A Permission verification approach for android mobile applications
KTH, School of Information and Communication Technology (ICT), Communication Systems, CoS. Institute for the Protection and Security of the Citizen, Italy.
KTH, School of Information and Communication Technology (ICT), Communication Systems, CoS. Institute for the Protection and Security of the Citizen, Italy.
2015 (English). In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 49, 192-205 p. Article in journal (Refereed), Published
Abstract [en]

Mobile applications build part of their security and privacy on a declarative permission model. In this approach, mobile applications have to define the corresponding permissions in a manifest to get access to sensitive resources. However, mobile applications may request permissions that they do not require for their execution (over-privileges) and thereby offer opportunities for malicious software to gain access to otherwise inaccessible resources. In this paper, we investigate the declarative permission model on which the security and privacy services of Android rely. We propose a practical and efficient permission certification technique, in the direction of risk management assessment. We combine runtime information and static analysis to profile mobile applications and identify whether they are over-privileged or follow the least privilege principle. We demonstrate a transparent solution that requires neither modification of the underlying framework nor access to the applications' original source code. We assess the effectiveness of our approach using a randomly selected, varied set of mobile applications. Results show that our approach can accurately identify whether an application is over-privileged or not, whilst at the same time guaranteeing the need of declaring specific permissions in the manifest.

Place, publisher, year, edition, pages
Elsevier, 2015. Vol. 49, 192-205 p.
Keyword [en]
Android, Permissions, Security, Instrumentation, Privacy, Risk assessment
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-165161
DOI: 10.1016/j.cose.2014.10.005
ISI: 000350519300013
Scopus ID: 2-s2.0-84923259697
OAI: oai:DiVA.org:kth-165161
DiVA: diva2:807446
Note

QC 20150424

Available from: 2015-04-23. Created: 2015-04-23. Last updated: 2017-12-04. Bibliographically approved.

By author/editor
Kounelis, Ioannis; Stirparo, Pasquale