Custom permission misconfigurations in Android : A Large-scale security analysis

Publication Type

Conference Proceeding Article

Publication Date

12-2024

Abstract

Android’s popularity is due to its openness and vast app ecosystem. Global developers can use Android Studio and rich Android APIs to create their apps. Within this ecosystem, Android permissions play a crucial role in managing access to resources, with system permissions controlled by system apps and custom permissions declared by third-party apps. However, the security of custom permissions has not received enough attention from the mobile security community, resulting in a lack of thorough evaluation of security practices for app developers using custom permissions. This study systematically evaluated the misconfiguration of custom permissions by Android app developers. It is based on ten configuration guidelines derived from the Android development documentation, OS source code, and related research papers to ensure proper functioning and adherence to best security practices of custom permissions. The study established the corresponding violation rules and built a dataset containing 174,740 APK files for large-scale measurement and analysis of guideline violations. The measurement results indicate that misconfiguration of custom permissions by Android app developers is quite common, with approximately 29.02% of the 92,461 apps involving custom permissions having configuration guideline violations. The two most common errors in custom permission configuration are 1) putting custom permissions into a defective custom group and 2) protecting components with undeclared custom permissions. Such misconfigurations can lead to various issues, including private app data leaks, app installation failures, or incomplete implementation of app functions.

Keywords

Android permissions, Android mobile security, Customs permissions configurations

Discipline

Information Security

Research Areas

Cybersecurity

Publication

Proceedings of the 23rd IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2024) : Sanya, China, December 17-21

Publisher

IEEE

City or Country

Sanya, China

Comments

PDF provided by faculty

This document is currently not available here.

Share

COinS