Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
12-2024
Abstract
Android’s popularity is due to its openness and vast app ecosystem. Global developers can use Android Studio and rich Android APIs to create their apps. Within this ecosystem, Android permissions play a crucial role in managing access to resources, with system permissions controlled by system apps and custom permissions declared by third-party apps. However, the security of custom permissions has not received enough attention from the mobile security community, resulting in a lack of thorough evaluation of security practices for app developers using custom permissions. This study systematically evaluated the misconfiguration of custom permissions by Android app developers. It is based on ten configuration guidelines derived from the Android development documentation, OS source code, and related research papers to ensure proper functioning and adherence to best security practices of custom permissions. The study established the corresponding violation rules and built a dataset containing 174,740 APK files for large-scale measurement and analysis of guideline violations. The measurement results indicate that misconfiguration of custom permissions by Android app developers is quite common, with approximately 29.02% of the 92,461 apps involving custom permissions having configuration guideline violations. The two most common errors in custom permission configuration are 1) putting custom permissions into a defective custom group and 2) protecting components with undeclared custom permissions. Such misconfigurations can lead to various issues, including private app data leaks, app installation failures, or incomplete implementation of app functions.
Keywords
Android permissions, Android mobile security, Custom permissions configurations
Discipline
Information Security
Research Areas
Cybersecurity
Publication
2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom): Sanya, China, December 17-21: Proceedings
First Page
1161
Last Page
1170
ISBN
9798331506209
Identifier
10.1109/TrustCom63139.2024.00165
Publisher
IEEE
City or Country
Piscataway, NJ
Citation
LI, Rui; DIAO, Wenrui; and GAO, Debin.
Custom permission misconfigurations in Android: A Large-scale security analysis. (2024). 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom): Sanya, China, December 17-21: Proceedings. 1161-1170.
Available at: https://ink.library.smu.edu.sg/sis_research/9856
Copyright Owner and License
Authors
Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/TrustCom63139.2024.00165