Custom permission misconfigurations in Android : A Large-scale security analysis
Android’s popularity is due to its openness and vast app ecosystem. Global developers can use Android Studio and rich Android APIs to create their apps. Within this ecosystem, Android permissions play a crucial role in managing access to resources, with system permissions controlled by system apps a...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2024
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/9856 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| Summary: | Android’s popularity is due to its openness and vast app ecosystem. Global developers can use Android Studio and rich Android APIs to create their apps. Within this ecosystem, Android permissions play a crucial role in managing access to resources, with system permissions controlled by system apps and custom permissions declared by third-party apps. However, the security of custom permissions has not received enough attention from the mobile security community, resulting in a lack of thorough evaluation of security practices for app developers using custom permissions. This study systematically evaluated the misconfiguration of custom permissions by Android app developers. It is based on ten configuration guidelines derived from the Android development documentation, OS source code, and related research papers to ensure proper functioning and adherence to best security practices of custom permissions. The study established the corresponding violation rules and built a dataset containing 174,740 APK files for large-scale measurement and analysis of guideline violations. The measurement results indicate that misconfiguration of custom permissions by Android app developers is quite common, with approximately 29.02% of the 92,461 apps involving custom permissions having configuration guideline violations. The two most common errors in custom permission configuration are 1) putting custom permissions into a defective custom group and 2) protecting components with undeclared custom permissions. Such misconfigurations can lead to various issues, including private app data leaks, app installation failures, or incomplete implementation of app functions. |
|---|