
Promote Android Security With Real-time Permissions

Posted on: 2014-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: B Q Xu
Full Text: PDF
GTID: 2208330434472492
Subject: Computer software and theory
Abstract/Summary:
Android has been rapidly expanding its market share as a modern mobile operating system. To protect privileged resources from unprivileged access, Android provides a permission-based access control mechanism. The operating system and applications define permissions to regulate access to their resources. Only applications granted a specific permission are allowed to use it, i.e., to access the corresponding resources. In the current permission granting model, application developers declare the permissions they want in a manifest file. The requested permissions are shown to the user when he tries to install the application, and he has only two options: grant all permissions or abandon the installation entirely. Unfortunately, it is often very difficult for users to make the right decision on granting permissions to applications without knowing when and how exactly these permissions will be used.

Besides, Android encourages collaboration between applications, which means an application can expose its public interfaces to other applications. As a side effect, an unprivileged malicious application may indirectly use a permission through the public interface of a privileged application, which is known as a permission re-delegation attack. This differs from direct permission use, and such indirect permission uses need to be handled elegantly and systematically, which the existing access-control system in Android and other Android extensions are incapable of.

In this paper, we present an in-context permission granting framework for Android named Arbiter, in which each permission grant is delayed until the time the application uses the permission. To differentiate between kinds of permission uses in different scenarios, Arbiter calculates and records a usage context for each permission use. Unlike previous work, which either requires a certain amount of developer effort or covers only an incomplete set of permission uses, Arbiter requires no modification to existing Android applications and intercepts all permission uses requested by applications. To avoid imposing unnecessary burden on end users, Arbiter further adopts a security requirement engineering approach to generate permission granting policies, according to which only permissions possibly leading to security breaches are prompted for an in-context user decision. Our evaluation with real-world malware samples indicates that Arbiter is effective in preventing malicious behaviors, and a large-scale usability and performance evaluation also shows that it has minor impact on users. Only one user-involved permission grant is required in every 7,500 user interactions with an application, and more specifically, only one out of every 290 permission uses requires a user-involved permission grant. These results demonstrate that Arbiter can make automated permission granting decisions for the vast majority of benign permission uses and introduces very light disruption to end users. Our performance evaluation further demonstrated that our implementation introduced unobservable performance overhead for several benchmarks, and an acceptable 16% overhead in the worst-case scenarios.
Keywords/Search Tags: Android Security, Permission Granting, Access Control