Attacking Android smartphone systems without permissions

Bibliographic Details
Main Authors: SU, Mon Kywe; LI, Yingjiu; PETAL, Kunal; GRACE, Michael
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2016
Online Access: https://ink.library.smu.edu.sg/sis_research/3768
https://ink.library.smu.edu.sg/context/sis_research/article/4770/viewcontent/PST_2016.pdf
Institution: Singapore Management University
Description
Summary: Android requires third-party applications to request permissions when they access critical mobile resources, such as users' personal information and system operations. In this paper, we present attacks that can be launched without permissions. We first perform call graph analysis, component analysis and data-flow analysis on various parts of the Android framework to retrieve unprotected APIs. Unprotected APIs provide a way of accessing resources without any permissions. We then exploit selected unprotected APIs and launch a number of attacks on Android phones. We discover that, without requesting any permissions, an attacker can access the device ID, phone service state, SIM card state, Wi-Fi and network information, as well as user setting information, such as the airplane, location, NFC, USB and power modes of mobile devices. An attacker can also disturb Bluetooth discovery services, and block incoming emails, calendar events, and Google documents. Moreover, an attacker can set the volumes of devices and trigger alarm tones and ringtones that users personally set for their devices. An attacker can also launch camera, mail, music and phone applications even when the devices are locked. We compare our research on two Android versions, and discover that as platform providers incorporate more APIs, the number of unprotected APIs increases and new attacks become possible. We thus suggest that platform providers inspect Android frameworks systematically before releasing new versions.