custom permission misconfigurations in Android : A Large-scale security analysis. (2024). Proceedings of the 23rd IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2024) : Sanya, China, December 17-21.
Available at: https://ink.library.smu.edu.sg/sis_research/9856
Comments
PDF provided by faculty