A formal approach for detection of security flaws in the android permission system-Reference-Cited by-同舟云学术

A formal approach for detection of security flaws in the android permission system

Published:2018-09 Issue:5 Volume:30 Page:525-544
ISSN:0934-5043
Container-title:Formal Aspects of Computing
language:en
Short-container-title:Form. Asp. Comput.

Author:

Bagheri Hamid¹,Kang Eunsuk²,Malek Sam³,Jackson Daniel²

Affiliation:

1. Department of Computer Science and Engineering, University of Nebraska, Lincoln, NE, USA

2. Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge, MA, USA

3. School of Information and Computer Sciences, University of California, Irvine, Irvine, CA, USA

Abstract

Abstract The ever increasing expansion of mobile applications into nearly every aspect of modern life, from banking to healthcare systems, is making their security more important than ever. Modern smartphone operating systems (OS) rely substantially on the permission-based security model to enforce restrictions on the operations that each application can perform. In this paper, we perform an analysis of the permission protocol implemented in Android, a popular OS for smartphones. We propose a formal model of the Android permission protocol in Alloy, and describe a fully automatic analysis that identifies potential flaws in the protocol. A study of real-world Android applications corroborates our finding that the flaws in the Android permission protocol can have severe security implications, in some cases allowing the attacker to bypass the permission checks entirely.

Publisher

Association for Computing Machinery (ACM)

Subject

Theoretical Computer Science,Software

Link

http://link.springer.com/article/10.1007/s00165-017-0445-z/fulltext.html

Reference44 articles.

1. Armando A Costa G Merlo A (2012) Formal modeling and reasoning about the android security framework. In: Palamidessi C Ryan MD (eds) Trustworthy global computing number 8191 in Lecture Notes in Computer Science. Springer Berlin pp 64–81. https://doi.org/10.1007/978-3-642-41157-1_5

2. Andoni A Daniliuc D Khurshid S Marinov D. Evaluating the small scope hypothesis. http://sdg.csail.mit.edu/pubs/2002/SSH.pdf

3. Arzt S Rasthofer S Bodden E Bartel A Klein J Le Traon Y Octeau D McDaniel P (2014) Flowdroid: precise context flow field object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th annual ACM SIGPLAN conference on programming language design and implementation (PLDI 2014)

4. Bugliesi M Calzavara S Spanò A (2013) Lintent: towards security type-checking of android applications. In: Beyer D Boreale M (ed) Formal techniques for distributed systems number 7892 in Lecture Notes in Computer Science. Springer Berlin pp 289–304. https://doi.org/10.1007/978-3-642-38592-6_20

5. Software architectural principles in contemporary mobile software: from conception to practice

Cited by 47 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Modelling and Analysing Routing Protocols Diagrammatically with Bigraphs;Formal Aspects of Computing;2024-09-10

2. A comprehensive framework for inter-app ICC security analysis of Android apps;Automated Software Engineering;2024-06-04

3. Large Language Model vs. Stack Overflow in Addressing Android Permission Related Challenges;Proceedings of the 21st International Conference on Mining Software Repositories;2024-04-15

4. An Analysis of the Impact of Field-Value Instance Navigation in Alloy’s Model Finding;Lecture Notes in Computer Science;2024

5. Crucible: Graphical Test Cases for Alloy Models;2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE);2023-10-09